
New PCI DSS hurdles loom

01 July 2010

Extensions to the IT security and governance rules laid down by the PCI Security Standards Council are looming.

From today, Visa is reportedly tightening up its security rules on smaller companies accepting card payments.

In September, a further security mandate will require large-scale card-accepting businesses to be fully PCI DSS compliant from the start of that month onwards.

Infosecurity's sister publication Computer Weekly has just reported that first aid charity St John Ambulance has installed PCI DSS governance systems from LogRhythm, and other major organisations are also tendering for similar systems.

So what can companies do to meet the needs of what appears to be an increasingly draconian set of PCI DSS standards?

According to Jeff LoSapio, security practice manager for application security specialists Fortify, what is needed is a change of mindset at the SME end of the market.

"Smaller companies accepting card payments need to start thinking like larger scale companies. With cyber threats at an all time high they are increasingly a target and need to take PCI seriously", he said.

LoSapio, previously vice president of Fishnet Security, says the most important aspect of the PCI rules is that companies should regard meeting the security mandate as a best practice requirement that their IT department must achieve.

This is similar, he says, to the way HMRC imposes best practices on payroll departments, rather than setting a minimum target that merely has to be reached.

LoSapio adds that the PCI rules are becoming more complex, meaning that any company that accepts card payments should, if they have not already done so, start reviewing their IT security systems to prevent any problems further down the line.

The current (v1.2) rules, he explained, are split neatly into 12 requirements, grouped into six logically related groups known as control objectives.

The first stage in meeting these objectives, says LoSapio, is to check whether the security rules actually apply to your company, whether now or in the future. This can be achieved by going to the PCI Security Standards Council website and using the many audit utilities on the portal.

The site, he says, has a number of resources available to merchants and service providers, including a self-assessment questionnaire, from which companies can better understand whether their organisation needs to be compliant with the progressively evolving card security rules.

Coupled with the array of fact sheets on the council's website, LoSapio says that much of the process of preparing for PCI DSS compliance can be achieved before the need to employ a consultant arises.

"By using the range of self-help files and questionnaires on the PCI Council's website, companies can save themselves a lot of expensive legwork in terms of pre-compliance procedures", he said.
