We live our lives hoping that we will never need to make claims on our insurance policies. Whether that is home, motor, life or phone, making a claim generally means something isn't how it should be. Ultimately, a policy is there to protect something of value to us, and as the world in which we live changes, the information you hold and the systems you run your business on are valuable assets too - so is now the time to think about cyber insurance?
Outsourcing PCI DSS controls to third parties can hugely support a merchant's (or service provider's) PCI DSS compliance program, and it can be a great thing if you want to leverage any SAQ reduction criteria, meaning you have fewer controls to complete yourself, so less cost and less complexity; always a good thing, BUT you must have a handle on your service providers if you want to take this route.
There’s a critical date approaching in the PCI DSS calendar. Some of you may be wondering “what date could possibly be that important?”
Risk Assessment is a core feature of most modern security considerations, including the PCI DSS. Featuring as Requirement 12.2, it splits into two parts:
- There is a documented process resulting in a formal, documented analysis of risk.
- The process is performed at least annually (or upon significant change).
Unlike other areas of the PCI DSS, which are very prescriptive, on first reading this requirement doesn't appear to relate much to the rest of the PCI DSS, but don't be fooled.
I am sure many of you are reading this title thinking "what is he talking about, v3.2 went live ages ago", and you would be correct; however, version 3.2 of the PCI DSS continues with the concept of future-dated requirements, meaning the one-year countdown to the 31st January 2018 has begun.