Our Thinking

Over the last few weeks, our team of Qualified Security Assessor's (QSAs) has been responding to questions from our clients about how they can maintain PCI compliance while transitioning their contact centers (and associated business processes) to “work from home.” It's not just an important topic, but a very valid one given that most organizations today have never dealt with these kind of business challenges before; they truly are unprecedented. In many cases, just keeping the business operating is paramount and we recognize how many variables are at play today.

Recent events have changed the world we typically wake up to, and it is continuing to change. The ways we interact, the ways we seek necessities, and the ways we conduct business, have all shifted in a very short period of time. 

For many retailers, business is continuing and even trending upwards as consumers shift their shopping habits to online. What doesn't seem likely to change however, is the responsibility that retailers have to protect the consumers' personal information.

As technology continues to advance, it's critical for the security community to respond to the evolving risk for consumer data.

On Tuesday, January 14, I had the opportunity to once again sit the PCI Dream Team’s eighth online session. During this session, we responded to questions from our participants which covered a broad range of concerns.

The Online Team and I had a great time at the PCI Community meeting last week, set in the spectacular environs of Vancouver BC. We ate and drank, pontificated, watched ferries and seaplanes come into the harbor (my inner 8-year old self couldn’t resist and I booked a flight out on one), and had a generally spectacular time networking with old and new friends in the payment security space.  While there were far too many interesting presentations and conversations to put into one place, I had a few takeaways that I felt were worth sharing. In no particular order:

Although 2019 promises a new version of the Payment Card Industry Data Security Standard (PCI DSS) the current version 3.2.1 is the de facto standard for measuring security programs for all merchants and service providers that participate in commerce using credit or debit cards.

There are twelve major requirements in the PCI DSS, and considering the complexity of the material we have chosen to dedicate individual blogs to the different requirements. The focus of these blogs will be to provide tips and pointers, help provide clarity for “what’s new” and to enhance understanding so that your organization can achieve a sustainable security posture that easily satisfies the requirements of the PCI DSS.

Password complexity and authentication has always been a subject of contention both for users and system  administrators. Many assume that forcing users to create more complex passwords, and changing them frequently,   will lead to greater system safety - in theory this may be true. Given human nature, things rarely go as planned and research has shown that forcing users to comply with these additional requirements has actually had a detrimental effect on system security.