PCI compliance managers and professionals from over 20 household names came together at the inaugural PCI DSS Forum London event in June, with one issue in particular on everyone's mind: Version 1.2.
True to form, according to many present, the PCI Security Standards Council has been vague as to what the update will entail for businesses. However, experts on the day, including Branko Lolich from American Express, echoed the official statement of the Council: Version 1.2 is simply a refinement of the current standard; carry on as you are until 1 October and you will then have a grace period in which to make the changes. You could almost hear the room breathe a (very) cautious sigh of relief. A month later, the PCI Council announced the 24 Month Lifecycle Review and Change Process, proof that changes to the standard can be expected on a regular basis rather than as one-off events.
A major requirement of the PCI DSS (Requirement 12.6, security awareness) is that every member of staff acknowledges, at least annually, that they have read and understood the security policy, so a company must elicit a response from 100% of its user population, not just from those who happen to see a notice. These changes, no matter how minor, must therefore be communicated across the entire card processing network. All policy documentation will be inspected during onsite audits, and staff will be questioned as to their understanding of policies, so it is imperative that staff be kept up to date on Version 1.2 and all subsequent revisions to the standard, and on how these affect their responsibilities; no mean feat when the standard itself is now on a 24 month review cycle.
Managing the PCI DSS Lifecycle Review
So, how do you manage this, and more importantly, how can you prove to an assessor that you have made every effort to do so? Well, according to some, Automated Self Certification is the answer. We asked Robert O'Brien, CEO of Baronscourt and expert on Automated Self Certification, to give us the five key ways in which the technology can help manage PCI DSS change:
Two recently published reports further compound the necessity of communicating policy and eliciting action and response across the user population. The Identity Theft Resource Center has issued statistics which state that 16% of all data breaches in 2008 have come from insiders, a figure up by 6% on last year. The 2008 Verizon Business Data Breach Investigations Report is even more shocking: 62% of data breaches can be attributed to a significant error in human behaviour, and business partners were involved in around a third of all breaches; small wonder that third-party issues appear so frequently on PCI forums and blogs. With the organisational compliance burden increasing year on year, it makes sense that more and more companies are turning to Automated Self Certification.
MetaCompliance is the leading automated policy management and self certification product suite. For more information on how MetaCompliance can help you overcome your PCI challenges, visit www.metacompliance.com