This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."

Download it now to read this article plus other related content.

The Equalizer
PCI is an equalizer of sorts among companies with established IT personnel and procedures in place, and smaller entities that process much fewer credit card transactions each year.

"[The standard] is taking companies that have traditionally been involved in the area of delivering products and services, and getting them much more involved in IT security," says Ed Kountz, a senior analyst at Jupiter Research.

Merchants that process 150,000 to six million online credit card transactions per year are classified as level 2, while those handling 20,000 to 150,000 e-commerce card transactions annually are designated level 3. All others fall into level 4.

It's the smaller companies who process fewer than 150,000 transactions per year that are most likely to drag their feet on PCI compliance, preferring instead to have a "wait-and-see" attitude, notes Russell Rowe, president and founder of Chief Security Officers, a Scottsdale, Ariz.-based company authorized by Visa to perform PCI assessments.

SANS's Paller concurred. "A lot of people are waiting to see what happens if they don't [comply]," he says. "It's a little like HIPAA when it was first passed; 'let's find out who is hurt'" before expending the time and energy to comply.

In that regard, LoyaltyLab is an anomaly. Engel designed the company's security policies and network to be PCI-compliant--and then some--from the ground up. "We have had

    Requires Free Membership to View

background checks from employee number one, and we do segregation of duty, which you just don't find in many small companies." For example, LoyaltyLab's database administrator is not permitted to decrypt stored credit card numbers.

Engel recognizes he had the luxury of designing the system rather than retro-fitting an older system for PCI compliance: "It proves yet again the notion that it costs a heck of a lot less to design something securely than to make it secure as an afterthought."

This was first published in May 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: