How PCI DSS acts as an (informal) insurance policy
We are firmly in the post-digital era, and the number of data breaches continues to increase in proportion to the volume of data being generated. This data is central to our business strategies. Organizations need every possible advantage if they hope to stem this tide and protect their value and reputation.
Unfortunately, this worrying trend in data breaches is not matched by an increase in organizational readiness. Many organizations are seriously underprepared and, even to this day, fail to implement the basic security measures needed to prevent cyber and similarly damaging incidents.
Enter industry frameworks, including the likes of PCI DSS (view my PCI-DSS course in Infosec Skills) and ISO27000!
Get your free course catalog
What exactly is it?
The Payment Card Industry Data Security Standard, or PCI DSS, is a set of measures (technical, procedural and, very importantly, cultural) that are designed to help protect customers’ data and (incidentally) reduce credit card fraud.
Non-compliance can be complicated and expensive!
Why the fuss?
PCI DSS as an industry framework has numerous benefits for organizations implementing its requirements. In addition to providing a framework for implementing best-in-breed information security, PCI DSS has other (and you could argue for, intended or unintended) consequences.
To the man on the street and the regulator alike, implementing PCI DSS is a show of the organization’s:
- clear intent and discipline, especially when they are making data a strategic organizational priority;
- priority and focus on what matters to the customers, investors and business partners; and
- risk maturity, by virtue of having a clear roadmap and metrics for the systematic implementation and monitoring of risks relating to information security.
Formal and informal insurance policies
A disclaimer right out the gate is that any references we make to PCI DSS as an (informal) insurance policy should not be confused with actual cyber liability insurance policies. There is still a place for these policies, which cover the organization’s liability in the event of a cyber incident. To be clear, they are non-negotiable.
Cyber liability insurance provides coverage for assessments, fines or penalties imposed by banks or credit card companies due to non-compliance with the Payment Card Industry Data Security Standard (PCI DSS) or payment card company rules. And, because most insurance carriers that offer this type of insurance are global, it is advisable to implement universally recognized IT security best practices.
Enter PCI DSS as a commonly accepted industry gold standard, which gives all stakeholders (customers, investors, regulators and business partners alike) the warm and fuzzies by offering the comfort that the organization has been and remains intentional about its accountabilities as a processor of sensitive personal information.
I like to classify PCI DSS as “informal insurance” because, although most country data protection legislation refers to a need to put in place “appropriate security safeguards”, they are not prescriptive as to the type of controls.
For example, in CPRA 1798.100. (d)(5)(e) “A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification,…”
Because “reasonable” is open to interpretation, it becomes harder to enforce consistently. Another reason is that, due to the sheer diversity of the available security safeguards and the size and complexity of different organizations, there is no one size fits all. This opens the door to the prospect of self-regulation by industry players when determining “reasonable security procedures,” a cause to which PCI DSS lends itself comfortably due to the prescriptive nature of its control framework.
The regulator’s angle
Globally, data protection legislation has, at its core, a clear requirement for organizations to protect the information in their custody from unauthorized access. For example, Article 32 of the GDPR explains that “In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular, from an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
An important aspect of the GDPR is its emphasis on preventing unauthorized access to sensitive information. The PCI DSS delves into this prescriptively and at length to remove ambiguity. For more details, refer to Requirements 7-10 of version 3.2.1 of PCI DSS.
On a side note, starting from March 31, 2024, PCI DSS version 4.0 comes into effect, while some of the provisions under this version will only become mandatory after March 31, 2025. One of the biggest changes in version 4.0 is that it allows businesses the flexibility to implement alternative technical and administrative controls as long as they meet the broader control objectives, it doesn't take anything away from the robust control framework that is PCI DSS.
Because it is an industry-standard and not a law, even with the latest version, non-compliance with PCI DSS would technically not be considered an infringement of regulatory requirements. However, compliance or implementation of the critical data protection requirements of PCI DSS is certain to be viewed favorably by authorities as a clear statement of intent.
An important thing we’ve observed about regulators investigating a data breach is that they no longer focus solely on the breach itself. Instead, they are particularly keen on understanding what protective measures the breached organization has in place. In addition, they are interested in how well prepared and how effectively the organization can respond to such incidents.
In closing
It’s not surprising that regulators tend to see the implementation of PCI DSS-strength data protection controls as clear evidence of an organization’s discipline and risk maturity when it comes to protecting the interests of the public by safeguarding their data. These are factors considered when determining the size of a regulatory fine or the seriousness of a regulatory sanction. Now, if that isn’t an informal insurance policy, what is!
View my course on PCI-DSS for Developers in Infosec Skills to learn more.
Sources
- General Duties of Businesses that Collect Personal Information, CPRA
- Art. 32 GDPR – Security of processing - General Data Protection Regulation, Intersoft Consulting
- PCI DSS v3.2.1 Quick Reference Guide, PCI Security Standards Council
- What's New in PCI DSS v4.0?, PCI DSS Guide
- When Cyber Insurance Meets data privacy legislation, Ken Chickwanha Linkedin
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- How PCI DSS acts as an (informal) insurance policy
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing