From today, Visa is reportedly tightening up its security rules on smaller companies accepting card payments.
In September, a further security mandate will require large-scale card-accepting businesses to be fully PCI DSS compliant from the start of that month onwards.
Infosecurity's sister publication Computer Weekly has just reported that UK-based first aid charity St John Ambulance has installed PCI DSS governance systems from LogRhythm, and other major organizations are also tendering for similar systems.
So what can companies do to meet the needs of what appears to be an increasingly draconian set of PCI DSS standards?
According to Jeff LoSapio, security practice manager for application security specialists Fortify, what is needed is a change of mindset at the SME end of the market.
"Smaller companies accepting card payments need to start thinking like larger scale companies. With cyber threats at an all time high they are increasingly a target and need to take PCI seriously", he said.
LoSapio, previously vice president of Fishnet Security, says the most important aspect of the PCI rules is that companies should regard meeting the security mandate as a best practice requirement that their IT department must achieve.
He adds that the PCI rules are becoming more complex, meaning that any company that accepts card payments should, if they have not already done so, start reviewing their IT security systems to prevent any problems further down the line.
The current (v1.2) rules, LoSapio explained, are split neatly into 12 requirements, grouped into six logically related groups, which are called control objectives.
The first stage in meeting these objectives, says LoSapio, is to check whether the security rules actually apply to your company, whether now or in the future. This can be achieved by going to the PCI Security Standards Council website and using the many audit utilities on the portal.
The site, he says, has a number of resources available to merchants and service providers, including a self-assessment questionnaire, from which companies can better understand whether their organization needs to be compliant with the progressively evolving card security rules.
Coupled with the array of fact sheets on the council's website, LoSapio says that much of the process of preparing for PCI DSS compliance can be achieved before the need to employ a consultant arises.
"By using the range of self-help files and questionnaires on the PCI Council's website, companies can save themselves a lot of expensive legwork in terms of pre-compliance procedures", he said.