Learn how to adhere to the PCI security standard by automating regulatory compliance and best practices reporting typically used to identify and validate IT configuration changes throughout operating systems, database management systems, applications and network devices.
WHITEPAPER
Using Automated, Detailed Regulatory Compliance and IT Best Practices Reporting to Achieve and Maintain Compliance with the Payment Card Industry (PCI) Data Security Standard
Alex Bakman, Chairman and Chief Technology Officer, Ecora Software

Introduction

Until recently, ensuring compliance was most often viewed as an event rather than as a critical, ongoing business process. Taking a tactical approach, an organization would learn of an upcoming audit and then begin to prepare documentation and gather information in what was often a time-consuming and cumbersome manual process.

Today, however, with the growing pressure of government compliance requirements and industry regulations, ensuring continuous compliance needs to become integrated into the way an organization does business. And, as is the case with any integrated business process, the ability to simplify and automate the process has become essential.

One new standard that is changing the way many organizations operate is the Payment Card Industry (PCI) Data Security Standard.

When customers use their bankcard at the point of sale, over the Internet, on the phone, or through the mail, they want assurance that their account information is secure. To that end, in June 2001, Visa developed the Cardholder Information Security Program (CISP), a mandated security program for large Internet merchants. In 2004, all major bankcards (Visa, MasterCard, Discover, and American Express) agreed to adopt a single, unified security program as the standard for data security. The new standard, called the Payment Card Industry Data Security Standard or PCI, is intended to protect cardholder data wherever it resides or is transmitted, and requires that merchants and service providers that store, process, or transmit cardholder data meet specific security requirements. Ultimately, PCI offers a systematic approach to safeguarding sensitive data for all card brands.

Why Is PCI Compliance Important?

Ensuring compliance with the PCI standard is important for a number of reasons, but perhaps the most significant reason is to protect brand reputation. The public scrutiny that accompanies any breach in security can be very damaging to an organization's image. Any organization doing business in California, for example, is required to disclose any security breach publicly under state regulation CA-1386, and there is no faster way to lose customer confidence than to be forced to report publicly that credit card numbers have been stolen. In fact, a recent study by the Ponemon Institute reports that data breach disclosures, in time, will result in the loss of as many as 20 percent of existing customers. Some organizations have even been forced out of business by a violation of the PCI Data Security Standard.

Who Must Be In Compliance?

At the most fundamental level, any company that comes into contact with credit card information must be in compliance with the PCI Data Security Standard.

There are varying levels of compliance proof or validation, however, with specific requirements for merchants and specific requirements for service providers, as well as various levels based on the number of transactions processed annually. A merchant that processes more than six million Visa transactions each year is assigned to "level 1," as is an organization that has experienced a security breach, for example. Those at level 1 are subject to significantly higher levels of scrutiny than merchants at level 2, 3, or 4.

For service providers, there are three levels of compliance. Level 1 encompasses members and non-members of all payment gateways. Level 2 is made up of service providers who process more than one million transactions annually, and level 3 includes any service providers who are not in level 1 and who do less than one million transactions in any given year.

Audits for PCI compliance vary depending on a merchant's or service provider's level.

- Merchants at levels 1 - 3 and all service providers must complete a quarterly network scan through a certified PCI vendor. Auditors then present the results of the scan to the compliance agency.
- Merchants at level 1 and service providers at levels 1 and 2 must also complete an annual on-site security audit.

Even compared to Sarbanes-Oxley, Gramm-Leach-Bliley or HIPAA audits, the PCI on-site audit is very thorough and tightly managed by the governing body. Ideally, preparation for this audit should be automated.

- Merchants at level 2 and 3 and s...