The Payment Card Industry Data Security Standard (PCI-DSS) has now been around for over six years, but every day we speak to organizations that have yet to implement any PCI measures. So what is the real effect of PCI compliance, and why should any company spend money on it while others are avoiding it?
Often the pushback comes from Board level, asking for a clear-cut justification for the PCI investment. Other times it comes from within the IT department, which wants to avoid the disruption PCI measures will cause.
Regardless of where the resistance comes from, the consensus is that adopting the standard is a sensible thing to do from a security perspective. But, like so many things in life, the common-sense view is outweighed by the perceived pain of achieving it. This thinking is often referred to as 'The Seat Belt Paradox', more of which later.
Add to this the anecdotal feedback that, whilst the Acquiring Banks (payment card transaction processors) promote the need for PCI measures, they seldom have the focus and continual drive to monitor the status of compliance, making it only too easy for Merchants (anyone taking card payments) to carry on just as they are.
Prioritizing PCI Measures
With 12 headline Requirements covering 230 sub-requirements and around 650 detail points, encompassing technology, procedure and process, there is no denying that the PCI-DSS is complex and is likely to cause disruption. But the benefits ultimately outweigh the pitfalls, particularly when there is a manageable route to compliance that follows the 'How do you eat a whale?' philosophy (one piece at a time, in case you were wondering).
This 'prioritized approach', advocated by the PCI Security Standards Council, focuses attention on the most important 'biggest bang for buck' measures first, with the remaining measures broken into five further levels of priority.
We would also always advise that, in order to control costs and minimize disruption, you understand the context and impact of each aspect and work out which other Requirements can be taken care of by implementing the same measure. For example, file integrity monitoring is specifically mentioned in Requirement 11.5, but in fact it applies to numerous other Requirements throughout the standard. The device hardening measures laid out in Requirement 2, for instance, all come back to file integrity monitoring: configuration files and settings need to be assessed for compliance with best practices, and once a device has been hardened it is vital that monitoring is in place to ensure there is no 'drift' away from the secure configuration policy adopted.
Similarly, log management and the need to securely back up event logs from all in-scope devices may only be detailed in Requirement 10. However, using event log data to trace where changes have been made to devices and user accounts is a good way of auditing the effectiveness of your change management processes: every change the monitoring detects should be traceable to an approved change record, and any that is not is either an unauthorized change or a gap in the process. Tracking user activity via syslog and event log data is usually seen as a means of providing the forensic audit trail for analysis after a breach has occurred, but used correctly it can also act as a powerful deterrent to would-be insider attackers if they know they are being watched.
As evidence of the value of this approach, implementing firewall and anti-virus measures properly, with checks and balances provided via automated event log processing and file integrity monitoring, gets you around 30-35% of the way to compliance before you do anything else.
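The two points above (detecting drift from a hardened configuration, and checking detected changes against the change-management trail in the logs) are mechanical enough to show in code. The following is an added example written for this page; it is not code from the original article and not NNT's product. It baselines a directory of configuration files by content hash and permission bits, reports drift, and reconciles each changed file against approved-change records parsed from constructed syslog-style lines. The log line format, the CHG- ticket numbers, the file contents and the paths are all assumptions made for the example.

```python
"""Minimal file-integrity monitor with change-management reconciliation.

Added example for this page, not the article's or NNT's code. The log
format, tickets, paths and file contents below are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Constructed syslog-style change-management records (hypothetical format).
CHANGE_LOG = [
    "Jan 14 09:12:01 bastion change-mgmt: CHG-1042 approved path=/etc/ssh/sshd_config user=alice",
    "Jan 14 09:40:55 bastion change-mgmt: CHG-1043 approved path=/etc/sysctl.conf user=bob",
]
CHANGE_RE = re.compile(
    r"change-mgmt: (?P<ticket>CHG-\d+) approved path=(?P<path>\S+) user=(?P<user>\S+)"
)


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file under root (as an absolute-style path) to (sha256, permission bits).

    Permission bits are part of the baseline because a hardened file that is
    silently made world-readable is drift even if its content is unchanged.
    """
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_of(full), os.stat(full).st_mode & 0o777)
    return baseline


def detect_drift(before, after):
    """Return files added, removed, or changed (content or mode) since the baseline."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def approved_paths(log_lines):
    """Extract path -> ticket for every approved change found in the log lines."""
    approved = {}
    for line in log_lines:
        m = CHANGE_RE.search(line)
        if m:
            approved[m.group("path")] = m.group("ticket")
    return approved


def reconcile(drift, approved):
    """Split detected changes into those covered by a change record and those that are not."""
    changed = drift["added"] + drift["removed"] + drift["modified"]
    return {
        "approved": {p: approved[p] for p in changed if p in approved},
        "unapproved": [p for p in changed if p not in approved],
    }


def demo():
    """Build a hardened tree, introduce three kinds of drift, and reconcile them."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            full = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
            os.chmod(full, mode)

        # Hardened state, as it would look after applying the Requirement 2 measures.
        write("/etc/ssh/sshd_config", "PermitRootLogin no\nPasswordAuthentication no\n", 0o600)
        write("/etc/sysctl.conf", "net.ipv4.ip_forward = 0\n")
        write("/etc/shadow", "root:*:19000:0:99999:7:::\n", 0o400)
        baseline = build_baseline(root)

        # Later: an approved edit, a permission-only change with no ticket, and a new file.
        write("/etc/ssh/sshd_config",
              "PermitRootLogin no\nPasswordAuthentication no\nMaxAuthTries 3\n", 0o600)
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        write("/etc/cron.d/backdoor", "* * * * * root /tmp/x\n")

        drift = detect_drift(baseline, build_baseline(root))
        return drift, reconcile(drift, approved_paths(CHANGE_LOG))


if __name__ == "__main__":
    drift, report = demo()
    print("drift:", drift)
    print("reconciliation:", report)
```

In the demo the sshd_config edit is matched to CHG-1042 and is treated as expected, whereas the loosened mode on /etc/shadow and the new cron entry have no change record and surface as unapproved, which is exactly the list a reviewer of the change process wants to see. A real deployment would store the baseline somewhere the monitored host cannot alter it and would read the change records from the log collector rather than an inline list.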
The Future of PCI-DSS
The PCI Security Standards Council insists that PCI is more about security than compliance. And it really does work: implemented correctly, the PCI-DSS will keep cardholder data protected.
In the future, neglecting PCI compliance measures could mean you are gambling with even higher stakes. With PCI being such a comprehensive framework, big thinkers are arguing that PCI compliance should be leveraged to provide security for ALL company information as a whole and to protect against the mainstream problem of identity theft. Losing cardholder data is one thing, but risking your customers' personal information is potentially far more damaging, and your customers will not thank you if you have been irresponsible.
This is certainly the case in Europe where, at the recent PCI Security Standards Council meeting in London, the United Kingdom Government's Information Commissioner's Office recommended that organizations should look to implement PCI for general data protection. This is echoed across Europe, where ISO 27001 is taken far more seriously, especially in Germany, where the snappily entitled 'Bundesdatenschutzgesetz' (or BDSG, the Federal Data Protection Act) has real teeth.
If a German organization loses the personal information of its customers then it is required by law to notify those affected and, where notifying them individually would be disproportionate, to 'confess' publicly by placing at least half-page advertisements in at least two national daily newspapers, informing the public of the potential fraud they have been exposed to. Even if you do not believe in the power of advertising, you would not want to test what this kind of publicity does for your brand and your sales.
The closest parallel in the US is the Nevada 'Security of Personal Information' law: Nevada Senate Bill 227 specifically states a requirement to comply with the PCI DSS. Similarly, Washington House Bill 1149 (effective July 1, 2010) "recognizes that data breaches of credit and debit card information contribute to identity theft and fraud and can be costly to consumers".
Which brings us back to the 'Seat Belt Paradox'. Fifty years ago, the State of Wisconsin introduced legislation requiring seat belts to be fitted to cars. But very few people used them, because they were uncomfortable and slowed you down when starting a journey, even though most would admit they were a good idea.
So it was only in 1984, when the first US state (New York) made the wearing of a seat belt compulsory, that the real benefits were realized. Only then did common sense become standard practice. Maybe personal information protection needs the same treatment?
NNT is a leading provider of PCI DSS and general security and compliance solutions. As both a file integrity monitoring software manufacturer and a security services provider, we are firmly focused on helping organisations protect their sensitive data against security threats and network breaches in the most effective and cost-effective manner.
NNT solutions are straightforward to use and offer exceptional value for money, making it easy and affordable for organisations of any size to achieve and retain compliance at all times. Each product has the rules of the PCI DSS at its core, which can then be tailored to suit any internal best practice or external compliance initiative.