I’m going to refer once more to something from a previous blog post, the one about Verizon’s 2012 Data Breach Report regarding PCI compliance.
One statistic they mentioned was that 96% of victims subject to PCI DSS had not achieved compliance. What does that say? They probably would have stood a better chance had they been compliant.
The PCI Data Security Standard, though judged harshly by some (usually those who are trying to get compliant), is a good security standard. It is quite specific, but if you’re following it, your organization’s security posture has improved.
The basics again:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
There are 200+ specific requirements under the six headings above. You need to comply with ALL 200+ requirements, or have compensating controls in place, to be considered compliant.
I too often hear, “We’re compliant. We’re doing our quarterly scanning and completing our SAQ” (Self-Assessment Questionnaire).
Running some scans and checking some boxes does NOT make you PCI DSS compliant.
For recommendations on payment processing with newly remote workers, the PCI SSC suggests reviewing key areas to protect payment card data; see the PCI SSC article “Payment Processing in a Remote Working Environment”.