The 12 PCI DSS requirements all come with their own pitfalls and questions, often leaving security professionals frustrated with the regulation's strict guidelines, and eager to seek out advice and a little help for achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS).
Thankfully, this mini-guide offers a variety of tips and information on how organizations can use several frameworks, technologies and standards, such as tokenization, ISO 27002, Secure Hashing Algorithm and other existing controls to help manage PCI DSS efforts and ease the compliance burden.
- Combining compliance efforts to help manage PCI DSS
- Using ISO 27002 to help achieve PCI DSS compliance
- Network isolation as a PCI DSS compliance strategy
- PCI DSS compliance help with tokenization
- Use SHA to encrypt sensitive data
- Building a framework-based compliance program
- Aligning an information security framework to your business model
Compliance Recycling: Combining compliance efforts to manage PCI DSS
While PCI DSS looms large over most enterprises' compliance efforts, it doesn't necessarily mean abandoning other compliance efforts.
In this tip, expert Diana Kelley explains not only how to use existing controls to achieve PCI DSS compliance, but also how other compliance frameworks can ease the PCI DSS compliance process. Also learn how to leverage valuable mappings among existing frameworks and how some of the policies and tools implemented for PCI DSS may provide unexpected compliance benefits for other initiatives.
How to use ISO 27002 to help achieve PCI DSS compliance
The Payment Card Industry Data Security Standard may be fairly straightforward, but often fails to define the processes that will ultimately lead to PCI DSS compliance. Meaning, if organizations simply follow the PCI DSS blindly, they may not achieve the overall security goals.
In this tip, expert Richard E. Mackey Jr. explains why the ISO 27002 can not only help organizations comply with the PCI DSS, but also provide more structure to an organization's overall compliance program.
Network isolation as a PCI Data Security Standard compliance strategy
While they may be appropriate for protecting credit card information, the PCI Data Security Standard requirements are probably too rigorous and costly to be applicable to the bulk of the data an enterprise handles on a daily basis.
One way to minimize your overall infrastructure's exposure to the rigors of the 12 PCI Data Security Standard requirements is to use a stand-alone network to isolate payment card data. As Mike Chapple explains, this network isolation approach eliminates a number of requirements, and minimizes the risk of being responsible for the next high-profile data breach.
Getting PCI DSS compliance help with tokenization
PCI DSS compliance is top of mind for everyone in the payment lifecycle. Protecting sensitive credit card data can be an albatross, but a relatively new technology promises to erase the burden.
In this tip, Ed Moyle explains how tokenization works and the pros and cons of the technology, including how it can help alleviate some the concerns associated with PCI DSS compliance and prevent an embarrassing high-profile data security breach.
Use SHA to encrypt sensitive data
Complying with the PCI Data Security Standard is often on the forefront of many security practitioners' minds. In this expert response, Michael Cobb explains why using SHA-1 to create hashes of credit card numbers to avoid storing them in cleartext is safe, and details how using the Secure Hashing Algorithm can help an enterprise encrypt its sensitive data and help meet the PCI Data Security Standard requirements.
Building a framework-based compliance program to get compliant with PCI DSS regulations
Behind every compliant organization is a thorough and thoughtful security process. Compliance pro Richard Mackey knows how to build a proper compliance program, from assembling requirements and capturing an organization's current state to establishing realistic expectations and finally meeting the demands of regulations.
In this video, Mackey explains which compliance frameworks can help meet information security standards and regulations, such as PCI DSS, as well as how to ensure discipline and begin an organizational commitment that allows a company to meet compliance standards continuously -- in both the short term and the long term.
How to align an information security framework to your business model
Although the need to get compliant drives information security in companies that must comply with HIPAA, PCI DSS and SOX regulations, it does not always resonate with the business operations strategy.
CISOs should consider blending traditional business models with information security frameworks, and not rely solely on regulations to drive security programs. In this tip, learn how to align an information security framework with a business operations strategy.