I’m going to refer once more to something from a previous blog post, the one about Verizon’s 2012 Data Breach Investigations Report.
One statistic it mentioned was that 96% of victims subject to PCI DSS had not achieved compliance. What does that say? They probably would have stood a better chance had they been compliant.
The PCI Data Security Standard, though judged harshly by some (usually those who are in the middle of trying to get compliant), is a good security standard. It is quite prescriptive, but if you are actually following it, your organization’s security posture has improved.
The basics again:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
There are 200+ specific requirements under the above six headings. You need to comply with ALL 200+ requirements to be considered compliant, or have documented compensating controls in place for any individual requirement you cannot meet as written.
Too often I hear, “We’re compliant. We’re doing our quarterly scanning and completing our SAQ (Self-Assessment Questionnaire).”
Running some scans and checking some boxes does NOT make you PCI DSS compliant. The quarterly external scans and the SAQ are how you validate and report on compliance; they are not the controls themselves. The actual requirements, things like segmenting and protecting the cardholder data environment, rendering stored PANs unreadable, restricting access on a need-to-know basis, and logging and reviewing access to cardholder data, are what have to be in place, and a scan or a questionnaire cannot substitute for them.