
Gartner on PCI DSS 3.0 changes: Bigger, harder and more expensive

While some hailed last November's release of the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 as a long-awaited update to a dated standard, the new rigor in PCI DSS 3.0 adds challenges to enterprise compliance efforts.

According to Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based Gartner Inc., PCI DSS 3.0 is about 27% larger than its predecessor, meaning enterprises will be forced to implement more security controls, making PCI compliance more expensive.

"There's no two ways about it. It's much bigger; it's more thorough. A lot of what's in there is a reaction to the [recent data] breaches," Litan said. "It's good [for] security, but it's becoming incredibly onerous for most merchants."

In this interview, conducted at the 2014 Gartner Security & Risk Management Summit, Litan discussed how Gartner clients are reacting to the PCI DSS 3.0 changes, specifically the challenges of meeting Requirement 11, which raises the bar regarding vulnerability assessment and penetration testing.

Litan also talked about the ROI of PCI DSS and whether the security benefit justifies the time, effort and money enterprises must spend to achieve compliance, as well as how the standard is paving the way for next-generation payment security technologies such as point-to-point encryption and chip-and-PIN payment processing.


Today’s threats necessitate a multi-layered approach to data security. Breach reports continue to point to PCI DSS as a strong foundation for this defense-in-depth approach. But even with the best standards in place, these criminals are persistent in their attacks and we have to be persistent in our defenses, relying not just on one layer of protections but many. This has to be a daily priority, built into business practices, not a one-time effort.

Regarding updates introduced with version 3.0 – addressing third-party security, password and authentication challenges, pen testing and segmentation – these are all in sync with what the breach reports are demonstrating as problem areas and based on feedback from the industry, including merchants. The changes are aimed at providing the right balance of flexibility, rigor and consistency to help organizations make payment security part of their business-as-usual activity, not something centered on an annual assessment.
Enterprises need to establish processes that test themselves regularly to ensure that human error has not introduced an inadvertent vulnerability. Whenever a new employee is added to a network, robust passwords, etc., need to be established and changed with regularity. It is easy to be compliant today, but not compliant tomorrow. And PCI 3.0 obligates you to ensure your VoIP systems are secure too. How is your enterprise doing THAT? There are third-party tools that vastly simplify this and can be built into your work process. A great example is VoIPaudit, which provides comprehensive assessment of your VoIP network, identifying vulnerabilities, mapping them to the standard and providing remediation steps that can be taken to fix the problem. They have a free "lite" version that can be downloaded and run to validate the security and compliance of a VoIP system. And the risks are much more than toll fraud. You'll be surprised at what you find.
Interesting that the costs go to the business, and then straight to the credit card companies. If they want REAL security, they need to provide innovative ways they can protect themselves. Dumping it on the small and medium-size business hurts the economy. And frankly, the credit card companies are doing much better than most industries. They are better able to guard themselves.