While on the “A Perfect Fit: Understanding the PCI Security Standards” Webcast this morning, there were a few things that I took note of that are worth repeating:
PCI Compliance (Fines, Dates, etc.) is enforced by the Card Associations/Brands and their Acquirers, not by the PCI Council.
There was a neat chart that depicted the relationship between the different standards:
I learned of three new “Fact Sheets” published by PCICo. From: https://www.pcisecuritystandards.org/education/fact_sheets.shtml
Payment Card Industry Security Standards Overview
PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect cardholder payment data.
Getting Started with PCI Data Security Standard
PCI security for merchants and payment card processors is the vital byproduct of applying information security best practices in the Payment Card Industry Data Security Standard (PCI DSS).
Ten Common Myths of PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) secures cardholder payment data that is stored, processed or transmitted by merchants and processors.
The Ten Common Myths of PCI DSS fact sheet is quite good (I especially like the first 4 of these):
Myth 1 – One vendor and product will make us compliant
Many vendors offer an array of software and services for PCI compliance. No single vendor or product, however, fully addresses all 12 requirements of PCI DSS. When marketing focuses on one product’s capabilities and excludes positioning these with other requirements of PCI DSS, the resulting perception of a “silver bullet” might lead some to believe that the point product provides “compliance,” when it’s really implementing just one or a few pieces of the standard.
-- Take a second and read through the audit procedures, especially section 12: how is a product going to do this? Find all of the other sections that a product cannot address. In my experience products can address a fraction of the requirements; the rest are met by processes around systems and their logical controls. Products can help you address Encryption, Log Management, Firewalling, IDS/IPS, File Integrity Monitoring, Anti-Virus/Malware, Vulnerability Assessment, among others – but each of these will still require operational processes and monitoring controls.
Myth 2 – Outsourcing card processing makes us compliant
Outsourcing simplifies payment card processing but does not provide automatic compliance. Don’t forget to address policies and procedures for cardholder transactions and data processing. Your business must protect cardholder payment data when you receive it, and process chargebacks and refunds. You must also ensure that providers’ applications and card payment terminals comply with respective PCI standards and do not store sensitive cardholder data. You should request a certificate of compliance annually from providers.
-- There are other business processes in place that deal with payment cards that are not necessarily apparent, and while you can use outsourcing to reduce scope, you will still have work to do. There are no real shortcuts here.
Myth 3 – PCI compliance is an IT project
The IT staff implements technical and operational aspects of PCI-related systems, but compliance to the payment brand’s programs is much more than a “project” with a beginning and end – it’s an ongoing process of assessment, remediation and reporting. PCI compliance is a business issue that is best addressed by a multi-disciplinary team. The risks of compromise are financial and reputational, so they affect the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and
-- Too many times have I seen IT Audits or IT Reviews dropped on an IT Manager because it has “IT” in it. There are many more business, process, operational and organizational controls than logical controls in the PCI Standard. IT supports business processes and is an enabler; you need business and department heads involved with PCI Compliance, especially to explain and understand the flow of cardholder data that IT may not know about.
Myth 4 – PCI will make us secure
Successful completion of a system scan or audit for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.
-- Compliance != Security && Security != Risk Management (Compliance does not equal Security and Security does not equal Risk Management) – The PCI Standard is a baseline, best-practice approach to payment card security; it is not a risk-based approach tied to your organizational Risk Assessments, and it will not address non-payment assets or information. Compliance is a snapshot in time; you need to make sure that the processes are operating effectively after the review/audit has been performed. The process should also include continuous assessment of risk and implementation of controls to reduce the risk of new threats.