Ask The Security Expert: Questions & Answers

Why are there still various independent credit card security standards?

Expert response from: Mike Rothman, past SearchSecurity.com expert

QUESTION POSED ON: 25 January 2008
If there is supposed to be a consolidated security standard among American Express, Visa and Mastercard, why are there still independent security programs that you have to follow for each vendor? For example, AmEx has its DSOP that has to be followed.

The Payment Card Industry Data Security Standard (PCI DSS) is that consolidated standard that you refer to. Yet, it is perceived to be a minimum level of security required to protect private customer data. Each of the major credit card issuers reserves the right to build additional security requirements on top of PCI DSS.

This is not a bad thing because as we all know, PCI DSS is not the end-all and be-all for security. It's true that it's the most specific and therefore most useful of the standards for compliance, but it's by no means foolproof. I've long held that organizations should stay focused on security and not compliance. If a company is doing a good job on security, then in all likelihood it will be compliant with most regulations.

American Express' Data Security Operating Policy (DSOP) isn't really another set of requirements to follow. Rather, the DSOP clarifies AmEx's expectation of documentation and scanning for merchants of a certain size. Amazingly enough, the transaction volumes roughly equate to the way retailers are tiered into specific levels for PCI DSS.

The DSOP also specifies the ramifications of not promptly notifying AmEx of a potential breach. There is a lot of legalese in this section, but the gist is that AmEx will rake a company through the coals if it doesn't quickly and fully disclose a potential data breach. This is consistent with the overarching PCI DSS focus on pushing the liability of data breaches down to the retailers.

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy