PCI Security Standards Council Cements Position on Executive Responsibility for Data Security

The PCI Security Standards Council (SSC) recently compiled some resources on how to create a Culture of Cybersecurity. These resources reflect changes made to the PCI Data Security Standards (DSS) that require executive responsibility for data security. The PCI SSC regularly updates its standards based on feedback from the PCI Council’s more than 700 global participating organizations as well as data breach report findings and industry changes.

The most recent release of the PCI DSS brought many updates, including requirements for two-factor authentication to access the PCI segment of a network, regardless of how the access occurs. This update closes a loophole that allowed cybercriminals to gain access to PCI segments of the network by compromising single-factor access to non-PCI segments of the network.

Also updated in the most recent release was Rule 12.4.1, which requires a named member of executive management to be responsible and accountable for the maintenance of PCI DSS compliance. Numerous reports indicate a correlation between executive ownership of data security and greater detection and management of risks and threats; PCI SSC’s new guidelines cement its position on creating this accountability and recommend a transformative change in creating a culture of security.

Best Practices for Implementing a Security Awareness Program

The PCI Council recommends following its Best Practices for Implementing a Security Awareness Program and, as part of becoming an organization that reduces risk “every day, year-round, not just at assessment time,” including layers of technology to protect customer data, such as EMV chip, tokenization, and point-to-point encryption. Of course, you’ll also want a layer of technology to ensure all the other critical layers in your security program are working, plus a way to remotely delete data that may be at risk on an endpoint device (even if held in the cloud). We can help with that through our Application Persistence, plus the visibility and control provided by Absolute Data & Device Security.

Take back control: see and secure all of your data, devices, and applications with Absolute.