Has everyone forgotten about the poor old PCI standard?

2 minute read

2018 - The year of GDPR and the NIS Directive…

2018 seems to be the year when the panoply of cyber security standards comes into effect. Over the last few months, it’s been impossible to avoid hearing about GDPR, the replacement for the existing Data Protection Act, as its implementation date of 25th May 2018 approaches. If you are looking for more advice on GDPR there is advice on the ICO’s website (The ICO or Information Commissioner’s Office, the UK’s data protection regulator).

In the run-up to Christmas, the NIS Directive (Networks & Information Systems Directive) – the cyber security standard for our critical national infrastructure - has been receiving some attention, with the bill due to go through parliament in April for a start date of 10th May 2018. For more information on the NIS Directive, click here for the NCSC’s guidance.

…But also the year of PCI 3.2

So, it wouldn’t be a surprise if some people had forgotten that 1st February was the effective date for the new elements of the latest PCI (credit card) standard, version 3.2. The PCI Council’s CTO, Troy Leach, has written a blog discussing the changes between versions 3.1 & 3.2 (The PCI Council also publishes a summary of the changes between 3.1 & 3.2 on its main site but access to this document is chargeable).

PCI Version 3.2 was published by the PCI Council back in 2016, with everyone being given a period of grace to achieve the new elements of the standard, much like GDPR. Unfortunately, the publicity given to these other standards has diverted attention away from PCI. Controls 10.8 & 10.8.1, for instance, highlight the need of card payment processors to have the capability in place to continuously monitor and detect cyber security breaches that affect the security of credit card data. So, the message is clear, that continuous monitoring, detection and risk mitigation is recognised as crucial, forming a key part of each of these standards.

e2e-assure Protective Monitoring and SOC Services

These changes recognise that cyber security is becoming both more complex and of greater importance to us all. GDPR is replacing the current Data Protection Act to enhance the protection of personally identifiable information, recognising that there are far more types of information that can be used to identify an individual. The NIS Directive emphasises the need to protect against cyber attacks on critical national infrastructure, such as our transportation networks and utilities against nation state and organised crime-initiated cyber attacks. PCI or the Payment Card Industry Council focuses on the protection of our credit card information and again has updated its standard to upgrade the controls required of card processors.

All of which is leading to much greater interest in what we do, with more and more people coming to talk to us about how our Protective Monitoring and SOC Service can not only address the immediate needs of compliance but also ensure that they maintain and optimise the effectiveness of their existing security measures. That capability is being recognised by our growing customer base of high-profile organisations large and small from a wide variety of sectors. For more information on our continuous monitoring, detection and cyber defence services see our website.

Our unique offering of highly skilled, qualified and motivated people, using our very own modern, comprehensive toolset designed specifically for the task, following highly-tuned and effective processes is proving hugely attractive. We’d love the chance to show you how we can help you address the challenge.

Updated: