News

Companies should go beyond PCI DSS compliance, says Layer 7

22 July 2011

Companies need to go beyond compliance with the Payment Card Industry Data Security Standard (PCI DSS) if they want to protect cardholder data, according to Phil Walston, vice president of development and product management at Layer 7 Technologies.

Walston cited the 2011 PCI DSS Compliance Trends Study, which found that 88% of respondents either did not believe that PCI DSS compliance reduced the number of data breaches their organizations experienced or were not sure whether it had any effect on breaches.

“Clearly, PCI DSS is not a catch-all; it doesn’t solve all your problems”, Walston told Infosecurity. “In some cases, you can think you have very secure exchanges of cardholder information, and in fact not have that at all. That is one of the gross exaggerations people have about PCI DSS — if you implement PCI DSS, do an audit, pat yourself on the back, and say it’s all done, you’re somehow considerably safer than you were before”, he added.

The 2011 PCI DSS Compliance Trends Study, conducted by the Ponemon Institute for database security firm Imperva, surveyed 670 US and multinational IT security practitioners on PCI DSS compliance.

The survey found that only 33% of respondents believe that expenditures on PCI DSS compliance add value to the organization. Half of respondents said that their organization views PCI DSS compliance as a burden. For a fuller discussion of the survey results, see Infosecurity’s April 25 coverage.

Walston said that the increasing use of mobile devices to conduct credit card transactions is complicating the credit card security issue. “Right now, a number of our customers want to open up their APIs [application programming interfaces] because they believe it is a path to money. MasterCard, for example, is in the process of opening up their developer APIs”, he noted.

“The credit card companies believe they are behind on this… So they have this conflicting issue. On the one side, they want to make their APIs open so that developers can write cool apps that drive volume through their network. At the same time, they want to lock down the security”, he said.

Walston said that the Layer 7 Gateway offers companies protection beyond PCI DSS compliance. The gateway authenticates and authorizes external parties and encrypts communications with them, and it uses pattern-recognition rules to inspect outgoing messages and filter out cardholder data that would otherwise leak from internal systems.
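What an outbound cardholder-data filter of that kind does in practice, shown as an added example rather than Layer 7’s product code: scan each outgoing message for 13 to 19 digit runs, keep only those that pass the Luhn check every real PAN satisfies, then mask or block them. The sample message is constructed; the card numbers in it are the standard Visa and MasterCard test numbers, and the `mask`/`block` policy names are an assumption for the example.

```python
"""Egress filter for primary account numbers (PANs).

Added example, not Layer 7's code: regex candidate match + Luhn checksum,
then mask (keep first 6 / last 4) or block the outbound message.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample: one 13-digit order number (fails Luhn) and two real
# test card numbers (Visa 4111..., MasterCard 5555...), one with spaces, one with dashes.
SAMPLE = ("Order 1234567890123 shipped; card 4111 1111 1111 1111 "
          "(alt 5555-5555-5555-4444), exp 12/14.")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits (the usual display allowance), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allows so only digits remain."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like PANs and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def filter_outbound(message: str, action: str = "mask") -> Tuple[str, int]:
    """Inspect an outbound message; mask (default) or block any PAN found.

    Returns (possibly rewritten message, number of PANs detected).
    With action="block" a message containing any PAN raises ValueError
    instead of being passed on.
    """
    count = 0

    def _sub(m: "re.Match") -> str:
        nonlocal count
        digits = _normalize(m.group(0))
        if not luhn_ok(digits):      # e.g. an order number: leave untouched
            return m.group(0)
        count += 1
        return mask_pan(digits)

    rewritten = PAN_CANDIDATE.sub(_sub, message)
    if action == "block" and count:
        raise ValueError(f"blocked: {count} PAN(s) in outbound message")
    return rewritten, count


if __name__ == "__main__":
    print(find_pans(SAMPLE))
    print(filter_outbound(SAMPLE))
```

The Luhn step is what keeps order numbers, timestamps and similar digit runs out of the alerts; without it a filter like this floods the logs. The caveat a practitioner should keep in mind is that this only catches cleartext PANs in the message body: data that is base64-encoded, compressed, or split across fields sails through, which is why the text above pairs egress inspection with hardening the systems that hold the data rather than relying on the filter alone.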

“It’s not just about protecting cardholder information in terms of encryption or tokenization; you also have to be very serious about the systems themselves”, Walston added.
