Version 3.0 of the Payment Card Industry Data Security Standard (PCI DSS v3.0) became effective on January 1, 2014, but merchants, service providers and assessors are still working out how the new mandates will affect their organizations, especially in Europe, where changes to the European data protection requirements are still pending.
Organizations validated against PCI DSS v2.0 have until January 1, 2015 to move to the new standard, and some of the new v3.0 requirements remain best practices rather than mandatory requirements until June 1, 2015. In the meantime, organizations will need to be ready to embrace the many technological changes taking place in the payments industry while simultaneously remaining secure and in compliance.
The PCI Security Standards Council is hosting the 4th Annual PCI-DSS European Roadshow on Tuesday April 29th at IBIS Earls Court, London, which will focus primarily on the key modifications in compliance requirements brought about by PCI DSS v3.0 and what merchants need to do now to make sure that they address these changes.
Dwayne Melançon (@ThatDwayne), Tripwire’s Chief Technology Officer, will be presenting a session titled Continuous Compliance Best Practices, which will examine how to create a continuous, automated approach to satisfying the PCI compliance requirements. The session will also discuss techniques for achieving security and business value beyond compliance, and for increasing an organization’s awareness of the suspicious activities often associated with data breaches.
Melançon brings over 25 years of security software experience to the role. He is responsible for driving and evangelizing Tripwire’s solution suite and leads the company’s long-term product development strategy to ensure it meets the evolving data security needs of global enterprises.
Since joining Tripwire in 2000, Melançon has spearheaded numerous initiatives, including executive responsibility for business development, professional services and support, information systems management and marketing.
Melançon points out that many organizations approach compliance as an “event” rather than as an ongoing state of operations, and that organizations can save considerable time and money if they approach compliance as a “set of reusable competencies and capabilities” which can enable them to achieve a continuous state of compliance and significantly reduce overall risk.
“Since compliance requires an investment in technology, process, and training, you might as well gain the benefit of that investment beyond the confines of an individual audit,” Melançon said. “In this presentation I will discuss repeatable methods that allow you to leverage automation to reduce the cost, headache, and time to achieve and maintain compliance.”
Among organizations that must comply with PCI or similar compliance regimes, Melançon says he has found that many are simply trying to learn as they go rather than seeking to benefit from others’ experience and success stories.
“I wanted to share information on ‘best known methods’ for achieving continuous compliance in the hopes that organizations can spend more time doing, and less time trying to figure things out on their own,” Melançon explained.
This session is designed to appeal to security managers, those charged with compliance responsibilities, and executives who are charged with creating an atmosphere of accountability for compliance activities within their organizations.
“Attendees will come away from the talk with a framework for establishing continuous compliance as a set of capabilities, as well as some guidance on identifying the ‘low hanging fruit’ to help them gain momentum for their compliance programs through early wins,” Melançon said.
One of the biggest obstacles Melançon has identified over the years is organizations attempting to apply equal rigor and resources across the entire business rather than focusing on the systems that actually handle cardholder data; he describes this as one of the most common mistakes in compliance efforts.
“To address this issue, I will discuss scoping strategies as well as methodologies that provide for a risk-based prioritization of activities to ensure organizations focus on the most important things first. I will also talk about how to communicate the value of your activities to non-technical stakeholders in the business so you can actually get funded,” Melançon continued.
“Continuous monitoring and the rapid identification of anomalies and outliers will become expected in the future, and these practices make it easier to achieve this level of capability from a security and compliance perspective.”
- PCI DSS Compliance is No Security Guarantee
- PCI DSS 3.0 – What’s New? An Infographic…
- How PCI DSS v3.0 Will Affect Your Organization
- The Skinny on PCI DSS 3.0 Compliance Changes
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock