While the Payment Card Industry (PCI) specification has always been a sore spot for many IT organizations, the latest iteration of the PCI specification is about to become a significantly more expensive endeavor for most organizations to comply with.
Rather than simply having a third party certify PCI 3.0 compliance, IT organizations, by the latter part of 2014, are going to have to show they ran actual penetration testing in order to attain compliance. Those tests will have to address not only physical connections but also any applications involving credit card transactions that an organization develops.
According to Rodolphe Simonetti, managing director of Verizon’s new Payment Card Industry Services, PCI 3.0 has a lot more teeth in terms of making sure an organization is able to comply with it. Nevertheless, Simonetti notes that, like most specifications, PCI covers only a base minimum level of security. The trap many organizations fall into, says Simonetti, is thinking that complying with PCI makes their organization secure.
Audits associated with any compliance specification consume a lot of time. But for the most part, they have tended to concentrate on the theoretical. Penetration testing represents a significantly higher threshold in terms of achieving compliance. But just because your organization may be able to pass those tests, you should not assume that hackers and other purveyors of malware are going to limit their attacks to the scope of the tests covered within the PCI specification.
Technically, PCI 3.0 goes into effect starting in January of 2014. But like most specifications, there is a fair amount of time before organizations have to show they are in compliance. However, like most tests, cramming for this one the days and nights before is probably not going to lead to a passing grade.