With the recent rise in data breaches and identity thefts, implementing a sound information security program is no longer optional. Companies processing credit card information are encouraged to embrace and implement sound data protection strategies to protect the confidentiality and integrity of payment information. As a result of this recent trend, a consortium of payment card providers collaborated to introduce the Payment Card Industry (PCI) Data Security Standard (DSS) to ensure that companies take due care and diligence in storing, processing and transmitting credit card data. The goal of PCI is to improve data protection strategies that will allow consumers to swipe their credit cards with more confidence and assurance that the confidentiality and integrity of their information will not be compromised. Some of the challenges for achieving PCI compliance are outlined in this white paper, as well as successful tips to help organizations navigate through these challenges. Although challenges exist, organizations should remain encouraged and focused because there are benefits for achieving PCI compliance as outlined in this white paper. By achieving PCI compliance organizations eliminate unnecessary fines and penalties, heighten the awareness of PCI standards and requirements, and assist in the preparedness and readiness for upcoming PCI assessments and audits. This white paper provides guidance on how to achieve PCI compliance and a summary analysis of the 12 security requirements of the PCI security standard. A good first step toward achieving PCI compliance is embracing it while realizing no standard is perfect. The key to embracing PCI and achieving compliance is to understand that at the “heart” of the PCI standard are sound, fundamental security practices for data protection that seek to protect data confidentiality and integrity. 
One of the keys to understanding PCI is realizing that it’s not a security panacea, but rather the starting point to help organizations put in place a process for implementing and regularly reviewing sound information security principles for data protection. Thus, making PCI work resides in your ability to seamlessly align and integrate PCI with your existing information security policies, procedures, standards and guidelines.
Embracing PCI

So, it’s safe to say that PCI is here to stay, at least for the foreseeable future. If you are an industry participant or entity that stores, processes or transmits cardholder information, I have a newsflash for you – “Embrace PCI”…and make it work for you. The guidance that PCI DSS provides is the starting point to get organizations (back) on the right track toward compliance, improving data protection strategies, and adopting a holistic and comprehensive approach to information security. This will ultimately help reduce fraud and inject more confidence in the global credit issuance industry. This is positive news, which one would think should be received in a positive light; however, there are many who would argue that PCI is not realistic or attainable. There are quiet whispers for a more lenient and cost-effective approach – the microwave approach to information security and assurance. PCI DSS consists of 12 major security requirements which provide some level of guidance for protecting payment information. These requirements encourage industry participants to develop, implement and maintain fundamental security practices to establish the necessary framework for sound data protection strategies. One should keep in mind that the guidance provided by PCI DSS contains basic requirements that are often incorporated into the fabric of traditional Information Security and Assurance programs. Therefore, organizations that are diligent and serious about information security and assurance should be ahead of the game in achieving compliance {PCI, HIPAA, FISMA, SOX}. However, the problem for many industry participants, partners and merchants is that PCI DSS is all there is to their Information Security and Assurance program – and many are not taking the proper steps to protect their payment information.
Essentially, they don’t take PCI DSS far enough by incorporating it as part of a larger, continuous process to validate and measure their basic and fundamental security practices. In other words, PCI is not a security panacea – it’s not an end-all, be-all check list or a replacement for a corporate information security strategy as many companies have been regarding it.