PCI DSS 2.0 standard receives a cautious thumbs up from the IT security industry

PCI DSS 2.0, which has been developed after consultation with the industry, seeks to raise the security bar for any business accepting any form of credit, debit and charge cards.

The new standard comes into force at the start of January, with various penalties threatened for organisations that do not comply with the best practice and guidelines.

Ron Gula, CEO of Tenable Network Solutions, said that people need to realise that PCI prescribes a set of basic requirements for operating a secure network.

"These requirements are not a guarantee of security and so more organisations need to take steps to go much further than the basics required by PCI", he said, adding that continuous PCI monitoring increases uptime, reduces unplanned outages and helps protect organisations from security incidents.

Amichai Shulman, CTO with fellow IT security vendor Imperva, said that the main virtue of PCI is the standard's incredible opportunity to improve an enterprise's overall security posture.

"Nobody is in business to be compliant," explained Shulman. "But our experience highlights a simple lesson: if you invest in controls to address PCI there is an incredible opportunity to improve overall security."

Data logging specialist LogRhythm, meanwhile, said that the PCI DSS 2.0 guidelines will assist the many organisations that have still not met the PCI SSC's previous recommendations.

In March 2010, says the firm, a survey by Redshift Research revealed that just 11% of UK organisations were PCI DSS compliant.

Ross Brewer, LogRhythm's managing director of international markets, said that some of the anticipated changes by the PCI SSC can't come too soon.

"Reports show high rates of non-compliance, a fact often viewed as a reflection of the lack of clarity which has negatively affected the standard in the past", he said.

"Guidance on virtualisation and the alignment between PCI DSS and the Payment Application Data Security Standard will also be welcome, whilst the evolving requirement for centralised logging of payment transactions is a definite plus", he added.

Despite this, Brewer says that too many organisations view compliance as a one-time only requirement, instead of an ongoing process that can actually aid their wider business operations.

"For example, companies that heed the PCI SSC's recommendation to continuously log and monitor their networks will also find that they are able to gain deep insight into their IT systems, particularly how data is stored, accessed and used", he explained.

And, says Brewer, by capturing a complete picture of all the activity occurring across their entire infrastructures, organisations can detect any unauthorised event, regardless of whether it is related to credit card security, and can also pinpoint inefficiencies in their IT operations.