May 1, 2024

PCI DSS version 3 and file integrity monitoring – new standard, same issues

PCI DSS version 3.0

PCI DSS version 3 will be with us soon. Such is the anticipation that the PCI Security Standards Council has released a preview of the “Highlights of Change” document.

The highlights of the updated Data Security Standard include a pointed statement that is aimed squarely at you if you are a merchant or acquiring bank.

“Cardholder data remains a target for criminals. Lack of education and awareness about payment security and poor implementation and maintenance of PCI Standards lead to many of the security breaches that occur in the present.”

In other words, a big part of the push behind the new version of the standard is to give it a new lease of life. The fact that PCI DSS is not new does not make it any less relevant today.

But what is the benefit of PCI DSS for us?

To understand how relevant cardholder data protection is, the hard facts are set out in the recent Nilson Report. Its finding is that global card fraud losses have now exceeded $11 billion. It is not all bad news if you are a card brand or issuing bank: the losses are made a little more bearable by the fact that total transaction volume now exceeds $21 trillion.

http://www.nilsonreport.com/publication_the_current_issue.php?1=1

“Card issuer losses occur primarily at the point of sale due to counterfeit cards. Issuers bear the fraud loss if they authorize merchants to accept payment. Merchant and acquirer losses occur primarily in Card-Not-Present (CNP) transactions on the Web, at a call center, or by mail order.”

That is why PCI DSS exists and should be taken seriously, with all requirements fully implemented and practiced on a daily basis. Card fraud is a very real problem, and as with most crimes, if you think it will not happen to you, think again. Ignorance, complacency, and corner cutting remain the top contributors to card data theft.

The changes are very much in line with the NNT methodology of continuous, real-time security validation for every in-scope system: the PCI SSC states that the changes in version 3 of the standard include “Recommendations are focused on helping organizations to take a proactive approach to protecting cardholder data that focuses on security, not compliance, and makes PCI DSS a common practice.”

So instead of this being an exercise of ‘Once a year, run a few scans, patch everything, get a report from a QSA and then relax for another 11 months’, the PCI SSC is trying to educate and encourage the merchants and banks to incorporate or enforce best security practices within their day-to-day operations and comply with PCI as a natural consequence of this.

Continuous FIM: the foundation of PCI compliance

In fact, having an ongoing FIM approach as the starting point for security and PCI compliance makes a lot of sense. Setup is not time consuming; a well-tuned FIM system stays quiet until something actually changes and tells you only when you need to act; it helps you define and then enforce a hardened build standard for your systems (Requirement 2.2) and drives you to adopt the discipline that change control requires, because every unplanned change shows up as an alert that has to be explained. It is also the mechanism the standard asks for directly: Requirement 11.5 calls for a change-detection mechanism such as file-integrity monitoring on critical system, configuration and content files, with comparisons performed at least weekly. Treat that weekly interval as the floor, not the target. A weekly comparison satisfies the letter of the requirement, but an attacker who modifies a payment page or drops a web shell on Monday has until the following Monday before anyone looks; continuous monitoring closes that window and gives you real assurance that systems are being actively protected at all times.
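To make the mechanism concrete, here is a minimal file-integrity monitor added as an illustration; it is not NNT's product code or anything from the PCI SSC. It baselines a directory tree by SHA-256 hash plus permission bits and size, compares the live tree against that baseline, and separates changes that were approved under change control from everything else. The directory layout, file contents and the "approved" ticket set are constructed for the demo; a real deployment would store the baseline off-host (or signed) so that an attacker with root cannot simply rewrite it, and would run `compare` continuously rather than once.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_fingerprint(path: Path) -> dict:
    """Fingerprint = content hash + permission bits + size.
    Recording the mode means a chmod with unchanged content (e.g. a
    newly setuid binary) is still reported as a modification."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    st = path.stat()
    return {
        "sha256": h.hexdigest(),
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Map of relative path -> fingerprint for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def compare(root: Path, baseline: dict, approved=()) -> dict:
    """Diff the live tree against the baseline.
    'approved' is the set of paths covered by an open change ticket
    (assumed input for the example); those land in a separate bucket
    instead of being raised as alerts."""
    current = build_baseline(root)
    approved = set(approved)
    findings = {"added": [], "removed": [], "modified": [], "approved": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "added"
        elif rel not in current:
            kind = "removed"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue  # unchanged: stay silent
        if rel in approved:
            findings["approved"].append((rel, kind))
        else:
            findings[kind].append(rel)
    return findings


def demo() -> dict:
    """Constructed scenario (not real cardholder-environment data):
    baseline a fake host, make four kinds of change, report what FIM sees."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    files = {
        "etc/app/config.ini": b"[db]\nhost=db.internal\n",
        "bin/cardproc": b"#!/bin/sh\necho processing\n",
        "www/index.html": b"<h1>Shop</h1>\n",
        "www/old.js": b"// legacy\n",
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.chmod(p, 0o644)  # fix the mode so the baseline is deterministic
    baseline = build_baseline(root)

    # 1. Approved change: config edited under a change ticket.
    (root / "etc/app/config.ini").write_bytes(b"[db]\nhost=db2.internal\n")
    # 2. Unauthorised file dropped into the web root (constructed web shell).
    (root / "www/shell.php").write_bytes(b"<?php system($_GET['c']); ?>\n")
    # 3. File removed without a ticket.
    (root / "www/old.js").unlink()
    # 4. Permission-only change: same bytes, but the binary is now setuid.
    os.chmod(root / "bin/cardproc", 0o4755)

    return compare(root, baseline, approved={"etc/app/config.ini"})


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(f"{bucket:9s} {items}")
```

Only the three unapproved changes would page anyone; the config edit is recorded but filed against its ticket, which is the change-control discipline the paragraph above describes. Note that the setuid change is caught purely because the fingerprint includes the mode; a hash-only monitor would have stayed silent on it.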
