PCI Council issues priority tool for compliance

By Robert Westervelt, News Editor
04 Mar 2009 | SearchSecurity.com


The PCI Security Standards Council has issued a new tool designed to walk companies through the compliance process by setting a series of six milestones companies must meet before being signed off as compliant by a security assessor.

The milestones were set by weighing the risk factors and threats to credit card data that most often lead to a breach. The PCI Prioritized Approach framework is meant to serve as a roadmap that gives merchants a prioritized check-off list, said Bob Russo, general manager of the PCI Council. Russo said the tool could help improve communication on compliance progress between merchants, Qualified Security Assessors (QSAs) and acquiring banks.

"It will keep track of how close to being compliant you are so when your acquirer asks if you're doing something with this you can actually show some progress and let them know how close you are to being compliant," Russo said.

The PCI Council issued version 1.2 of PCI DSS in October. The standards were updated to address wireless security, antivirus use and the review of firewall rules. Russo said he doesn't anticipate another update (version 2.0) until 2010.

Ultimately, the council hopes the PCI Prioritized Approach framework helps acquiring banks track merchant compliance. The new tool is available on the Council's website. It consists of a downloadable worksheet that lets merchants sort specific PCI DSS requirements by a prioritized list of milestones.

The priority list starts with the steps merchants must take to ensure credit card data isn't stored, followed by milestones for putting technologies in place to secure the perimeter, payment applications and other software that may hold credit card data, and for monitoring and controlling access to systems. If merchants determine that credit card data must be stored, the fifth milestone offers a checklist for protecting that information, from protecting and storing cryptographic keys to properly maintaining inventory logs. The final milestone deals with conducting application penetration tests and reviewing controls and procedures.

"There are many merchants out there that know how important PCI DSS is, but they need a little help," said Lib de Veyra, vice president, emerging technologies at JCB International Co., and chairperson of the PCI Standards Council. "This is a good way to approach it by dealing with the highest risks first."

While PCI DSS should be pretty clear to IT pros and compliance executives, the new tool should prove valuable to companies trying to prioritize compliance initiatives based on risk factors, said Jack Santos, an executive strategist with the Burton Group who has had experience with PCI projects. Santos said compliance initiatives are continuing at many firms despite the down economy.

"Security is one area in this down economy that is holding its own," Santos said. "In fact, there may be even a slight increase in security spending because people are more worried than ever about data leakage and breaches."

The Council plans an information webinar to review the new compliance tool on March 18 at 11:30 a.m. and 7:30 p.m.
