The organization that administers the credit card industry's data security rules has released a new set of compliance guidelines -- a move that reinforces the widespread perception that efforts to comply are going slowly at many companies.
PCI Security Standards Council LLC, which was set up by Visa, MasterCard, American Express and other credit card companies in 2006, this month issued a 15-page document that details a "prioritized approach" for complying with the rules.
The new framework maps the 12 security controls mandated by the Payment Card Industry Data Security Standard (PCI DSS) to a list of six milestones. Bob Russo, the council's general manager, said the goal is to help companies that have yet to start on their PCI DSS compliance efforts and are wondering where to begin.
The first version of the security standard, which applies to all entities that accept credit and debit card payments, went into effect nearly four years ago. But many businesses still aren't fully compliant, said Jim Huguelet, a PCI consultant in Bolingbrook, Ill.
"I think there are a lot of merchants who feel overwhelmed at the amount of remediation [work] they need to undertake," Huguelet said. That, he added, has led to a state of "paralysis" in which companies either are doing nothing or are only implementing the easier PCI requirements, which by themselves do little to reduce the overall threat of data breaches. The milestone-based framework finally gives those companies a template for moving forward, Huguelet said. "The journey of a thousand miles begins with a single step," he noted. "And the PCI [council] has now officially announced what those first steps should be."
Russo said the milestones are meant to provide an organized compliance methodology that ensures that the highest-risk issues are addressed first. In addition, a spreadsheet-based tool released with the framework can be used to plot progress against the milestones and to give auditors a snapshot of a company's compliance status.
The first milestone focuses on purging sensitive card-authentication data from systems and limiting the amount of information that companies collect and retain. Others revolve around network and application security, user access control and the protection of stored data.
This version of this story originally appeared in Computerworld's print edition.
Comments (1)
Tired of covering the big boys' asses
By SimpleTruth on March 17, 2009, 12:39 pm
PCI is just a method the big boys (Visa, MC, AMX) are using to hide their own failings and poor planning. Hardware/Software Development is expensive, especially...