Lessons Learned From PCI Compliance

Assessors reveal mistakes companies make with data security standard. -- To help companies get ready for an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance.

1. Know Where Data Lives

First off, you must know how credit card data flows through your system, where the data resides in the enterprise, and who has access to it. Assessors ask for this information at the outset of an assessment because it determines the scope of the project. They aren't there to review your entire security infrastructure, just the systems that collect, process, transport, and store credit card data. A surprising number of companies don't have a good grasp of this information. "It's common for a client to completely miss a particular data flow and have no idea that credit card data is being forked off to system X, Y, or Z," says a QSA at Neohapsis, who asked to remain anonymous.

Companies express an "extreme amount of frustration" over the amount of effort they have to put in to put the full picture together, says Ted Keniston, a QSA and managing consultant with the global compliances group at Trustwave. "We should be validating this information, not determining it."

Having a complete picture of credit card data isn't just a courtesy to your assessor; it also affects your ability to protect customer information, because you can't secure what you don't know about.

2. PCI Is A Moving Target

Let's say your assessor has just stamped you "compliant." You breathe a sigh of relief. The PCI assessment is annual, so you don't have to worry about it for another 12 months, right? Not so.

PCI compliance is valid only for the state of the network and systems at the time of the assessment. The moment you make changes to systems that fall under the 


Rest of article and PDF of entire article: inside-pci-compliance_884972.pdf
