Gartner on PCI DSS 3.0 changes: Bigger, harder and more expensive

Date: Aug 13, 2014

While some hailed last November's release of the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 as a long-awaited update to a dated standard, the new rigor in PCI DSS 3.0 adds challenges to enterprise compliance efforts.

According to Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based Gartner Inc., PCI DSS 3.0 is about 27% larger than its predecessor, meaning enterprises will be forced to implement more security controls, making PCI compliance more expensive.

"There's no two ways about it. It's much bigger; it's more thorough. A lot of what's in there is a reaction to the [recent data] breaches," Litan said. "It's good [for] security, but it's becoming incredibly onerous for most merchants."

In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Litan discussed how Gartner clients are reacting to the PCI DSS 3.0 changes, specifically the challenges of meeting Requirement 11, which raises the bar regarding vulnerability assessment and penetration testing.

Litan also talked about the ROI of PCI DSS and whether the security benefit justifies the time, effort and money enterprises spend to achieve compliance, as well as how the standard is paving the way for next-generation security technologies such as point-to-point encryption and chip-and-PIN payment processing.
