Online credit card transactions are set to run in virtual environments, and the second edition of the Payment Card Industry Data Security Standard (PCI DSS 2.0) now takes virtualization into account when setting the required level of security. The standard requires any organization that handles payment card data to meet minimum security requirements in order to process card transactions. Depending on the size of the organization, the annual compliance validation is handled either internally or externally by an independent Qualified Security Assessor (QSA).
The PCI DSS definition of system components, and Requirement 2.2.1 (one primary function per server), now explicitly cover virtualized systems, with guidance on how compliance applies in virtual environments. A PCI Special Interest Group made up of merchants, auditors, financial institutions and others contributed to this work, helping to clarify how the standard is affected by these environments.
The changes to the document are minor, but they include a risk-based approach to mitigating vulnerabilities, clearer guidance on scoping PCI assessments, and more detail on secure application coding standards. Version 2.0 should raise no new issues, but organizations must still consider the implications of implementing the updated standard.
The lesson from past experience is simple: investing in controls to address PCI is an opportunity to improve overall security. PCI has raised awareness of data security risks and has driven substantial investment in data-security processes and technology, with a positive effect on security as a whole.
Although the PCI DSS release cycle has run between two and three years, the standard does not risk becoming redundant before each update, according to Kane Lightower, Regional Sales Director at Imperva. He said the standard enforces a minimum security benchmark and rejected claims that it amounts to a hacker's playbook.
Lightower also said that an organization's security should not rest entirely on compliance. While compliance has matured considerably, Australia has no data breach disclosure laws, which allows more leniency: because data breaches and their consequences in Australia have not been as severe as in the U.S., the pressure to comply has not been as strong. A recent Verizon Business report found that only 22% of the organizations surveyed were fully PCI DSS compliant.