For many IT security professionals, compliance is seen as a necessary evil.
The approach to compliancy is often to get “a tick in the box” as quickly as possible and move on to other things. The impending PCI DSS v3.0 standard which will finally be enforced in January 2015 however, requires continuous updates and refinements to ensure organisations not only achieve the standard but also remain compliant.
The good thing about PCI-DSS v3.0 is that it’s actually being designed as a simpler standard which is focused on three key areas:
1. Education and awareness
2. Integrating PCI-DSS in to BAU activities
3. Understanding the responsibilities been the customer and supplier
However, there is no doubt PCI DSS v3.0 will be considered a thorn in the side for many – we expect to see a number of businesses taking the ostrich approach and hoping for the best or alternatively, find a partner that offers compliancy and get them to take care of it. Working with the right partner for compliancy can certainly help to acquire the necessary green lights, but businesses should be informed and aware that PCI DSS v3.0 requires a greater degree of diligence in whom they choose to partner with.
Less than a third of businesses are actually compliant
In our experience, whilst most businesses may think or hope they are PCI compliant, when we assess them, the majority are in fact failing to meet the requirements –only around 30 per cent or less of the customers we assess successfully make the cut – even those who have previously worked with a third party PCI DSS compliance provider.
To put this in real terms, a significant proportion of businesses failing to achieve PCI compliance have already taken steps to meet the requirements, and many are operating under the mistaken belief that they are compliant. This ‘compliance myopia’ is in many cases related to the outsourcing of PCI compliance to managed service providers without due care and attention.
The theory is sound – many third party providers offer PCI compliance services that tick certain standards and requirements – which means you won’t need to invest in in-house resources to tackle them. As ever however, the devil is in the detail – it pays to dig deeper and ask questions; even those providers that do claim to be PCI compliant may only actually cover one of two of the twelve requirements the standard addresses.
PCI DSS v3.0 makes you liable, not your provider
Are we splitting hairs? Should you care? Well, PCI DSS v3.0 will be a watershed – it puts the responsibility of compliance for all twelve standards onto the business itself, whether or not you are working with a third party specialist. To put this simply – if your outsourced compliance partner does not offer all twelve of the PCI requirements, you will fail to provide the level of PCI cover needed when the auditor arrives and you will be liable for regulatory fines.
In this day and age it is nolonger feasible to look away or to claim ignorance. New regulations, best practices and standards will result in more breaches being made public – leaving culpable companies with nowhere to hide, and risking exposure to public and legal scrutiny. Industry giants are also increasingly cracking down on non-compliance, with VISA set to increase fines for merchants that don’t meet its requirements in 2015 and only granting approved service provider status to those that do.
PCI DSS v3.0 is black and white
The good news is that PCI is not a grey area – it’s back and white. With expert help and commitment you can identify exactly the processes required and measures needed to plug any gaps. Moreover, working with a VISA approved ‘Managed Service Provider’(rather than a VISA approved Hosting Partner) will not only address all twelve PCI requirements, but the nature of achieving compliancy will act as a source of business advantage by introducing efficiency and streamlining many operational IT processes.
At The Bunker we have an internal governance team dedicated to advising and consulting with each customer – putting a roadmap into place and handling all elements of reporting required by the QSA.
Don’t wait until audit time to find out where your business is falling down – work with a partner you can trust who will have the insight and tools needed to not only answer any questions raised by your board or the QSA, but also ensure your business is protected against future risks and fines.