Is it actually clickbait if I disclose I used clickbait in the first sentence?? While some might say yes, I would argue that my readers are discerning enough to see through the ruse. Can you fault me for trying to learn the rules and ensure that I am not only in compliance with them, but also using them to my advantage? I’m just looking for a little lift with search engine optimization. Speaking of taking such an approach, let’s turn to the real topic at hand: PCI-DSS Myths.
PCI-DSS stands for Payment Card Industry-Data Security Standard. It is a standard aimed at protecting cardholder data processed, transferred, or stored by any entity or individual that takes payment cards. Thinking back on my time working for a single corporation prior to returning to contracting, I can sum up my thoughts regarding PCI compliance very simply: “Whatever we do, let’s not take credit cards so we don’t have to deal with PCI-DSS.” I allowed what I didn’t know to dictate my decisions, which is never a good plan. I did not make time to learn more then, but my current role leaves me with no option but to learn more, so I’m diving in, and I hope to share what I learn as I go.
I’ve discovered there are a few common myths surrounding PCI-DSS:
Myth 1: We don’t need to comply with PCI-DSS because we only have a few transactions a year, or a very low dollar total in transactions. Reality: PCI-DSS is a contractual agreement between a merchant, the card brands, and the banks handling the payment processing. Understanding that PCI-DSS is a contractual standard, not a government regulation, is the best place to begin to understand why this myth exists. Government regulation very often applies only once some threshold has been reached. There is no minimum threshold with PCI.
Myth 2: If we outsource our card payment processing, we have no need to concern ourselves with PCI-DSS. Reality: While much of the burden will be on the outside vendor to ensure many of the technical controls are in place, there are still responsibilities that remain with you, the merchant. For example:
Myth 3: PCI-DSS is too complicated to comply with. It will take a full-time person just to deal with it. Reality: The bulk of the requirements of PCI-DSS are likely to already be in place in an organization with a healthy information security program. Some of the specific governance controls regarding policies might be lacking, but even those should be addressed by a mature information security program. Achieving a strong InfoSec program is an area Parameter can certainly assist with on a fractional basis if you don’t have the budget to onboard a full time executive.
Myth 4: If we comply with PCI-DSS, we have done all we need to do to protect the organization. Reality: PCI-DSS primarily deals with securing cardholder data, not the entire environment. Additionally, a PCI-DSS certification is a snapshot of a specific point in time. A healthy information security program will have many more controls in place and enforce constant vigilance over the entire environment.
PCI-DSS is undeniably complex, and is ever changing—especially with the release of v4.0—and I have the utmost respect for organizations working to ensure their customers and their data are protected. While I am certain there are myriad misconceptions not mentioned here, these are a few of the myths my colleagues and I encounter most commonly. The good news is, even though it would be impossible to address every misbelief about PCI in a single article, odds are they will be easily answered by an overall information security program that is at a healthy maturity level. One of the best ways to ascertain where your security program lies on the InfoSec spectrum is to compare it against a standard framework such as NIST, ISO 27002, or an equivalent.
In part, this is the advantage I touched on earlier. Since you might find yourself needing to pursue PCI-DSS certification, take this opportunity to not only look at how to meet the minimum requirements of certification, but also to do an overall evaluation of your information security program. If conducting such an assessment is beyond your in-house expertise, that is where your humble author would suggest contacting Parameter Security to assist you in assessing and architecting your program. You can find us at https://www.parametersecurity.com/, and we look forward to speaking with you.
The most fulfilling part of my role at Parameter is connecting with clients, assisting them in digging into their current security program, and subsequently developing and executing a plan to get them to where they want to be.
So many organizations we work with find themselves at the end of a history of purchasing technology they hoped would make them more secure, or possibly pursuing certifications they thought would do the trick. In the end, they have an appearance of being secure, but their true state of security is unimproved from where they started. Parameter Security works with clients from around the world to implement standards and protocols that actually protect companies’ clients and data.
So what does all this have to do with House of the Dragon? Well, much like House of the Dragon is a follow up to Game of Thrones, PCI-DSS has a sequel in the works, too. The PCI-DSS v4.0 standard has arrived, and mandatory compliance is coming sooner than many realize. While it may clarify some of the issues folks find frustrating currently, it may also open a new can of worms. That’s why we conducted webinars around the topic and invited friends to join us with their questions and to learn more about PCI 4.0. You can find information about upcoming webinars and other PCI resources.
Until next time, please feel free to reach out if I can help you with your Information Security program in any way.