
PCI Compliance Builds Information Security

PCI compliance, when fully achieved and properly maintained, is crucial in developing strong information security. Information security is, in turn, crucial in developing customer relationships that will ensure long term success.

The PCI DSS (Payment Card Industry Data Security Standard) is a set of 12 requirements that any merchant who stores, processes, or transmits sensitive information must conform to. The standard was designed to increase the level of information security and, with it, consumer confidence in making those kinds of transactions.

Information security is a critical component of any business environment. Consumers are becoming more and more aware of the value of their own personal information, and they are, therefore, becoming more and more protective of it. Somehow a merchant must be able to prove that they are secure and properly positioned to protect that data while they have it.

For some consumers, a simple graphic claiming that someone has certified the merchant as secure is enough. For others, that’s not enough to convince them that there is a sufficient level of information security. So how are merchants supposed to convince these consumers that their data would be safe?

What are their options, then? They could list all the individual requirements of the various credit card companies and how their business practices conform to them. Of course, the average consumer probably wouldn’t take the time to delve into the technical jargon – and would probably just assume that all the “fine print” was a diversionary tactic.

Recognizing this problem, the Payment Card Industry instituted the PCI DSS so that there would be a standard by which all of those merchants can be measured, and, because the five major credit card companies were behind it, consumers could know that a relevant organization was judging the security measures being used.

PCI compliance, then, is one of the other critical components of any business environment. It is not, however, a particularly easy thing to accomplish. Not surprising, really, given the nature of the data it is supposed to protect.

So why go through with it? Well, other than the fact that it is a requirement, there are the obvious drawbacks of not reaching PCI compliance (the likely security breaches), and the stiff fines and penalties if you do get breached (including the possible loss of the ability to accept payment cards at all). More than the immediate financial losses, though, is the inevitable loss of your reputation. Once your apparent lack of information security becomes known to the public, your future and long-term success will be thrown into question. Many companies can fight their way through monetary problems, but a bad reputation can follow them for years.

Some of the requirements for PCI compliance are common sense things, while others are more specific and often overlooked by many merchants. They range from installing and maintaining firewalls and virus protection to maintaining a policy that addresses information security throughout the company.

Some things, however, can have a tendency to slip. The third requirement states simply that you must “protect cardholder data.” Seems obvious, but where this can start to slide is when, over time, information security begins to get a little loose and the data finds itself on many different systems – rather than centralized where it can be easily defended – or passwords fail to get changed, and testing procedures are forgotten.

PCI compliance was designed to help merchants avoid this kind of information security entropy. Part of PCI compliance includes regular testing, assessments, and validation. Assessments can be performed by specially qualified assessors, or, if your company is small enough, you may be able to do the simpler Self-Assessment Questionnaire (PCI SAQ). If these are done properly, a company can continue to deliver a secure environment in which a consumer can confidently conduct transactions.

PCI compliance, when fully achieved and properly maintained, is crucial in developing strong information security. Information security is, in turn, crucial in developing customer relationships that will ensure long term success.

By: Andy Eliason


This entry was posted on Sunday, May 3rd, 2009 at 5:27 pm and is filed under privacy guard credit.

One Response to “PCI Compliance Builds Information Security”

  1. Credit Card Data Encryption Says:

    [...] card data encryption is one of the basics of PCI DSS compliance. In recent years more and more attention has been directed at the need for increased data security. [...]
