Befuddled companies get checklist for complying with PCI security standard
PCI council releases compliance framework for meeting payment card data-security rules
Computerworld - The organization responsible for administering the Payment Card Industry Data Security Standard (PCI DSS) is offering new guidance to companies on how to comply with the rules for protecting credit and debit card data.
PCI Security Standards Council LLC, which was set up by Visa, MasterCard, American Express and other credit card companies in 2006, last week released a document (download PDF) that lists the most efficient order for companies to implement the 12 security controls mandated under PCI DSS. The prioritized approach groups the controls under six milestones that companies can use as a road map towards compliance, according to council officials.
Bob Russo, the council's general manager, said the framework is "the culmination of a lot of input" from various stakeholders within the payment card industry. It's designed, he added, to help companies that haven't yet to start on their PCI compliance efforts and are wondering what they should do first.
The release of the rollout guidance by the council comes nearly four years after the PCI standard first went into effect, imposing a set of data security requirements on all entities that accept credit and debit card payments. The effort to create the framework indicates that many merchants, especially smaller ones, still aren't fully compliant with the standard and need help implementing it, said Jim Huguelet, an independent PCI consultant in Bolingbrook, Ill.
"I think there are a lot of merchants who feel overwhelmed at the amount of remediation they need to undertake to become fully compliant," Huguelet said. That, he added, has resulted in a sort of "paralysis" in which some merchants either are doing nothing in regards to PCI compliance or are only taking on some of the easier requirements, which by themselves do little to reduce the overall security risks faced by companies that process card transactions.
By offering a framework that explicitly ranks the relative importance of the different requirements, the PCI council has finally given businesses that have yet to comply with the rules a way to move forward, according to Huguelet. "The journey of a thousand miles begins with a single step, and the PCI [council] has now officially announced what those first steps for merchants really should be," he said.
The first of the six milestones outlined in the framework deals with the need for companies to purge sensitive card-authentication data from their systems and limit the amount of data that they collect and retain. Among the measures that have to be implemented in this stage are purging magnetic-stripe data and personal identification numbers (PIN) from systems and destroying old data storage devices via measures such as shredding.
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- Capabilities You Need in an IP Address Management Solution A mismanaged IP space can cripple an otherwise healthy network. Take a moment to understand what you need in an enterprise-ready IPAM solution.
- IPv6 Fundamentals IPv6 is needed to sustain the growth of the Internet. The transition from IPv4 will require planning and likely some degree of support...
- Optimize IT Performance & Availability: Four Steps to Establish Effective IT Management Baselines More than ever before, your company's ability to grow hinges on IT performance and availability. Download this how-to report on establishing IT baselines,...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the... All Legal White Papers | Webcasts