This week marks the annual sojourn for many of us in North America involved in the payment card industry's security and compliance efforts. For many attendees, both Assessors and Assessed, the primary topic is the Data Security Standard. The standard's lifecycle runs three years, with many important milestones along the way that allow for the development, maturation, and introduction of the next version. Ignoring the official stages and listening to the surrounding discourse, the simplified lifecycle would seem to have three phases:
Circulate: Receive information about the newest iteration of the standard, progressively over several months
Complain: Regurgitate arguments about why compliance isn’t security and specific controls are unnecessary
Comply: Realize that your acquiring entity still needs your compliance report and get to work addressing the changes
The publication of the newest version was announced at last year's gathering, and we've had time to review and digest it. It's now time to begin thinking about the feedback we will provide and how to meet any new requirements being introduced. Are the newly added controls effective? Are there areas of risk that still lack sufficient coverage? Can the clarity of the requirements be improved? Do you still have to ask your QSA?
There has been no shortage of important news stories around card security in the recent press. There is obviously still room to improve security, decrease fraud, and do so in a way that benefits all parties involved. It will take the cooperation of the entire ecosystem in order to attain that goal. The annual community meetings give us a chance to spark those conversations.
If you’ll be at the CM, I hope we get a chance to catch up and chat. If you won’t make it, there will be updates from the meeting and posts specifically around PCI DSS 3.0 in the near future.