The PCI Security Standards Council has issued a new tool designed to walk companies through the compliance process by setting a series of six milestones companies must meet before being signed off as compliant by a security assessor.
The milestones were set by weighing certain risk factors and threats to credit card data that often lead to a breach. The PCI Prioritized Approach framework is meant to be used as a roadmap to give merchants a prioritized check-off list, said Bob Russo, general manager of the PCI Council. Russo said the tool could help improve communication on compliance progress between merchants, quality security assessors (QSAs) and acquiring banks.
"It will keep track of how close to being compliant you are so when your acquirer asks if you're doing something with this you can actually show some progress and let them know how close you are to being compliant," Russo said.
The PCI Council issued version 1.2 of PCI DSS in October. The standards were updated to address wireless security, antivirus use and the review of firewall rules. Russo said he doesn't anticipate another update (version 2.0) until 2010.
Ultimately, the council hopes the PCI Prioritized Approach framework will help acquiring banks track merchant compliance. The new tool is available on the Council's website. It consists of a downloadable worksheet that lets merchants sort the specific PCI DSS requirements by a prioritized list of milestones.
The priority list starts with the steps merchants must take to ensure credit card data isn't stored. It then moves on to ensuring technologies are in place to secure the perimeter, to secure payment applications and other software that may hold credit card data, and to monitor and control access to systems. If merchants determine that credit card data must be stored, the fifth milestone offers a checklist for protecting that information, ranging from protecting and storing cryptographic keys to properly maintaining inventory logs. The final milestone deals with conducting application penetration tests and reviewing controls and procedures.
"There are many merchants out there that know how important PCI DSS is, but they need a little help," said Lib de Veyra, vice president, emerging technologies at JCB International Co., and chairperson of the PCI Standards Council. "This is a good way to approach it by dealing with the highest risks first."
While PCI DSS should be pretty clear to IT pros and compliance executives, the new tool should prove valuable to companies trying to prioritize compliance initiatives based on risk factors, said Jack Santos, an executive strategist with the Burton Group who has had experience with PCI projects. Santos said compliance initiatives are continuing at many firms despite the down economy.
"Security is one area in this down economy that is holding its own," Santos said. "In fact, there may even be a slight increase in security spending because people are more worried than ever about data leakage and breaches."