The latest version of the PCI Data Security Standard, formally released last month (Version 2.0, 28 October 2010), gives merchants, service providers, auditors and banks an opportunity to briefly review how far (or not) the card payment industry has come in securing its cardholder data.
Many IT managers and finance directors still loathe the words "PCI compliance", but the essential common sense of the 12 requirements is slowly being understood as general good practice for data security. Version 2.0 offers no seismic shift in the standard or its approach. Clarification of the existing requirements, a more detailed reporting and testing process, and a longer three-year cycle of updates all demonstrate that the standard is bedding in as a mature yardstick for data security.
Now is a good time to pause and reflect on why these requirements cause so many organisations so much pain. We should also scratch our heads and ask why we have not done all this before. Clearly, a big part has been played within our organisations and companies by a culture that sees security as an optional add-on, as something to be considered only when the budget exists, or, as is the case with many, by a naive belief that security is someone else's problem.
Every week, the media is full of cases of data theft: law firm websites being compromised, major hotel chains being breached, and high-street retailers being attacked. And what about the reports of card details being sent out in clear-text e-mails as part of what was apparently a routine, legitimate business process that nobody had thought about, or the reports of yet another loss of personally identifiable information (PII) on a USB stick, CD or laptop, or in an unencrypted e-mail or spreadsheet?
The pillars and concepts of PCI security are not rocket science. They consist of 12 requirements that any information security manager worth their salt would be able to pull together as sensible, commonsense measures that any organisation which takes security seriously should already be doing to some degree.
New European breach laws are being drafted that will make it a legal requirement for companies to report breaches of a much wider remit than cardholder data. Any loss of PII may soon have to be declared publicly, starting with the telcos.
In the US, 46 states now have laws that require all data breaches to be reported. Three states have gone as far as to make parts, or in some cases all, of the PCI DSS a legal requirement.
Closer to home, businesses in the UK now face fines of up to £500,000 if they breach data protection laws, after new powers for the Information Commissioner's Office (ICO) came into effect in April 2010.
Companies that handle personal, financial or sensitive data should now be looking at their approach to security. The PCI DSS has shown only too clearly that an 11th-hour response cannot be delivered in an effective, manageable and business-driven way; in many cases it comes with pain, diverted resources and additional cost.
The government's National Security Strategy puts cyber attacks in the top tier of most likely threats to the UK. Does your company place security around the data that it holds? Whose reputation will be next to become tarnished with an unthinkable data breach?
Ben Densham, CISSP, is a technical consultant with Nettitude
Security Zone is a regular series in Computer Weekly covering all aspects of IT security management. Each article is written by a member of the International Information Systems Security Certification Consortium (ISC)2.