PCI: How to break the piggy bank!

For any company, merchants included, that hasn't been meeting the PCI Data Security Standard, I have some bad news: you're about to spend at least twice the money you never spent on security and privacy in the first place.

If you purchased bargain-basement discounted Point-of-Sale systems, you're in for a surprise courtesy of Visa's Application Security requirements. In fact, PCI has adopted these standards and will begin enforcing them in 2008 and 2009. The requirements associated with the Application Security portion will target all merchant levels, not just the top tier.

If you lucked out in the PCI compliance lottery by outsourcing everything to do with credit card data, that outsourcing is likely to get expensive, since the outsourcer will pass its own compliance costs on to its customers.

If you seriously need to get up to speed quickly, I would advise following the steps outlined in a recent SearchSecurity article. I've numbered the steps as Mike Rothman presented them in the article:

  1. First, pick off the low-hanging fruit such as Requirement 1, which is to have a firewall to protect cardholder data, and Requirement 5, which mandates the use and updating of antivirus software.
  2. Next, address Requirement 2, which is to change default passwords and other security parameters.
  3. Also take a look at Requirement 4, which requires encryption to protect cardholder data that is sent over open networks. Simply using SSL allows an organization to check the box on that requirement.
  4. After picking off the simplest stuff, address the requirements that can be difficult or nebulous, like Requirement 3 to protect stored cardholder data, or Requirement 6 to develop and maintain secure systems and applications.

The last thing you want to do is attempt PCI compliance blindfolded. You and/or your team need to understand the requirements before you attempt to comply, and before you bring in any outside consultant to document data flows or perform site assessments, because it is easy to go broke and/or break the company complying with PCI.


Posted on November 8, 2007, in Security / Risk, Security Management. 2 Comments.

  1. I do not agree that companies will need to spend “twice the money” as expected on PCI compliance. In fact, sound security practices that address the most common security issues are relatively easy to implement. One must stay rational at all times.

  2. Rational. Hmm. This is pretty simple, really.

    You either do security and privacy right up front, or you get to pay more to ‘bolt it on’.

    Most organizations either ‘get’ security or they ‘get around’ security. You can try to argue the impact of applying security after-the-fact, but the point is simple – going back to apply a fix to something after it’s already in-place and working WILL cost more than implementing the same controls originally.

    The entire reason these compliance regulations / requirements exist is because security isn’t and hasn’t been “common” and these “sound security practices” you reference weren’t implemented.
