PCI DSS 3.2 comment

by Mark Rowe

While the new PCI DSS 3.2 requirements are an essential shift to protect against fast moving cyber threats, the fact that it will take up to two years for companies to become compliant proves how vulnerable many will be for the foreseeable future, according to a data centre storage company.

Previous PCI DSS (Payment Card Industry Data Security Standard) requirements have not been dynamic enough to keep up with the pace of change in the contemporary cyber security landscape, whereas the new rules favour regular incremental updates that keep pace with the changing security environment. This will help businesses to protect some of their most valuable data from the fast-moving threat of cyber attack, says Chris Scott, Programme Director at The Bunker.

Comment

Chris Scott said: “By setting a two year window to become compliant, the PCI SSC may have inadvertently set up a period of greater confusion for end users, who will need to take extra care to ensure that their data is adequately stored and protected, and that third-party providers guarantee a high degree of security and compliance. Cloud providers that are only compliant with PCI DSS regulations older than 3.2 will be leaving their customers more vulnerable to attack, and the fact that it will take some up to two years to meet the requirements shows how far behind many cloud providers are.”

The PCI DSS seeks to protect cardholder data by ensuring that all merchants abide by certain levels of security when handling this data. The PCI SSC updates the compliance requirements intermittently, according to its own timetable. The Security Council’s U-turn of December 2015 revealed the faults inherent in this approach – the date by which organisations that handle cardholder data must migrate their cryptographic protocols was postponed by two years after it was revealed that this deadline was unrealistic. It had become clear that these occasional yet abrupt updates imposed major system changes on organisations without regard for the agility of the modern cyber attacker and the unpredictability of the security climate.

Chris Scott added: “Businesses that hold cardholder data face an agile and elusive threat in the form of the modern cyber attacker, but the new incremental approach should ensure ever greater protection. The PCI’s old approach simply was not dynamic enough to reliably combat this danger. Businesses can fortify themselves by doing their due diligence to ensure that their payment providers understand the consequences of PCI DSS 3.2 and comply with the updated standards.”

Background

Visit the PCI Security Standards Council website: https://www.pcisecuritystandards.org/.