PCI council ranks security risks, milestones
PCI council devises a 12-step program for meeting security standards.
By Tim Greene, Network World, 02/25/2009
Businesses shouldn't let financial pressures put PCI-security compliance on the back burner, and the PCI Security Standards Council has devised a 12-step program to help merchants get there.
"Now is the time to be even more vigilant," says Lib De Veyra, the new chairman of the council who is vice president of emerging
technologies for JCB International Credit Card Co., one of the five companies that make up the PCI Security Standards Council.
"It's the time for criminals to step up their games."
To help with that challenge, the council is about to introduce a prioritized list of its standards set down as milestones
to be reached in order, with each milestone ranked so the most critical security measures are implemented first.
The goal is to guide businesses down the path to compliance with the payment card industry data security standards that have
been set up to prevent loss of sensitive personal information such as credit card numbers and PINs.
The prioritized list, which is scheduled to be released next month, can help businesses that may be having trouble getting
started figure out what to do first, De Veyra says.
It also gives banks that sponsor use of payment cards a way to know that businesses have made progress even if they aren't
yet fully compliant. Currently, businesses are ranked as either compliant or not, De Veyra says.
At the top of the priority list is getting rid of unnecessary sensitive data so if the system is compromised, there is no
sensitive data to steal. "This will reduce the impact of a breach," he says.
The second milestone is to harden perimeter security by such means as tightening firewall rules and locking down wireless
access points.
Businesses that are compliant with PCI standards have never been breached, says Bob Russo, general manager of the PCI Security
Standards Council, or at least he's never seen such a case. Victims may have attained compliance certification at some point,
he says, but none has been in compliance at the time of a breach.
As a way to further encourage compliance, the council is sponsoring training for merchants that want to prepare for the evaluation
of their PCI compliance by qualified security assessors (QSA). The intent of the two-day program is to give merchants a better
understanding of the standards as well as a glimpse of what the QSA looks for during an assessment. "They'll understand the
perspective of the QSA so they are better prepared," De Veyra says.
The training session will be held in Chicago April 6 and 7. Other sessions will be scheduled in other locations, Russo says.
Also next month the council will issue two new standards for hardware components used in payment-card processing.
The unattended payment terminal standard sets down the specifications that these terminals must meet in order to gain certification
from the PCI council. Automated Teller Machine debit card terminals and self-serve gas pumps fall into this category.