PCI DSS compliance has been around for more than 10 years. Networking and firewalls have been in use in corporate data centers for much longer and covered entities have relied on these technologies to segment their PCI environments and reduce their compliance and audit burdens. Today’s data center environments are more complex, abstracted, and distributed. The techniques and technologies utilized by bad actors have also evolved. As a result, we continue to see reports of high-profile data breaches. QSAs continue to issue findings on critical PCI scoping and segmentation errors, on failures to properly isolate the CDE and connected systems traffic, and for having networks that are too flat.
The ability to accurately scope and segment your PCI environment is a critical first step of an effective and sustainable PCI compliance program. The PCI Standards Council published the "Information Supplement: Guidance for PCI DSS Scoping and Segmentation" to help organizations identify the systems that are in scope for PCI DSS; it also offers considerations for using segmentation to reduce the number of systems in scope for PCI DSS controls. Executing these activities is not always easy for many organizations.
Credit card payment processing methods and the infrastructure and systems that support these processes have evolved significantly over the years. It is not uncommon to have applications where the software stack is running on different compute platforms and geographically dispersed. Organizations are also using third-party cloud services to deliver discrete activities in the shopping and payment process. As the scope of PCI broadens to include an increasing range of on-premises and third-party services, and a combination of old and legacy technologies, visibility and control become more critical.
At the end of 2016, SWIFT introduced a new Customer Security Program, which also includes the SWIFT Customer Security Controls Framework (CSCF). Last August, SWIFT announced a new version of the SWIFT CSCF in response to the growing number of cyberattacks on SWIFT infrastructure, causing billions in financial losses. Member institutions are expected to comply with these new controls and attest to the mandatory controls at the end of 2019. The latest version promotes some advisory controls to mandatory controls and introduces new advisory controls.
PCI DSS requires covered companies to not only be 100 percent compliant, but to also maintain that posture continuously. The Interim report on compliance (iRoc) is a measure of the state of compliance and efficacy of PCI controls in between assessments – and is a good proxy for measuring an organization’s ability to maintain a continuous state of 100 percent PCI compliance. Verizon’s 2018 Payment Security Report finds that an increasing number of merchants are 100 percent compliant, growing from 11.2 percent of the covered merchants in 2012 to 52.5 percent in 2017.