How to Ensure Your Company's PCI DSS Compliance

By John Linkous  |  Posted 2009-08-05

Complying with the Payment Card Industry Data Security Standard ensures that your company can continue to do business with the Payment Card Industry, but it doesn't ensure that your company will be secure as well. Companies don't want to be in a position where they could have prevented a cybercrime if they had only gone beyond the minimal amount of work to truly become PCI-compliant. Here, Knowledge Center contributor John Linkous discusses seven requirements companies must meet to both improve security and ensure that they are compliant with the Payment Card Industry Data Security Standard.

As organizations continue to struggle with implementing the Payment Card Industry Data Security Standard (PCI DSS), the number of recommendations and interpretations of how to implement it continue to spiral. The importance of compliance with the standard is obvious: credit card fraud is a multibillion dollar criminal enterprise, and credit card information is the key commodity that enables these crimes.

However, the details of PCI DSS compliance are still often misunderstood. Listening to security software vendors, in particular, one would think that PCI DSS compliance is simply about buying and implementing the right types of software (Security Information and Event Management (SIEM), Data Loss Prevention (DLP), Network Admission Control (NAC), and Intrusion Detection and Prevention Systems (IDS/IPS)) and then walking away.

The bad news is that compliance with this important standard requires much more than software. The good news is that, for most organizations, a basic set of requirements (the "must-haves" of PCI DSS compliance) can help to frame a successful PCI DSS program.

Fundamentally, the PCI DSS standard exists to protect one type of data: cardholder data, a catchall term that includes both the visible information printed on the credit card (such as the cardholder's name, card number and expiration date) and the data encoded in the magnetic stripe. The standard applies to any organization that stores, processes or transmits any part of cardholder data. Of course, that broad definition covers many different types of organizations, including the following four:

1. Merchants

From single-store, brick-and-mortar retail establishments to the largest international retailer, each of these must comply with PCI DSS if they accept credit or debit cards. Fortunately, smaller merchants typically outsource some or all of their technology to service providers. These service providers maintain a large part of the responsibility for ensuring that merchants' data remains secure according to the PCI DSS standard.

2. Payment processors

A critical component in the chain of credit and debit card use, payment processors are responsible for securely routing card payment requests on behalf of merchants to financial institutions.

3. Financial institutions

These are the issuers of credit and debit cards. They manage the cardholder's account and are responsible for determining whether a transaction should be approved, based on factors such as the cardholder's available funds, the cardholder's standing, and any unusual or potentially fraudulent recent card activity.

4. Service providers

These are vendors who provide cardholder-related equipment and/or services to merchants and other organizations. Under PCI DSS, service providers are fully responsible for implementing PCI DSS processes and controls on the cardholder data they manage, even if the cardholder is not their direct customer. As a result, many smaller merchants can work with their service provider to help ensure that they achieve and maintain compliance with PCI DSS.

John Linkous is the IT Security and Governance, Risk and Compliance (GRC) Evangelist at eIQnetworks, Inc. In this multifaceted role, John is responsible for establishing the company's risk and compliance management product strategy, working with product management and engineering teams to ensure that products meet customer needs. John has over 15 years of technology management and consulting experience, specializing in enterprise systems management, information security and regulatory compliance, with diversified global clients across a broad range of sectors. His knowledge of information security and compliance issues, ability to communicate and bridge the gaps between technology and business, and his clear writing style have made him a sought-after keynote speaker and author. John is the author of numerous published books and white papers. Prior to joining eIQnetworks, John was vice president of operations at Sabera. Previously, he was co-founder and partner of a national IT consulting firm, specializing in enterprise infrastructure design and security. Before that, John was CIO of one of the nation's largest privately-held public relations firms. John began his career as a consultant at the National Aeronautics and Space Administration (NASA). John holds a B.A. degree in History and English Literature from the University of Maryland, and maintains numerous industry technical certifications. He can be reached at
