With the new data security standard coming into force on the 1st February, companies are going to be challenged to provide evidence of constant compliance. Four out of five companies failed interim PCI DSS assessments and the total cost of an average data breach stands at $4M. So with time running out to plug the compliance gaps, how will businesses react?
1st February 2018 marks the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, which aims to reduce, and improve the response to, cyber-attacks that result in payment data breaches. Originally announced in 2016, the standard has given the industry almost two years to prepare for these increased requirements, yet a significant percentage of businesses are still not prepared.
PCI Pal CTO, Geoff Forsyth, explains: “The industry has developed a culture of ‘compliance cramming’, treating PCI as an annual exam to be passed without working towards a culture of continuous compliance. For businesses in this ‘annual pass’ group, PCI DSS 3.2 could be a rude awakening because it requires evidence of continuous compliance instead of a pass/fail.”
Primary requirements of PCI DSS 3.2 include:
● Expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment
● Additional security validation steps for service providers and others, including the ‘Designated Entities Supplemental Validation’ (DESV) criteria
Businesses Struggling to Gain & Sustain Compliance
Despite existing data security standards, many companies struggle to maintain continuous compliance. A 2017 report found that, at the time of a data compromise, the average merchant is not compliant with almost half (47%) of current PCI DSS requirements. Of those that do pass compliance checks, almost a third are no longer compliant just 12 months later, according to Verizon’s PCI DSS Compliance report.
Forsyth continues: “To be PCI compliant is a constant process. The annual assessment has, to date, only been able to check that the correct processes are in place. PCI DSS 3.2 will change that approach, requiring evidence that device inventories and configuration standards are kept up to date, and security controls are applied where needed.
“Companies should no longer rely on outdated workarounds such as pause-and-resume when taking payments over the phone. The recent spate of high-profile security has thrust this issue into the spotlight, but this new standard will ensure it stays front of mind for the industry at large.”