Solutions to Reduce PCI Scope
CSO - In today's turbulent economic environment, every organization is doing its best to limit losses and manage costs. In a similar vein, when it comes to achieving and maintaining PCI compliance, one way to manage costs is to limit or reduce the scope of PCI requirements.
Doing so can help to significantly reduce the overall costs and resources required to successfully negotiate a compliant PCI audit. This article will help show how this can be done.
Getting it done
It happens to many businesses that process credit cards for payments. They get that dreaded, unanticipated letter--be it from their acquiring bank, card brand, other financial institution or payment processor--stating or even mandating that the business become compliant with the PCI Data Security Standard (DSS).
Suddenly, all of those years of ignoring information security quickly comes back to haunt them. For many of these businesses, 60 Minutes is not a news show; rather it's the amount of time they dedicate to information security on a monthly basis.
After these organizations have been served proper notification and given an expected target date for PCI compliance, they hear that compliance clock ticking. (Editor's note:See A Tale of Two PCI Audits.) Unfortunately, they soon realize that they do not have the in-house talent to properly identify and remediate their PCI compliance gaps. There also may be other planned and capitalized IT projects in the works that have stringent timeline requirements. How is it possible to add a major compliance remediation effort to an already filled IT plans and programs dance card?
If a business is processing credit card payments for goods or services, then PCI DSS becomes a mandatory industry requirement. In this instance management can do the right thing by rallying internal staff and pulling relevant management and technical personnel into a special project team to address these new requirements. The team concludes it would be best to hire a PCI Qualified Security Assessor (QSA) from an authorized firm to assess their business and IT environment.
Once the QSA (can be one or more assessors depending on the project scope) arrives on-site, they conduct interviews with key organizational personnel, conduct physical securityinspections and personally review a representative sample of PCI system and network configurations. Following the on-site visit, the QSA will produce a report articulating the nature of the measured gaps with respect to the environment and all PCI requirements.
The team will then convene a post engagement meeting to review the results of the gap assessment. Generally this is done as a collective review, with concerns and anxieties shared by all the appropriate stake-holders. Often the client cannot believe there are so many PCI compliance issues to address. Every gap that is listed must be remediated in some fashion. All of those years of ignoring, or short-sheeting Information Security now becomes a major issue, along with the realization that this is going to be an expensive endeavor, likely impacting existing projects and putting a strain on existing staff.
Reprinted with permission from
Story Copyright CXO Media Inc., 2006. All rights reserved.
In today's turbulent economic environment
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
