Ask The Security Expert: Questions & Answers

Why are there still various independent credit card security standards?

Expert response from: Mike Rothman, past SearchSecurity.com expert

QUESTION POSED ON: 25 January 2008
If there is supposed to be a consolidated security standard among American Express, Visa and Mastercard, why are there still independent security programs that you have to follow for each vendor? For example, AmEx has its DSOP that has to be followed.
The Payment Card Industry Data Security Standard (PCI DSS) is that consolidated standard that you refer to. Yet, it is perceived to be a minimum level of security required to protect private customer data. Each of the major credit card issuers reserves the right to build additional security requirements on top of PCI DSS.

This is not a bad thing because as we all know, PCI DSS is not the end-all and be-all for security. It's true that it's the most specific and therefore most useful of the standards for compliance, but it's by no means foolproof. I've long held that organizations should stay focused on security and not compliance. If a company is doing a good job on security, then in all likelihood it will be compliant with most regulations.

American Express' Data Security Operating Policy (DSOP) (pdf) isn't really another set of requirements to follow. Rather, the DSOP clarifies AmEx's expectation of documentation and scanning for merchants of a certain size. Amazingly enough, the transaction volumes roughly equate to the way retailers are tiered into specific levels for PCI DSS.

The DSOP also specifies the ramifications of not promptly notifying AmEx of a potential breach. There is a lot of legalese in this section, but the gist is that AmEx will rake a company through the coals if it doesn't quickly and fully disclose a potential data breach. This is consistent with the overarching PCI DSS focus on pushing the liability of data breaches down to the retailers.
