Last week, John Kindervag exposed five myths he felt existed about the Payment Card Industry Data Security Standard in an article on SearchSecurity.com.
Here's a summary of John's myths:
Myth 1 - PCI is hard
- PCI mostly calls for good, basic security.
- There are a number of products and services available to help meet almost any of the requirements.
- Many people who say PCI compliance is hard, really mean it is not cheap.
- Organizations must realize that the requirements of a sound, basic enterprise security strategy can't be ignored, and that often means expanding the security budget.
So PCI may be expensive, but it is certainly not hard.
Myth 2 - PCI will make us secure
- Once a company is PCI compliant, it may become complacent.
- PCI is designed to be a measure of basic, baseline security, not a security panacea.
- PCI compliance is a continual process -- a great foundation to create information security awareness.
Myth 3 - Encryption is scary
- For most companies, compliance is simply a matter of protecting the databases that hold PAN data with column-level or whole-disk encryption so that account numbers are not stored in the clear.
- Requirement 3.4 has created a cryptographic explosion. There are many vendors who have invested in creating products that precisely meet the encryption needs of PCI.
- The bad news is that the laws of supply and demand have made encryption products more expensive than they might otherwise be.
One credit card executive told me he believes there will be as much as an 80% reduction in breaches and fraud once data-at-rest encryption becomes widely deployed. If true, this will be a boon for both consumers and companies alike.
Myth 4 - "I don't take enough credit cards to need to be compliant"
This is a common and broad misunderstanding of the requirements. PCI requires any entity that stores, processes or transmits credit card data to be in compliance with the PCI DSS. The amount of validation is the real differentiator.
- PCI assumes that each covered entity is always fully in compliance with PCI.
- Companies are assumed to be compliant right now, and there may be a date that they have to be validated as compliant.
- The fundamental difference between Level 1 and Level 4 PCI requirements is the amount of third-party validation that must be done to meet the certification process.
Myth 5 - Product X will make me compliant
- No single product -- or even a single vendor -- can supply all of the "stuff" needed to become fully compliant.
- Focus more on the big picture related to the intent of the requirements than a point product.
I think John has highlighted five pretty recognized myths and offered solid rebuttals to each. What PCI myths have you encountered?
If you'd like to learn more about the PCI Data Security Standard, I'd encourage you to read some of Ecora's whitepapers and view some of our webinars on the subject. Like John, we know that no one vendor offers a solution for becoming PCI compliant, but we can provide a lot of solid advice to help you improve the security of your cardholder data.
Contributed by Mark Tordoff