What does the time delay on the new PCI DSS mean?

When the Payment Card Industry Security Standards Council (PCI SSC) updates the security standard for organisations that handle cardholder data, the PCI DSS, it often triggers an industry-wide frenzy to dissect the implications of the changes for businesses, as is the case with the latest update, PCI DSS 3.2. While it does represent an essential shift to protect against fast-moving cyberthreats, the fact that it will take up to two years for companies to become compliant shows how vulnerable many will be for the foreseeable future.

The implications of the new PCI DSS

Historically, PCI DSS requirements have not been dynamic enough to keep up with the pace of change in the contemporary cybersecurity landscape, whereas the new rules favour regular incremental updates that keep in step with the changing security environment. This will help businesses to protect some of their most valuable data from the agile threat of cyberattack.

However, by setting a two-year window to become compliant, the PCI SSC may have inadvertently set up a period of greater confusion for end users. Adherence to the changes outlined in the update will merely be considered best practice - and not a requirement - until February 2018. Cloud providers that are compliant only with versions of the PCI DSS older than 3.2 will be leaving their customers more vulnerable to attack, and the fact that it will take some of them up to two years to meet the requirements shows just how far behind many cloud providers are.

There will inevitably be providers who leave it as long as possible to update their systems and processes to meet these requirements; this poses inherent risks to the security of their customers’ data. End users will therefore need to take extra care to ensure that their data is adequately stored and protected, and that third-party providers guarantee a high degree of security and compliance.

What if you don't comply?

Non-compliance with the PCI DSS can not only lead to punitive fines, but can also result in breaches, with attackers gaining access to customers’ cardholder data. These can have severe consequences for an organisation – in reputational damage, in lost customers, and even occasionally in legal measures. It therefore pays for organisations to approach compliance with the gravity it deserves, working with providers who have a strong security culture imprinted in their DNA.

The PCI DSS Security Council seeks to protect cardholder data by ensuring that all merchants abide by certain levels of security when handling this data. The PCI SSC intermittently updates the compliance requirements according to its own timetable. The Security Council’s U-turn of December 2015 revealed the faults inherent in this approach: the date by which organisations that handle cardholder data must migrate their cryptographic protocols was postponed by two years after it became clear that the original deadline was unrealistic.

Feedback from security experts and the global PCI community acknowledged that making this change so rapidly was simply unrealistic. The furore around this U-turn made it clear that these occasional yet abrupt updates imposed major system changes on organisations without regard for the agility of the modern cyberattacker and the unpredictability of the security climate.

From this perspective, the incrementalism of PCI DSS 3.2 is welcome, enabling the standard to track changes in the security environment more closely. Businesses that hold cardholder data face a dexterous and elusive threat in the form of the modern cyberattacker, but the new incremental approach should ensure ever-greater protection. The PCI SSC’s old approach simply was not dynamic enough to reliably combat this danger.

Is your data secure enough?

However, with a two-year window for compliance, end users will need to be both cautious and proactive in securing their payment data. As with December 2015’s U-turn on cryptographic protocols, the two-year window indicates that many organisations are potentially quite far behind in their approach to cardholder data security and that there could be corresponding vulnerabilities in their systems. Businesses can fortify themselves by doing their due diligence to ensure that their payment providers understand the consequences of PCI DSS 3.2 and comply with the updated standard.

Chris Scott, Programme Director at The Bunker
