Volume 13, Number 23 -- August 20, 2013

PCI 3.0 Gets Positive Initial Reviews from Security Pros

Published: August 20, 2013

by Alex Woodie

For many IT professionals, the letters "PCI DSS" conjure painful memories of invasive audits of internal systems that, in the end, generated hundreds of billable hours for compliance experts but did little to actually boost security. While the PCI 3.0 standard that was previewed last week won't eliminate deep scrutiny, it may actually boost security, experts say.

The PCI Security Standards Council (PCI SSC) last week issued a preview of version 3 of the Payment Cardholder Industry Data Security Standards (PCI DSS). According to the PCI SSC, the new standard "will help companies make PCI DSS part of their business-as-usual by introducing more flexibility, and an increased focus on education, awareness, and security as a shared responsibility."

To that end, the PCI SSC highlighted several changes that are on tap for PCI DSS 3.0. These include: building security policy and operational procedures into each requirement; providing guidance for all requirements; giving more flexibility around password strength and complexity; delivering new requirements for point of sale (POS) terminal security; adding more robust requirements for penetration testing and validating segmentation; delivering new considerations for cardholder data in memory; providing better testing procedures; and requiring software vendors to achieve compliance, including threat modeling.

One security expert applauding the changes is Philip Lieberman, CEO of security software company Lieberman Software. "The new PCI 3.0 standard is long overdue," Lieberman said in a written statement. "For most merchants, the existing PCI standard is one-time pain per year where things are cleaned up, and the bad security practices return almost immediately after the auditor leaves."

The new standard also appears to recognize that perimeter breaches are a regular occurrence and that additional focus is needed on securing databases and applications, not just the network. "Given that the perimeter is no longer secure, the only real mitigation is to have persistent controls within the interior that are both human and technological to minimize losses," Lieberman said.

By moving the focus toward implementing good security processes and away from compliance, the new PCI standards will hopefully put merchants on the right track toward protecting their data. This should, at the same time, help security software companies while hurting unscrupulous auditors, Lieberman said.

"The old PCI standard generated very little business for us and little security for merchants," he said. "It was a boon to auditors and charlatans that provided PCI certifications for boatload of money yet delivered little to nothing of any real value to their clients."

That sentiment was echoed by Pierluigi Stella, CTO of managed security services provider Network Box USA. "I'm incredibly relieved to hear that PCI needs to be more focused on security and less on filling up check marks to reach compliance. Because, as I've stated on numerous occasions, compliance doesn't make you secure, while security will likely make you compliant."

The PCI 3.0 standards are still up for review by the PCI community and are scheduled to be officially published in November.


Copyright © 1996-2013 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
