
Many merchants will tell you that PCI compliance is time-consuming and a drain on resources that should be focused on attracting more business; there is even a well-established market of PCI consultants and service providers for hire.

The general sentiment is to check the box as quickly and easily as possible. Monitoring and logging activity to create custom reports for the auditor is time-consuming; penetration testing is disruptive; and on top of this there is the misperception that PCI is the security plan.

Unfortunately, recent breaches of well-known companies challenge this. PCI is important, but it does not mean PCI equals security.

The Value of PCI

The reality is PCI serves as a security foundation that is critical to the business, therefore, companies should leverage it to set the stage for their security strategy.

Furthermore, understanding how each requirement addresses a specific security issue gives deeper insight into a company's threat vectors.

The box is there for a critical purpose, not simply to be checked. The recent PCI DSS 3.1 addresses the known vulnerabilities in Secure Sockets Layer (SSL) and early versions of Transport Layer Security (TLS), the protocols used to encrypt payment data in transit; it no longer accepts SSL or early TLS as examples of strong cryptography. The two best-known cases are POODLE, which exploits a flaw in the SSL 3.0 protocol itself, and Heartbleed, which was a bug in the OpenSSL implementation rather than in the protocol; either can put payment data at risk.
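To make "SSL or early TLS enabled" concrete, here is an added example (not code from the original post or from Tripwire) using only Python's standard `ssl` module: a deliberately weak server context beside a hardened one, and a check that reports which deprecated protocol versions a context would still negotiate. The function names and the treatment of TLS 1.1 as "early TLS" are my own choices, not wording taken from the standard.

```python
import ssl

# Protocol versions PCI DSS 3.1 no longer treats as strong cryptography:
# SSL (any version) and "early TLS". TLS 1.1 is grouped with them here as
# a conservative choice (assumption, not a quotation from the standard).
WEAK_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)

# Legacy OP_NO_* flags still disable a version even when minimum_version
# would allow it, so a correct check has to consult both.
_OP_NO = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
}


def _in_range(version, ctx):
    """True if `version` lies within the context's min/max bounds.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are negative sentinels meaning
    "whatever the linked OpenSSL supports", so they must not be compared
    numerically against real version numbers.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_ok = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= version
    hi_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
    return lo_ok and hi_ok


def weak_versions_enabled(ctx):
    """Return the SSL / early-TLS versions `ctx` would still negotiate."""
    return [
        v for v in WEAK_VERSIONS
        if _in_range(v, ctx) and not (ctx.options & _OP_NO[v])
    ]


def meets_pci_3_1(ctx):
    """True only if no SSL or early-TLS version can be negotiated."""
    return not weak_versions_enabled(ctx)


def weak_context():
    """A server context that explicitly re-enables TLS 1.0 and 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # the weak setting
    return ctx


def hardened_context():
    """A server context pinned to TLS 1.2 or newer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the corrected setting
    return ctx


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        enabled = [v.name for v in weak_versions_enabled(ctx)]
        print(f"{name}: weak versions enabled={enabled} "
              f"PCI 3.1 ok={meets_pci_3_1(ctx)}")
```

The check inspects the context's own bounds and option flags rather than performing a handshake, so it runs offline and can be dropped into a unit test for any service that builds its TLS configuration in Python; a live scanner against a deployed endpoint remains a separate exercise.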

I recently offered some guidance on PCI 3.1 based on our customer engagements. The value of PCI should not be understated or misrepresented; it is a starting point for actionable security measures.

A Chance to Gain Better PCI Insight

There is more on offer. We invite you to a webinar, "PCI Compliance: What Problem Are We Trying to Solve?", on Wednesday, October 28th at 2 pm AEST (UTC+10:00).

Join Mario Sist, QSA from Underwriters Laboratories, and David Bell, Systems Engineer from Tripwire, to learn what PCI compliance is really intended to help with.

In this webinar you will:

  • Learn how PCI DSS fits into the security framework and understand why PCI should be important to your organisation.
  • Understand the benefits of investing in a QSA.
  • Learn how Tripwire solutions can make the job of the QSA and the PCI audit process easier, based on the recent findings of the UL white paper, PCI DSS 3.1 Compliance with Tripwire.

As an extra bonus, if you attend live you can earn one hour of CPE credit.

Register today!

Title image courtesy of ShutterStock

Hacking Point of Sale
  • "Unfortunately, recent breaches of well-known companies challenge this. PCI is important, but it does not mean PCI equals security."

    "Recent" does not describe this. The history dates back to before PCI was created; PCI is an attempt at self-regulation, and it remains to be seen whether it will be sufficient to stave off the more onerous actual regulation.

    "The reality is PCI serves as a security foundation that is critical to the business, therefore, companies should leverage it to set the stage for their security strategy."

    I mostly disagree. The foundations of security, in terms of basic principles, existed long before PCI was even conceived of. You have the cart before the horse. This is, of course, an old argument. Does PCI impede real security by absorbing arbitrarily large amounts of the budget? Or has it aided security by such means as requiring firewalls, when some organizations hadn't taken even that basic step?

    In my experience, the journey of an organization from a follower of basic principles to PCI compliance is less costly (and more certain) than the journey of a PCI-compliant organization to a follower of basic principles. There is much that PCI does not even touch upon, there are scoping issues, etc.