Saturday, 5 June 2010

PCI Compliance - An Ongoing Journey Not A Destination

The Payment Card Industry (PCI) Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures created by major credit card companies to safeguard customer information. Credit card companies like Visa, MasterCard, American Express, and other credit card associations mandate that merchants and service providers meet certain minimum standards of security when they process, store and transmit cardholder data.

Image via flarenetwork

The PCI Data Security Standard consists of 12 basic requirements spread among 6 major control objectives. One of the main objectives of PCI is to ensure that a consistent “due care” is used to protect payment account, transaction and authentication data of customers. The goal of PCI is to improve data protection strategies that will allow customers to swipe their credit cards with more confidence and assurance that the confidentiality and integrity of their information will not be compromised.

PCI Compliance

Organizations must know their current compliance posture before they approach PCI compliance. Treating PCI as a "one size fits all" fix leads only to disaster. To begin with, organizations must scope the infrastructure that falls within the PCI environment and then perform the following:

1. Conduct a PCI pre-assessment and gap analysis. The pre-assessment is crucial because it lets the organization understand what the compliance effort will entail.
2. Develop and implement a remediation program to address the gaps found in the pre-assessment.
3. Design a security framework and align the security controls with the compliance requirements.

How do the many mature organizations achieve success in their PCI efforts? Very simply: by approaching PCI from a risk-driven model. This type of approach prioritizes resources around business risks, so that the resources allocated are directly in line with the achievement of corporate objectives. It is the keystone of an effective PCI compliance program management system: a formal system of risk management that can show that the PCI requirements and the resulting work have been effectively planned and managed. These organizations view compliance as part of their risk management strategy and not as a standalone project.

Complying with PCI does not make an organization immune to attack. An organization's compliance with PCI represents only a "snapshot" of the security in place at the time of the review, and it does not guarantee that those security controls will remain in place after the review is complete. This means that once the organization is PCI compliant, it has to proactively review its people, processes and technology on a continuing basis.

I'm sure that everyone would agree that new vulnerabilities are discovered every day. In such a situation, the organization must be dedicated and disciplined if it wishes to stay on top of all these challenges. Ultimately, however, success with PCI depends on how committed management is to it.

To conclude, Payment Card Industry Data Security Standard (PCI DSS) compliance is an ongoing journey once you embark on it and not a destination.
