Long before the term “data breach” became a trending topic, several members of the payment card industry — notably Visa, MasterCard, Discover, American Express, and Japan Credit Bureau — recognized the need to increase security at the merchant level for the storage and processing of payment card information. Those entities pooled their security standards into the Payment Card Industry Data Security Standard (PCI DSS), which was first introduced to the world in December 2004.
Ten years, millions of lost records, and multiple updated PCI DSS versions later, full merchant compliance is still a long way off. As noted in the Verizon 2014 PCI Compliance Report, only 11.1 percent of sampled companies had achieved full PCI DSS 2.0 compliance.
The abysmal year-after-year full-compliance statistics have not gone unnoticed. Compliance was previously based on a snapshot assessment of security procedures and products in play at the merchant business. PCI DSS Version 3.0, introduced earlier this year, represents a slight change in philosophy: Security is not simply a checklist of security-related products and procedures; rather, it’s an ongoing journey of user education and training in the use of those security products.
The change in philosophy is evidenced in the requirement that merchants undergo a penetration test — essentially a controlled cyber attack designed to reveal system vulnerabilities — based on a new national standard for penetration testing. The testing process often directly addresses security at the weakest point, teaching average users to identify and avoid common cyber threats.
The reality is the majority of cyber breaches have come from simple employee errors or misuse of the systems in place. A penetration test will actively engage the employees and computer users in an organization and assist in educating them about the effects of their actions. This new requirement alone, if well implemented, may significantly reduce the frequency of data breaches and allow security products and software to perform as designed.
The deadline for firms to complete a penetration test is not until July 2015, and there is still a long road ahead to improve private data security. Penetration testing is an eye-opening experience for all involved. I, for one, am optimistic that this new requirement will make all those involved aware of their important role in data security.
We at ISO are keeping track of all challenges related to cyber exposures. If you have any questions about the new PCI DSS standards, you can email Shawn Dougherty at sdougherty@iso.com anytime.