Does Your PCI DSS Stand on Sound Policies and Processes?
Thursday, March 08, 2007
Posted in: General

Last week I attended a two-day PCI DSS seminar at Visa in Foster City taught by PCI expert Chris Mark. I wanted to brush up on the Payment Card Industry Data Security Standard and see what I could learn from the experts and players in the PCI space. The PCI DSS, developed by Visa, MasterCard, Discover, American Express, and JCB, is a set of security requirements directed at organizations that store, process, and/or transmit cardholder data, with the aim of preventing credit card compromise. The scope of entities covered by that definition is significant; it includes merchants, banks, processors, gateways, the card brands and more.
[If you want to know more about the PCI DSS, check out one of the card brand web site links above or the PCI Security Standards Council, or, even better, visit the PCI Demystified Blog moderated by PCI expert Mike Dahn if you really want to dig into the nuts and bolts.]
It was helpful for me to hear Chris put the PCI DSS Requirements into business context. There was a mountain of useful information to digest, and for me the big takeaway was the discussion around the need for policies and processes beyond the technology elements, and the interdependencies between requirements. Chris framed it up nicely when he said "policies remain static until an event stimulates change." To illustrate this, Chris pointed to the USA PATRIOT Act, which sat static until it was rushed into law in the wake of the events of 9/11/01, the stimulus.
When PCI DSS requirements are not joined with policies and processes, a single change on either side of the equation can wreak havoc in the form of brand damage, penalties, fees and fines. For example, consider the consequences of not monitoring, measuring and verifying whether your information security policies are published to, and understood by, employees, contractors, and business partners: the technical controls may all be in place, yet the organization can still fail the requirement that the policy be maintained and communicated.
The same holds true for all business requirements and activities, not just regulatory compliance. I think Chris is ahead of the game here as it applies to the PCI DSS.
Comments

Great resource material on PCI DSS
Posted by on 12/04 at 09:32 AM