|
Compliance Pains
Nebel has spent several months working with half a dozen companies on their PCI compliance. Some are large retailers, while others have approached his firm because they've suffered a security breach, or the Securities and Exchange Commission (SEC) is investigating them.
"We're called in to do a PCI audit when something bad has happened and a company is in trouble," he says.
Joseph Krause has also seen his share of troubled clients as senior security engineer for Chicago-based AmbironTrustWave, one of the largest auditing firms in the world. He says the company is working with about 300 service-provider clients--organizations that process, store and transmit cardholder data. Add in the merchants and everyone else, and his firm is dealing with about 30,000 clients just on PCI compliance. For at least two of his large-customers, the path to compliance has been especially difficult.
"A couple of larger companies needed a significant redesign of their IT infrastructure just so they could address the PCI controls," Krause says. "The biggest factor is encryption. If you can't encrypt your data, you have to isolate it."
Companies bound by multiple regulations and industry standards have had a particularly tough time, he says, because controls that are sufficient for one or two regulations won't necessarily cut it under PCI.
"Companies nowadays are dealing with many different compliance regimes with different data sets," Krause says. "HIPAA couldn't care less about credit card numbers. An encryption solution that operates on the systems where HR data is housed and works for HIPAA doesn't apply to PCI."
For others, he says, it can be a nightmare pinpointing every corner of the network where credit card data can travel.
|
