Information Security Magazine


Swiping Back
by Amy Rogers Nazarov
Issue: May 2006

The Equalizer
PCI is an equalizer of sorts between companies with established IT personnel and procedures in place and smaller entities that process far fewer credit card transactions each year.

"[The standard] is taking companies that have traditionally been involved in the area of delivering products and services, and getting them much more involved in IT security," says Ed Kountz, a senior analyst at Jupiter Research.

Merchants that process 150,000 to six million online credit card transactions per year are classified as level 2, while those handling 20,000 to 150,000 e-commerce card transactions annually are designated level 3. All others fall into level 4.

It's the smaller companies that process fewer than 150,000 transactions per year that are most likely to drag their feet on PCI compliance, preferring instead to take a "wait-and-see" attitude, notes Russell Rowe, president and founder of Chief Security Officers, a Scottsdale, Ariz.-based company authorized by Visa to perform PCI assessments.

SANS's Paller concurs. "A lot of people are waiting to see what happens if they don't [comply]," he says. "It's a little like HIPAA when it was first passed; 'let's find out who is hurt'" before expending the time and energy to comply.

In that regard, LoyaltyLab is an anomaly. Engel designed the company's security policies and network to be PCI-compliant--and then some--from the ground up. "We have had background checks from employee number one, and we do segregation of duty, which you just don't find in many small companies." For example, LoyaltyLab's database administrator is not permitted to decrypt stored credit card numbers.

Engel recognizes he had the luxury of designing the system rather than retrofitting an older system for PCI compliance: "It proves yet again the notion that it costs a heck of a lot less to design something securely than to make it secure as an afterthought."
