This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."

Download it now to read this article plus other related content.

    Requires Free Membership to View

12-step Program for Compliance

Unlike some government regulations, the PCI standard is praised for its clarity. Here are the 12 basic requirements.
  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt the transmission of cardholder data and sensitive information across public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

Straightforward Mandate
Whether it's mandating encryption or intrusion detection, eliminating vendor-supplied passwords, or ensuring that antivirus audit logs are kept current, PCI's clarity has won many converts. The standard sets out 12 requirements, which are detailed in multiple sub-requirements.

"[PCI is] very specific, clear and pragmatic," says Lynn Goodendorf, CISSP and vice president of information privacy protection at Intercontinental Hotels Group's U.S. headquarters in Atlanta. "People who have worked with traditional technology standards might not be happy because PCI doesn't meet a lot of the historical criteria to be called a standard. You can give it a different name, but PCI does seem to be very [useful] in terms of strengthening data security."

PCI is a common-sense approach to security, says Jennifer Mack, Cybertrust director of compliance product management. Customers "are loving PCI because now they have some driver to force their company into spending," she adds.

Barak Engel, CSO at LoyaltyLab, a San Francisco-based company that serves as its clients' outsourced CRM application, says PCI's clarity helps with encryption. "Everybody talks about encryption, and people have come to view encryption as a magic bullet. Deploying encryption properly is something the PCI standard provides a lot of detail on. It gives you solid and specific guidelines," he says.

Self-regulation of the sort PCI represents beats federal oversight, according to PCI implementers and observers.

"Most [other] regulations in the U.S. and other countries are written in broad language to allow for differences in various industries and business size," Goodendorf says. "This makes it difficult to impose technical specifications on technology vendors and to have a high level of confidence that compliance is adequate."

Plus, standards are generally easier to update over time than laws, she adds.

PCI also could lay to rest some ambiguity generated by the 1999 passage of GLBA, a piece of legislation that pushed banks, insurance companies and other financial institutions to protect consumers' financial information. GLBA's vague wording raised questions among other kinds of companies that collect consumers' private financial data, including credit card information, about the proper procedures they ought to implement to secure that data.

SANS's Paller notes that PCI is the only standard or regulation "at a low enough level to actually make a difference. Every other standard in security is at the 10,000-foot level."

Not everyone agrees on PCI's effectiveness. Earlier this year, Gartner Group released a report critical of PCI, noting that the standard "is too broad in scope, too detailed in some areas and not enough detailed in others.... That standard reads like a 'Best Practices Security Manual,' which, while laudable, goes beyond the immediate goal of protecting cardholder data."

Certainly, PCI is not a one-size-fits-all proposition, notes LoyaltyLab's Engel. "Each environment has certain quirks that need to be addressed." For example, by complying with PCI, LoyaltyLab is able to assure that its customers--such as 1-800-FLOWERS--had peace of mind that their customers' credit card data is secure, Engel says. In turn, the company had to identify a hosting provider who would be willing to "play ball with us," in part by agreeing to virtually separate LoyaltyLab's corporate network from the hosted environment. "Our list of requirements was a little bit longer," Engel says, but managed hosting provider RackSpace met the criteria.

This was first published in May 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: