While some hailed last November's release of the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 as a long-awaited update to a dated standard, the new rigor in PCI DSS 3.0 adds challenges to enterprise compliance efforts.
According to Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based Gartner Inc., PCI DSS 3.0 is about 27% larger than its predecessor. That growth translates into more security controls for enterprises to implement, and therefore a higher cost of PCI compliance.
"There's no two ways about it. It's much bigger; it's more thorough. A lot of what's in there is a reaction to the [recent data] breaches," Litan said. "It's good [for] security, but it's becoming incredibly onerous for most merchants."
In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Litan discussed how Gartner clients are reacting to the PCI DSS 3.0 changes, specifically the challenges of meeting Requirement 11, which raises the bar regarding vulnerability assessment and penetration testing.
Litan also talked about the ROI of PCI DSS and whether the benefits justify the time, effort and money enterprises must spend to achieve compliance, as well as how the standard is paving the way for next-generation security technologies such as point-to-point encryption and EMV chip-and-PIN payment processing.