The greatest risk to credit card data is constantly evolving exploits that target both technical and administrative vulnerabilities in information systems. The Payment Card Industry Data Security Standard (PCI DSS) addresses those vulnerabilities, specifically those affecting sensitive cardholder data, and sets forth requirements companies must meet to minimize the impact of those vulnerabilities on security. The PCI standard requires continuous validation of security efforts, so companies complying with PCI DSS can't simply implement solutions and then forget about them.
Experience has shown that PCI DSS compliance is most successful when it's coordinated with corporate business processes. Integrating the DSS with corporate security standards ensures that security controls are rigorously enforced and remain consistent with PCI requirements. Such coordination also contributes to more cost-effective auditing, a stronger enterprise security profile, and a more streamlined and reliable IT infrastructure that can deliver better service while incurring less risk.
Implementing the PCI DSS also opens the door to improving business processes and enterprise information security operations. To recognize these opportunities and how to best take advantage of them, it's important to first appreciate the challenges posed by PCI compliance.
Identifying the Challenges of PCI
Companies must first understand the requirements of PCI DSS to ensure proper implementation. This effort can be daunting for those less experienced in putting security-related best practices to work. Also, before any work on PCI DSS implementation begins, corporate decision makers must determine the organization's pre-audit PCI status.
Many managers considering PCI DSS implementation soon discover that they face several complex technological challenges; most notably:
- Tracking and monitoring access to the network and systems containing cardholder data
- Encrypting cardholder data
- Controlling logical access to systems with cardholder data
- Authenticating users who access systems containing cardholder data
- Detecting and preventing intrusion and scanning for vulnerabilities
- Penetration testing
- Installing and maintaining firewalls
PCI DSS auditors often discover myriad vulnerabilities, such as inconsistent encryption techniques across merchant systems and networks, storage of unnecessary cardholder data, transmission of cardholder data over unsecured networks, lack of regular vulnerability scanning, and inadequate logging (or no logging at all) of network activity.
It's not unusual for companies to assume that, because they're already compliant with Sarbanes-Oxley or HIPAA requirements, they are also PCI-compliant. They soon discover that implemented controls are insufficient to meet the PCI standard.
Exploiting the Opportunities of PCI
Security standards are certainly not new. During the Great Depression, for example, at least one county government in Midwestern America issued Springfield rifles to local shopkeepers so they could shoot at fleeing bank robbers (anecdotal evidence suggests that this practice reduced the crime rate in general).
The 21st century requires new security measures to defend against the new and emerging threats to which virtually all businesses are now vulnerable. Despite these challenges, implementing the PCI standard doesn't need to be yet another painful cost of doing business. Fortunately, compliance with the PCI standard is a lot less dangerous than shooting at bank robbers.
Compliance does provide a similar advantage, though: companies that implement PCI DSS protect their sensitive data, but also prepare their businesses to comply with future security standards that will undoubtedly evolve in response to emerging threats and vulnerabilities. By getting ahead of the compliance curve, organizations that implement PCI DSS can actually reduce long-term compliance costs. Putting the robust PCI standard in place instills security best practices across the entire enterprise, making it easier and less expensive to adhere to new requirements down the road, and creating a leaner, more efficient organization.
Thought leaders in the areas of compliance and information security typically recommend that organizations undertake a systematic, comprehensive approach involving several steps. The first step is to articulate business requirements. This leads to the next step, developing a risk assessment that helps generate both security policy and control frameworks. Finally, these frameworks form the basis for a technology architecture, including guidelines and control standards, and help form policy management and feedback processes.
Such a wide-ranging effort happens within the context of the relevant compliance mandates and their various requirements. When a company has to meet multiple compliance mandates, it's faced with a new challenge: ensuring compliance with the fewest possible processes and tools.