Copyright © 2011 SecurityWarrior LLC - 3 -
DSS document contains slightly over 220 security controls covering both technical and policycontrols, and ranging from vulnerability scanning, through log review and to security awarenesstraining and incident response planning.But despite its success over the last few years, PCI has occasionally influenced security thinkingin less useful ways. Some businesses choose to treat PCI DSS as
ceiling, not a floor, of security
and blindly implement only PCI controls while neglecting all others. Also, other types of datathat businesses use deserve no less protection than payment data. Organizations should notlose focus on other types of secret and sensitive data, both internal and regulated, especiallywhen its loss can be even more damaging than payment data.Today, after a few revisions, PCI DSS stands at version 2.0, which will continue to be the activeversion for the next 3 years. In brief, PCI DSS
12 broad requirements are:
PCI compliance presents a significant challenge to large, distributed businesses. While gettingcompliant is easier than staying in compliance, even that initial assessment often takes monthsof work and thousands of dollars in products and services, as well as internal policy changes.Legacy applications as well as newer virtual and even cloud based applications, falling under PCImandate, present additional challenges.On the other end of the spectrum, smaller, less security aware organizations face their owndramatic PCI challenges, related to costly ongoing controls, such as log monitoring, as well ascontrols requiring extensive security knowledge, such as secure application development. Evenwith simpler security controls such as avoiding default passwords and configuring firewalls,smaller organizations have trouble protecting their data. The recent Verizon Data BreachInvestigations 2011 report, for example, still names password guessing as a key risk to carddata
: ‘“exploitation of default or guessable credentials” is represented in two
-thirds of allintrusions and accounts for nearly one-third of all [sensitive data] records compromised.