mgorman
Contributor II

Compliance dropping for PCI-DSS, and an interesting quote

Came across this article, and while the compliance dropping didn't surprise me, there was one quote that I think is gold for those working in the field and trying to make the argument for resources, etc.

 

“Our data shows that we have never investigated a payment card security data breach for a PCI DSS-compliant organisation. Compliance works.”

 

https://www.computerweekly.com/news/252473828/PCI-DSS-payment-security-compliance-drops-again

 

5 Replies
Steve-Wilme
Advocate II

And DSS v4.0 is just around the corner. So currently compliant organisations may become non-compliant all over again. A new version means more vendors clamouring to offer point solutions, bigger fees for QSA companies, etc. And yet so many organisations haven't got basic security hygiene right yet.

 

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
emb021
Advocate I


@Steve-Wilme wrote:

And DSS v4.0 is just around the corner. So currently compliant organisations may become non-compliant all over again. A new version means more vendors clamouring to offer point solutions, bigger fees for QSA companies, etc. And yet so many organisations haven't got basic security hygiene right yet.

 

 


And what I have heard is that v4 will be very different from 3.x, which will add to all this.

 

 

---
Michael Brown, CISSP, HCISPP, CISA, CISM, CGEIT, CRISC, CDPSE, GSLC, GSTRT, GLEG, GSNA, CIST, CIGE, ISSA Fellow
jimscard
Newcomer III

PCI DSS v4.0 is at least a year away, and is expected to change quite a bit from the draft currently being reviewed by stakeholders under NDA.

Jim Scardelis, M.S., CISSP, CISA, CEH, PCI Secure Software, Secure SLC, P2PE, P2PE Application & 3DS Assessor, PCIP, CIPP/US, CIPP/C, CIPP/E, CIPT, CTT+
Any views or opinions contained in this communication are solely those of the author.
Caute_cautim
Community Champion

What is PCI DSS without compliance? Many of the banks indicate to their lower tiers that they must demonstrate their adherence to the controls and improvements. But the banks themselves, in many cases, do not uphold the same level of compliance or simply ignore it. It appears that, as long as the banks themselves do not fall foul of a security breach, they are exonerated. Well, it appears that way in New Zealand from my perspective. Or will Open Banking be a new chapter or a new dawn?

 

Regards

 

Caute_cautim

Steve-Wilme
Advocate II

v4.0 is out in draft.

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS