Payment Card Industry Data Security Standard - Not a Security Panacea
Burton Group has announced a new research report with "a list of
recommendations to help merchants and payment service providers get the most
out of the payment card industry (PCI) data security standard (DSS) compliance
work."
According to Diana Kelley, vice president and service director for
Burton Group's Security and Risk Management Strategies service, PCI DSS does a
good job helping companies understand how to prevent and detect a cardholder
data security breach, but does not go into detail regarding how to address a
breach. Kelley points out PCI DSS is not the only set of practices companies
must consider when handling cardholder data.
She recommends a full-spectrum approach including the following steps:
Get the Facts - For detailed readiness work, the PCI DSS itself and the PCI DSS
Security Audit Procedures are required reading. Both documents are available from the PCI SSC
website at www.pcisecuritystandards.org. These are the same documents the PCI
auditors and the payment-card brands use to assess compliance and will help an
organization prepare for compliance attestation.
Segment the Scope - Segmenting servers and networks reduces the scope of
PCI audited systems, thus reducing compliance work. Technologies that provide
segmentation include firewalls, routers with access control lists (ACLs), and
physical security.
Don't Store What You Don't Need - Applications architected with PCI DSS
compliance in mind are designed to prevent storage of unnecessary data. Point
of sale (POS) applications that store full magnetic stripe data are out of
compliance with PCI DSS. So, before purchasing a payment application, or
creating one in-house, carefully review what can and cannot be stored.
Application security and controls can help here.
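As an added illustration of an application control that enforces "don't store what you don't need" (this is example code written for this page, not Burton Group's or any payment vendor's), the guard below sits between a payment application's capture layer and its database. It refuses any record that carries full track data, a card verification code or a PIN, and it masks the PAN to its last four digits before anything is written. The field names, the regular expression used to recognise track 2 data, and the masking policy are assumptions made for the example; a real deployment follows the storage rules its assessor applies.

```python
"""Storage guard for cardholder data (added example, not from the original page).

Assumptions (constructed for this example):
- The capture layer hands over a dict of string fields.
- Field names: 'pan', 'expiry', 'cardholder_name' may be retained;
  'track1', 'track2', 'cvv', 'pin', 'pin_block' must never be persisted
  after authorization.
- Masking the PAN to the last four digits is this example's storage policy.
"""
import re

FORBIDDEN_FIELDS = frozenset({"track1", "track2", "cvv", "pin", "pin_block"})
ALLOWED_FIELDS = frozenset({"pan", "expiry", "cardholder_name"})

# Track 2 data begins with the PAN, a '=' separator and the YYMM expiry.
TRACK2_PATTERN = re.compile(r"^;?\d{13,19}=\d{4}")


class ForbiddenDataError(ValueError):
    """Raised when a record contains data the application must not persist."""


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used to confirm the 'pan' field is a PAN."""
    digits = [int(c) for c in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; every other digit becomes '*'."""
    pan = pan.replace(" ", "")
    return "*" * (len(pan) - 4) + pan[-4:]


def to_storable_record(captured: dict) -> dict:
    """Return the subset of `captured` that may be written to persistent storage.

    Rejects the whole record if a forbidden field is present or if any value
    looks like track data, so a misconfigured capture layer cannot leak
    sensitive authentication data into the database. Fields outside
    ALLOWED_FIELDS are dropped silently.
    """
    present_forbidden = FORBIDDEN_FIELDS & set(captured)
    if present_forbidden:
        raise ForbiddenDataError(f"refusing to store: {sorted(present_forbidden)}")
    for key, value in captured.items():
        if isinstance(value, str) and TRACK2_PATTERN.match(value):
            raise ForbiddenDataError(f"field {key!r} looks like track data")
    record = {}
    for key in ALLOWED_FIELDS & set(captured):
        value = str(captured[key])
        if key == "pan":
            if not luhn_ok(value.replace(" ", "")):
                raise ValueError("PAN fails Luhn check")
            value = mask_pan(value)
        record[key] = value
    return record


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a standard test PAN.
    sample = {"pan": "4111 1111 1111 1111", "expiry": "2512",
              "cardholder_name": "J DOE", "receipt_note": "thanks"}
    print(to_storable_record(sample))
    try:
        to_storable_record({**sample, "cvv": "123"})
    except ForbiddenDataError as exc:
        print("rejected:", exc)
```

The rejection path is deliberately loud: a record carrying forbidden data raises rather than being quietly trimmed, so the defect in the capture layer surfaces in logs and tests instead of being masked by the guard.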
Be Prepared and Be a Partner - Success comes from merchants and
providers who work with auditors in a noncontentious, partnership model to
achieve compliance. If there are gaps in compliance, the auditor can mark a
control either as "not in place" or as "not in place" with a "target date" for
remediation. Showing there is a plan with a target date for remediation lets
the payment-card brands know that actions are being taken to correct the
problem.
Get Involved - There were a number of changes between version 1.0 and
1.1 of the PCI DSS. Members of the payment community helped drive these
changes. If your organization thinks a requirement in the DSS is unfeasible,
talk with your auditor to determine if compensating controls or an alternative
can be found. If not, talk to the SSC.
Build a Compliance Program - New regulatory mandates and industry
standards are introduced all the time. Avoid "fire drill" mode and take a
comprehensive approach to compliance by utilizing reusable frameworks which
are built on generally accepted control and risk-management frameworks (such
as COSO, CobiT, ISO 27001, and NIST SP800-30).
Burton Group (www.burtongroup.com) helps technologists make smart
enterprise architecture decisions in increasingly complex environments. Burton
Group's research and advisory services focus on technical analysis of
infrastructure technologies relating to security, identity management, web
services, service-oriented architecture, collaboration, content management,
and network and telecom.