Since 2004, merchant companies that handle branded credit cards have worked to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS). These regulations, which consist of six fundamental control objectives and 12 core requirements, aim to protect payment card data for customers. They also help card issuers and banks limit their liability in the event a merchant suffers losses because of a security event. PCI as a body of standards has undergone eight revisions since its inception. The most recent update, PCI 3.2, took effect in April 2016. This version introduced several important sub-requirements. For instance, sub-requirements 2.2.3, 2.3 and 4.1 extended the deadlines for merchants to remove and migrate away from older versions of SSL and TLS, whereas sub-requirement 8.3 demanded merchants begin implementing multi-factor authentication. Kathy Trahan, a senior product marketing manager at Tripwire, feels that latter change is welcome in today's digital world. As she explains in a blog post:
"…[Multi-factor] authentication is a backbone to security in that it helps to ensure the authentication only of trusted sources. This is an important cause in today’s world. The 2016 Verizon Data Breach Investigations Report revealed that 63% of breaches resulted from weak, default, or stolen passwords. Previous PCI versions only required remote access from untrusted networks to have multi-factor authentication. This is a step in the right direction."
Striving to fulfill PCI's sub-requirements like multi-factor authentication can help companies better protect their customers' data. But compliance with these standards doesn't mean a company is any more secure. To illustrate, file integrity monitoring might be a good idea, but that's not the case if IT personnel don't have a way to distinguish unauthorized modifications from legitimate changes. Additionally, some companies focus on PCI only to pass an audit. Following this path wastes time and resources when continuous compliance could increase organizations' efficiency and reduce risk. For companies to get the most out of the standards, they need to start thinking about PCI compliance as a business journey and not a check-the-box exercise. Only then can they not only aim to comply with frameworks like the General Data Protection Regulation (GDPR) but also increase their security. The question is: how can merchants embrace this new line of thinking? Paul "PJ" Norris, a senior systems engineer, will help answer that question in a session during the 14th PCI London on 26 January 2017. There, he will discuss the latest updates in PCI 3.2 and demonstrate how Tripwire's solutions can help merchants achieve continuous PCI compliance using critical security controls and avoid some of the most common PCI pitfalls. For more information about Paul Norris's session, please click here.
