There’s one section in the standard that is more important than any other, says Tom Wills, security and fraud senior analyst at Javelin Strategy and Research. Requirement 6.2 – “apply a risk-based approach for addressing vulnerabilities” – needs to become the over-arching requirement in the entire standard, he says. “This would mean all security controls should be based on carefully assessed risk, and not on following a checklist.”
Security that’s based on actual risk, not on rote compliance, is the only effective strategy to control against financial losses that result from compromised data. Wills wants to see the PCI council take section 6.2 from the middle of the document and put it in a headline position, with every other requirement rolling up to that. “That would send a clear message to the PCI stakeholders that security does not equal compliance, and that putting security first is what we need.