PCI DSS v3.0 – the marketing game
It seems a few service providers are jumping on the bandwagon, getting PCI DSS v3.0 compliant, and then pushing the message out to their potential and existing client bases saying v3.0 is better than v2.0 and that they’re obviously far more secure than other suppliers that only have v2.0 certification.
PCI DSS v3.0 and PCI DSS v2.0 are two ways of measuring exactly the same thing, and unless miraculously these providers might have invested in doing security properly and going above and beyond PCI DSS, it seems PCI DSS is still the security bar to hit when it comes to marketing one’s services.
It’s not an arms race – companies have until the end of 2014 to validate using v3.0 and should not be pressured to bring forward audit dates, spend more money on QSAs and validation efforts, and being “one of the first”. If it just so happens that January is your annual submission date, then the fact that this must now be done according to PCI DSS v3.0 should be irrelevant.
Concentrate on proper security, and not just compliance – there are bigger business risks to look out for.