PCI Compliance: Shackle or Launch Pad?

Written by admin on Tuesday, 13 July 2010 at 4:05 am

The Payment Card Industry (PCI) Security Standards Council (SSC) was founded by leading payment card brands in 2006. The council has developed the Data Security Standard (DSS) as a single set of requirements in a move to enhance the security of payment account data. Any organization that stores, processes or transmits cardholder data is required by contractual obligation to be compliant with the DSS.

Some organizations perceive PCI compliance as a valueless, externally mandated one-time activity that consumes resources they would rather spend on other efforts. Many other organizations, however, have effectively launched security programs around the DSS or have expanded their existing security programs using it. So which is it: a shackle or a launch pad?

PCI compliance is the result of organizations that store, process or transmit cardholder data being irresponsible with regard to information security. Organizations chose profit over security, and as a result rules and consequences have been put in place.

Changes made to networks and systems can affect an organization’s compliance status. An organization that does not incorporate the data security principles behind PCI compliance into its daily operations is very likely to drop out of compliance, putting cardholder data at risk in some way. One-time proof of minimal compliance does not mean an organization’s data or its customers’ data is secure. Data security is only achieved and maintained through long-term, consistent and focused effort.

PCI compliance is a good starting point for an organization lacking compliance maturity, but its true value is realized only if the firm makes a long-term, consistent and focused commitment to information security. Since PCI compliance applies only to the parts of an organization’s network that store, process or transmit cardholder data, it is not a complete security program. The data security principles associated with PCI compliance can benefit an organization generally, not just within the context of PCI.

The PCI Data Security Standard (DSS) is comprehensive and specific enough to be the foundation for (or at least a component of) a solid information security program in any organization, irrespective of size. The DSS includes requirements for security management, policies, procedures, network architecture, software design and development, and other critical protective measures. Because of the breadth of areas its requirements cover, the DSS can help an organization consider and address most areas of information security. In short, it can act as a springboard to security compliance in letter and in spirit.

Category: PCI Data Security Standard, Security Testing Services
