Who cares about PCI DSS?
Posted by: Dave on Oct 26, 2009
The PCI DSS is a set of minimum requirements designed to reduce the likelihood of a data breach occurring. The emphasis is on 'minimum set of requirements' and 'reduce the likelihood'. Preventing attacks by sophisticated attackers requires a much higher standard of security. In our recent blog post on the Heartland court filing documents we gained an insight into how PCI compliance was viewed by Heartland. Since that post was published, two reports have emerged that give further insight into how PCI DSS is viewed by the wider community.
Imperva, specialists in data security, and the Ponemon Institute carried out a survey across more than 500 U.S. and multinational IT organisations. I will not go into detail on the survey findings, as you can read a detailed analysis of them at darkreading.com or iTWire. Importantly, the survey reveals that roughly 30 percent of organisations take PCI security seriously, while the others see it as a check box. Had this survey taken place prior to the Heartland data breach, I suspect Heartland would have been among the 70% of organisations that viewed PCI DSS as a checkbox routine.
The Web Application Security Consortium has published its Web Application Security Statistics report for 2008. The report includes data on 12,186 web applications with 97,554 detected vulnerabilities of different risk levels. The report has several interesting findings, but the one relevant to this discussion is that 99% of the web applications were not compliant with the PCI DSS requirements. We have no information on the nature of the web applications included in the survey (for example, whether they were in the financial services industry), but even so this is a rather shocking statistic.
PCI DSS is a minimum set of requirements, but realistically a much higher level of security is needed to protect cardholder information. If the industry continues to struggle to implement even this minimum set of requirements, then data breaches will continue to increase.
Dave
written by John Clarke, October 27, 2009
Until some serious fines are passed down to merchants for non-PCI compliance (as opposed to retrospective fines after data has been breached, as has been the case to date), it is unlikely that PCI DSS compliance will be taken seriously.
The card schemes (i.e. Visa & Mastercard) are in a position to do this (as PCI DSS compliance has been mandatory for over a year), but do not seem to have an appetite to do so yet. Mastercard, in particular, have been rattling their sabres about fines being imminent for over a year now.
The other event likely to drive PCI DSS compliance is a very large, high-profile data breach in Europe, which will allow the card schemes to move on taking a tougher line on PCI DSS.
