In the “At A Glance” document the PCI SSC says that a core goal of v4.0 is to “Promote security as a continuous process” because “Criminals never sleep. Ongoing security is crucial to protect payment data.” At this point any readers from the Information Security community are muttering “duh” to themselves. Yes, it’s obvious. What should flow from that, but is perhaps a little less obvious, is that the list of PCI DSS security controls does not get shorter or easier as time goes on. Version 1.1 of the PCI DSS was a 17-page PDF. Version 4.0 is 360 pages. They didn’t just add a lot of cool clip art. The standard is far more robust. It requires more of us, as a community, to appropriately protect account data, cardholder data, and sensitive authentication data. The data thieves keep adding to their list of tools, so our list of controls, protections, and requirements has to grow as well. Finally, what does this mean for compliance budgets? Well…they’re not going to go down either, unless you can find a path to reducing scope so that fewer PCI DSS controls are applicable to your environment. Otherwise, it will take additional FTE and hard budget resources to implement, maintain, and assess an ever-increasing list of security controls in order to maintain compliance.
Keep watching this space as well as all other CampusGuard communication channels like Twitter and LinkedIn, and be sure you’re signed up for our Newsletter and Announcements via the Contact Us section below. And as always, your CampusGuard Customer Advocate Team is here to help.