Visa Europe revealed important stats about the usage of Contactless Cards.
Poland, Spain and the UK use this payment methd the most,
with UK usage growing by 300% year over year.
PCI DSS Prioritized Approach
Igor Mancini October 16, 2015
5 minutes read
The Payment Card Industry Data Security Standard (PCI DSS) is a continuous process (asses-remediate-report) and a vital part of a company's security dealings. But it's also extremely complex to follow, understand and put in place for many organisations. Furthermore, sometimes it is difficult for PCI DSS specialists to describe the benefits of the PCI Standard in a clear way, when dealing with Clients that do not understand its technical aspects and how to plan each task.
Realising these and other challenges, the PCI Security Standard Council have put together a document called the Prioritized Approach which aims to be a helping hand when it comes to getting organisation up to speed with achieving, monitoring and maintaining their PCI compliance.
In order to protect yourself from card fraud and to keep your money safe, it is vital that you know more about this technology. This article breaks the topic down for you and also teaches you some important methods for preventing card fraud.
As stated by the PCI Council themselves, there are some key goals they had in mind when they created this document:
Can help merchants identify highest risk targets
Creates a common language around PCI DSS implementation and assessment efforts
Milestones enable merchants to demonstrate progress on compliance process
The PCI SSC recognises that those in charge of securing, protecting and keeping cardholder data safe may have no idea where to start and so the PCI DSS Prioritized Approach can:
"help stakeholders understand where they can act to reduce risk earlier in the compliance process"
Additionally, the document is:
"suitable for merchants who undergo an on-site assessment or use SAQ D."
And not only does the document create a better understand of what compliance means and how merchants can achieve it but, as the name suggests, it can also aid them in prioritising certain requirements and it gives them tangible objectives and achievements.
This is no replacement for PCI Compliance.
As mentioned, the Prioritized Approach is designed to be a 'helping hand'; like a walking stick to lean on or a friend shouting words of encouragement and advice from the sidelines. But what it is absolutely, under no circumstances meant to do is replace the list of PCI DSS requirements, nor is it designed to replace the entire PCI compliance structure.
Although the document can aid merchants and security teams on the long road to compliance, it's really important to understand that even if you get through one or even five of the document's six milestones (scroll down for a more detailed explanation on that), that doesn't automatically make your company PCI compliant, it just means that you're doing a good job of getting there.
How is the document structured and how can you use it?
The PCI DSS Prioritized Approach document is structured in an easy-to-digest way. First, it outlines six different milestones:
Removing sensitive authentication data and limiting data retention
Protecting systems and networks and being prepared to respond to a system breach
Securing payment card applications
Monitoring and controlling access to your systems
Protecting stored cardholder data
Finalising remaining compliance efforts, and ensuring all controls are in place
These milestones have numbered labels too and they have been added to the list of requirements, next to the requirements that pertain to them. For example, when we look at requirement 9.9 - and more in details to its sub-requirements - we notice that they are labelled with a number 2, which reminds us to:
"Protect systems and networks, and be prepared to respond to a system breach. This milestone targets controls for points of access to most compromises, and the processes for responding."
The numbered labels are colour-coded which should save you time as you won't have to keep going back to the milestone table that the PCI SSC has laid out for you.
This approach merchants to plan for identified problems better (in terms of manpower and finances). So for example, if you really want to prioritize your response to a system breach then you can put all of your resources into that, following the labelled requirements to tell you exactly what you need to do.
If you're a small to mid-sized business, this is especially handy as you will not spread yourself (or your resources) too thin and it allows you to get things done instead of starting (and not finishing) lots of tasks.
A great support for Consultants and IT Security providers.
The document helps IT security teams in completing PCI DSS related tasks. And while this was probably the first goal of the PCI SSC when they created and published the document, imagine how it can also support companies in the IT Security industry that offer consultancy or products that help entities in achieving, monitoring and maintaining their PCI compliance.
As a consultant or someone who provides PCI DSS to entities, this document is useful for you too as it allows you to stress the importance of PCI compliance better as merchants will be able to have a much firmer grasp on what the PCI DSS actually is and why they need it. As a result this supports you and your consultancy services and it can even be used as a tool to help you sell your PCI compliance services.
It is a great tool, don't you agree?
As mentioned, although the document makes life easier, we think that it is merely a step towards PCI compliance. With PCI compliance being mandatory for all business that store, process and transmit cardholder data, the document is a welcome tool from the PCI SSC but there is still lots that must be done once the requirements have been completed.
It is important to remember that, even when you've fulfilled all of the milestones and requirements for compliance, you still need to be assessed by a qualified company (QSA) and compliance is a continuous process too as you need to be reassessed regularly - according to the type of business you run - to ensure that you are still keeping inline with the PCI DSS' requirements.