While PCI DSS 3.0 took effect in January 2014, organisations have been able to postpone implementing the standard until 1 January 2015. With only 15 working days to go, Vormetric’s VP EMEA, Paul Ayers, highlights the need for data-centric security measures around card data:
“Maintaining credit and debit card information on behalf of financial services clients demands the highest levels of security and customer confidence, and adhering to standards like PCI DSS plays a crucial role in this. Unfortunately, given the fact the financial sector remains a key target for cyber-criminals – pummelled by both nation state hackers trying to harm enemies’ core financial structure and criminals out to steal money – the time has come to put protections in place around that data itself.
“Reflective of this environment, it should come as little surprise to many that this version of the standard has some 408 requirements – that’s 27 percent more rules than version 2. Interestingly, revisions to this version have reinforced the criticality of robust encryption and key management. Section 3.5.2, for example, calls on businesses to store secret and private keys used to encrypt/decrypt cardholder data separately and/or within a secure cryptographic device. Furthermore, the PCI Council also elaborated on the principles of split knowledge and dual control, helping underscore the criticality of implementing controls so no single administrator has privileged access to either keys or encrypted data.
“In the past, organisations only encrypted for protection what they were forced to protect by compliance requirements, or when they were in an industry area where secrets were important. These new stipulations show why PCI DSS is no longer a simple ‘check box’ compliance activity – it has evolved considerably past the point where once a year a business made sure they were adhering to its stipulations. In this brave new world where the tempo of data breach incidents perpetrated by hackers shows no sign of slowing and the risk to data can also come from a trusted insider, any business handling payment data and sensitive, personally identifiable data needs to put encryption with granular access controls in place.”
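The split knowledge and dual control principles mentioned in the quote are easiest to see in code. The following is an added illustration, not Vormetric's product code and not text from the PCI standard: a data-encrypting key is XOR-split into shares so that no single custodian's share reveals anything about the key (split knowledge), and a key ceremony object refuses to reconstruct the key until every enrolled custodian has presented a share (dual control). The use of XOR secret sharing and a truncated SHA-256 digest as the key check value are illustrative choices assumed here; a production deployment would hold the shares in an HSM or other secure cryptographic device rather than in Python variables.

```python
"""Split knowledge and dual control for a data-encrypting key (added example)."""
import hashlib
import hmac
import os

KEY_LEN = 32  # 256-bit data-encrypting key


def split_key(key: bytes, custodians: int = 2) -> list:
    """XOR-split `key` into `custodians` shares.

    All shares but the last are uniformly random, and the last is the key
    XORed with them, so any subset of fewer than all shares is statistically
    independent of the key: no single custodian learns anything about it.
    """
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [os.urandom(len(key)) for _ in range(custodians - 1)]
    last = bytes(key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)
    return shares


def combine_shares(shares: list) -> bytes:
    """XOR all shares back together; a missing or altered share yields an
    unrelated value, which the key check value below will catch."""
    out = bytes(len(shares[0]))
    for share in shares:
        if len(share) != len(out):
            raise ValueError("share length mismatch")
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def key_check_value(key: bytes) -> str:
    """Short fingerprint recorded at enrolment so a reconstructed key can be
    confirmed without exposing it (assumed: SHA-256 truncated to 6 hex digits)."""
    return hashlib.sha256(key).hexdigest()[:6]


class DualControlKeyCeremony:
    """Reconstructs the key only once every enrolled custodian has presented a
    share, then verifies the result against the enrolment-time check value."""

    def __init__(self, custodian_ids, kcv: str):
        self.expected = set(custodian_ids)
        self.kcv = kcv
        self.presented = {}

    def present_share(self, custodian_id: str, share: bytes) -> None:
        if custodian_id not in self.expected:
            raise PermissionError(f"{custodian_id} is not an enrolled custodian")
        self.presented[custodian_id] = share

    def reconstruct(self) -> bytes:
        missing = self.expected - set(self.presented)
        if missing:
            raise PermissionError(f"dual control not satisfied; missing {sorted(missing)}")
        key = combine_shares([self.presented[c] for c in sorted(self.expected)])
        if not hmac.compare_digest(key_check_value(key), self.kcv):
            raise ValueError("key check value mismatch: a share is wrong or altered")
        self.presented.clear()  # shares must not linger in memory after use
        return key


def demo() -> bool:
    """Enrol a key with two custodians and show that only both together can
    recover it. Returns True when the ceremony behaves as intended."""
    key = os.urandom(KEY_LEN)
    alice_share, bob_share = split_key(key, 2)
    ceremony = DualControlKeyCeremony(["alice", "bob"], key_check_value(key))
    ceremony.present_share("alice", alice_share)
    try:
        ceremony.reconstruct()  # one custodian alone must be refused
        return False
    except PermissionError:
        pass
    ceremony.present_share("bob", bob_share)
    return ceremony.reconstruct() == key


if __name__ == "__main__":
    print("dual control enforced:", demo())
```

The point of the check value is operational rather than cryptographic: during a key ceremony it lets the custodians confirm they reconstructed the enrolled key without any of them ever seeing the key bytes, and it turns a mistyped or tampered share into an immediate, auditable failure instead of silently encrypting cardholder data under the wrong key.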