
2015 Outlook: PCI and Security for Merchants

01/07/2015  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


Social Logo Social Logo Social Logo Social Logo

2014 was a big year in the information security space. As we enter the new year, the LBMC Security Services team is reviewing the major issues and events of the year gone by, and offering up our predictions for the topics and considerations that will be at the forefront during 2015. In this post, I’d like to revisit the most notable trends related to PCI compliance and merchant security in 2014 and provide some thoughts on two possible outcomes for 2015. (An obvious “crystal ball” prediction for the upcoming year would be to predict the migration to EMV solutions in the US, but since that’s already been mandated for late 2015, it would be cheating to include that in a prognostication list.)

A Transitional Year for PCI

2014 marked a milestone for the PCI standards, which impact every organization that processes, stores, or transmits credit card data. Over the course of this last year, merchants could choose to demonstrate compliance against either Version 2.0 of the standards, which had been available for several years, or the new Version 3.0. Many companies stuck with what they knew, assessing their security against Version 2.0, but that’s done now – as of January 1, 2015, Version 3.0 is the one rule of the land when it comes to credit card security.

Merchants who have yet to switch over will need to ensure that their security measures are up to date with the latest requirements, including new rules on Point of Sale (POS) devices. We’ve covered several of the new 3.0 rules in depth here on the LBMC Security Services blog in posts throughout 2014. PCI Version 3.0’s additional focus on POS devices proved to be timely, as this year saw Point of Sale vulnerabilities becoming something of a theme.

Malware similar to the software that facilitated the Target breach in late 2013 emerged again and again in 2014 retail breaches, infecting POS devices in similar ways. Among the most notable of these breaches was the attack on Home Depot. In response, the FBI issued a malware warning for retailers running certain POS systems on Windows-based machines.

Two Potential Futures

When I think about PCI in 2015, I can’t help thinking about two possible futures: what should happen, and what probably will happen. Here’s what needs to happen: in 2015, organizations need to start taking a risk-based approach to security. They need to begin making decisions about information security programs based on a risk assessment performed by security experts, so they can identify the situational risks that are specific to their particular company, business environment, and industry.

Once that information is available, they can make well-informed decisions about which risks to address, and how to properly address them. Taking this approach will ensure reasonable and prudent security measures are in place to address risks, and will therefore also ensure compliance obligations are met. Many organizations are doing this. But many aren’t, and we’re going to continue to see a high rate of major breaches and attacks as long as businesses fail to make risk-based decisions about information security. Which leads me to the other future – the one I fear may happen.

In 2015, many organizations may continue to implement the minimum security measures required to comply with relevant regulations, obligations, or audits. Their security programs may continue to be driven by compliance obligations, focused mainly on “checking the box” and doing just enough to satisfy the regulator or auditor, rather than addressing security issues based on risk. And as attacks continue to evolve, these organizations will be more and more vulnerable, because compliance with a regulation doesn’t necessarily equate to good security and risk management. Often, it takes a serious breach to drive home the importance of proper and effective security for a given organization. For those security professionals who are working in an organization that fits the second profile (the one that is compliance driven), there is a ray of hope.

After the high-profile breaches of 2014, some board-level decision makers are beginning to recognize the necessity of robust security, and they are asking questions about a company’s security posture, raising the topic’s visibility among senior executives, and compelling the company to address security head-on. If these leaders can drive a focused conversation about security and help organizations take key steps like conducting risk assessments and acting on the results, businesses may be able to identify their key risks and address problem areas according to their budgets. With strong leadership in the boardroom and the executive suite, 2015 can be a year defined by the rise of a more responsible approach to security, with merchants more effectively protecting their customers and their businesses.
