
Payment Card Industry Data Security Standard - Not a Security Panacea


Burton Group has announced a new research report with "a list of recommendations to help merchants and payment service providers get the most out of the payment card industry (PCI) data security standard (DSS) compliance work."

According to Diana Kelley, vice president and service director for Burton Group's Security and Risk Management Strategies service, PCI DSS does a good job helping companies understand how to prevent and detect a cardholder data security breach, but does not go into detail regarding how to address a breach.

Kelley points out PCI DSS is not the only set of practices companies must consider when handling cardholder data. She recommends a full-spectrum approach including the following steps:

  • Get the Facts - For detailed readiness work, the PCI DSS itself and the PCI DSS Security Audit Procedures are required reading. Both documents are available from the PCI SSC website at www.pcisecuritystandards.org. These are the same documents the PCI auditors and the payment-card brands use to assess compliance, and they will help an organization prepare for compliance attestation.
  • Segment the Scope - Segmenting servers and networks reduces the scope of PCI audited systems, thus reducing compliance work. Technologies that provide segmentation include firewalls, routers with access control lists (ACLs), and physical security.
  • Don't Store What You Don't Need - Applications architected with PCI DSS compliance in mind are designed to prevent storage of unnecessary data. Point of sale (POS) applications that store full magnetic stripe data are out of compliance with PCI DSS. So, before purchasing a payment application, or creating one in-house, carefully review what can and cannot be stored. Application security and controls can help here.
  • Be Prepared and Be a Partner - Success comes from merchants and providers who work with auditors in a noncontentious, partnership model to achieve compliance. If there are gaps in compliance, the auditor can mark a control as either "not in place" or "not in place" with a "target date" for remediation. Showing there is a plan with a target date for remediation lets the payment-card brands know that actions are being taken to correct the problem.
  • Get Involved - There were a number of changes between version 1.0 and 1.1 of the PCI DSS. Members of the payment community helped drive these changes. If your organization thinks a requirement in the DSS is infeasible, talk with your auditor to determine if compensating controls or an alternative can be found. If not, talk to the SSC.
  • Build a Compliance Program - New regulatory mandates and industry standards are introduced all the time. Avoid "fire drill" mode and take a comprehensive approach to compliance by using reusable frameworks built on generally accepted control and risk-management frameworks (such as COSO, CobiT, ISO 27001, and NIST SP 800-30).

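
The "Don't Store What You Don't Need" recommendation is easy to state and easy to get wrong in code. What follows is an added example, not from Burton Group's report or from Payments News, of a storage filter that keeps only the fields a back office needs after authorization and a scanner that flags magnetic-stripe track data before a record is written. The field names, the sample transaction and the "first six, last four" truncation rule are my assumptions; the transaction itself is constructed test data, not a real card.

```python
"""
Added example (not from Burton Group or Payments News): a "store only what you
need" filter for a point-of-sale transaction record.

Assumptions (mine, not the article's): the POS hands the payment application a
dict like RAW_TXN below, and the only fields the back office needs after
authorization are a truncated PAN, expiry, amount, auth code and timestamp.
Full magnetic-stripe track data must never be written to disk after
authorization.
"""
import re

# Constructed sample of what a swipe-capable POS might capture. The PAN and
# track data are fabricated test values, not a real card.
RAW_TXN = {
    "pan": "4111111111111111",
    "expiry": "2512",
    "track2": ";4111111111111111=25121011234567890?",
    "amount_cents": 1999,
    "auth_code": "A1B2C3",
    "timestamp": "2009-01-15T10:32:00Z",
    "cardholder_name": "TEST CARDHOLDER",
}

# Fields the downstream system legitimately needs after authorization
# (assumed set for this example).
ALLOWED_FIELDS = {"pan", "expiry", "amount_cents", "auth_code", "timestamp"}

# Sensitive authentication data that PCI DSS forbids storing after
# authorization: full track data, card verification codes, PIN blocks.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv2", "pin_block"}

# Heuristic for magnetic-stripe track 2 as it commonly appears: start sentinel
# ';', a 13-19 digit PAN, field separator '=', discretionary data, optional end
# sentinel '?'. Catches track data that leaked into an unexpected field.
TRACK2_RE = re.compile(r";\d{13,19}=\d+\??")


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; the rest are dropped."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 10:
        raise ValueError("PAN too short to be a card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimise_for_storage(txn: dict) -> dict:
    """Return the subset of a transaction that may be persisted post-authorization."""
    stored = {k: v for k, v in txn.items() if k in ALLOWED_FIELDS}
    stored["pan"] = truncate_pan(stored["pan"])
    return stored


def find_forbidden_data(record: dict) -> list:
    """Scan a record (about to be written, or already on disk) for data that must not be there."""
    findings = []
    for key, value in record.items():
        if key in FORBIDDEN_FIELDS:
            findings.append(f"forbidden field present: {key}")
        if isinstance(value, str) and TRACK2_RE.search(value):
            findings.append(f"track-2 pattern found in field: {key}")
    return findings


if __name__ == "__main__":
    print("raw record findings:", find_forbidden_data(RAW_TXN))
    safe = minimise_for_storage(RAW_TXN)
    print("stored record:", safe)
    print("stored record findings:", find_forbidden_data(safe))
```

Running `find_forbidden_data` on the raw capture reports the track-2 field twice (by name and by pattern), while the minimised record passes clean. The same scanner, pointed at existing log files or database dumps, is a cheap way to discover whether an in-house or purchased application has been quietly persisting stripe data, which is the review the recommendation above asks for before the auditor finds it.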
Burton Group (www.burtongroup.com) helps technologists make smart enterprise architecture decisions in increasingly complex environments. Burton Group's research and advisory services focus on technical analysis of infrastructure technologies relating to security, identity management, web services, service-oriented architecture, collaboration, content management, and network and telecom.


PAYMENTS NEWS IS PRODUCED BY AND IS A SERVICE MARK OF GLENBROOK PARTNERS, LLC
ISSN 1556-4487

Glenbrook's Consulting Services

  • Innovation and Strategy
  • Payments Product Development
  • Payments Market Assessments
  • Payments Vendor Selection
  • Merchant Payments Optimization
  • Payments Risk Management
  •  
  • To discuss how Glenbrook can
    help you
    , email us:

Glenbrook's Payments Education

  • Payments Boot Camp
  • Emerging Payments Roundtables
  • Special Focus Workshops
  • Private Payments Workshops
  •  
  •  
  •  
  • For more information on Glenbrook's payments education, email us:

Tools for Payments Professionals

  • Glenbrook Writings
  • Payments News
  • Payments Jobs
  • Payments Education
  • Payments Bookstore
  • Payments Glossary
  •  
  • To send us news that you'd like us to cover on Payments News, email us:

Contacts:                        
Compilation Copyright © 2002 - 2009 Glenbrook Partners LLC. All Rights Reserved.