A Methodical Approach to PCI Compliance

By: Andy Eliason
Posted: 2008-04-28 08:10:02
The PCI DSS, or Payment Card Industry Data Security Standard, is a set of standardized requirements that merchants who store, transmit, or process sensitive information must adhere to. These requirements can be complex and time-consuming, but if you take a more methodical approach to PCI compliance, some of those mandated procedures might not be so bad.

The first step is to analyze your priorities. How important is PCI compliance to you? But before you answer that question, you need to understand some of the recent happenings in the payment card industry.

More and more, stories of security breaches are reaching public notice. The poster child for huge losses of sensitive information is the TJX company. Beginning in July of 2005, hackers spent nearly 18 months exploiting weaknesses in its systems and stealing countless credit card numbers.

The financial damage to TJX has been estimated in the hundreds of millions of dollars by some companies. The damage to its reputation, on the other hand, is no less detrimental to the company, even if it is a little harder to put an exact figure on.

So, have you properly prioritized PCI compliance? It's a number one priority now? Good. Let's move on.

The next step is to identify the people in your company who will be responsible for PCI compliance measures. Assemble this team and make sure they understand their responsibilities. There has to be a dedicated person (or team) to oversee the compliance procedures or it will not get done. Let's face it: responsibilities that are not specifically assigned are very easily shifted around until no one knows who was supposed to do what, or when it was supposed to be done.

You must then determine your merchant level. There are four different levels, and each has different requirements for PCI compliance depending on the size of your company - or, in other words, the volume of transactions your company processes.

Once these items have been addressed, you need to make sure that everyone in your organization is aware of your Information Security Policy and that it is strictly enforced. This is, in fact, one of the specific requirements of PCI compliance. Specifically, requirement 12 states that merchants must: "Maintain a policy that addresses information security." The reason for this requirement is simple. The strictest measures in the world don't mean much if the individual employees in the company don't understand the sensitive nature of the information they are supposed to protect, and their own responsibilities toward it.

This requirement encompasses practices such as developing daily operational security procedures, developing usage policies (how and when to access networks, etc.), and making sure that all employees and contractors understand these policies.

Next, as you come closer to PCI compliance you will likely discover many areas where your security procedures are somewhat lacking. Address these issues immediately and employ the necessary corrective measures.

Finally, you are going to want to record and document all your self-assessments, scans, and follow-up activities for later use. For full PCI compliance you will be required to validate your compliance with the Payment Card Industry Data Security Standard, and properly kept records will make this process much easier.

The 12 requirements of the PCI DSS can, at times, seem overwhelming and overly complex. Because of that, many merchants are postponing their work toward PCI compliance. Yet, given the dangers of security breaches and the damage that can be done to your finances and reputation, there really is no excuse for extended procrastination. A simple, methodical approach to compliance with the PCI DSS is all it takes to get things started.
Trackback url: https://article.abc-directory.com/article/4108