Employee Training and Awareness are Crucial
Requirement No. 5: Employee training and awareness are crucial
One often-overlooked aspect of PCI DSS is the important need to ensure that employees-from merchants' retail salespeople to online store customer representatives to anyone else with access to cardholder data-understand how to properly use highly-sensitive cardholder data. Many malicious attackers think of employees as the "weak link in the chain." They will rely on tactics such as spam, phishing and malicious Web sites (as well as social engineering techniques) to coerce employees into being unwitting players in the theft of credit and debit card information.
Requirement No. 6: Your auditor is your friend
PCI DSS auditors, or Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), exist to help organizations become more secure. Organizations should not be afraid to challenge their auditor if they believe that the auditor is unfairly evaluating processes and controls. But they should also accept it when real weaknesses are discovered by their auditor, and they should work with them to improve their compliance posture (and, by implication, reduce the likelihood of risk).
Requirement No. 7: PCI DSS is a starting point
The PCI DSS standard provides a starting point-a minimum set of processes and controls-that organizations must implement to ensure compliance. However, just like any security regulation, best practice or standard, PCI DSS is no "magic bullet." Nothing precludes organizations from implementing more stringent processes and controls than what is defined in PCI DSS. In fact, risk-based evaluations should drive whether organizations implement processes and controls that go above and beyond the minimum baselines defined in PCI DSS.
So then, what are the "like-to-have" aspects of PCI DSS compliance? Ultimately, they are the things-processes, controls, technologies and legal agreements-that give the organization a belief that they have reasonably reduced risk. For some organizations, this may mean deeper background checks on prospective employees and intense security training. For others, it may mean extremely detailed business partner agreements that expand on the minimum requirements of PCI DSS.
For still others, it will be more complex encryption or the abandonment of higher-risk technologies such as wireless Internet. For most, it will be some combination of these processes and controls. Regardless of the details, by implementing a program-based approach to PCI DSS compliance, coupled with some basic-but critical-processes and controls, organizations can both reduce their risk and improve security, while ensuring that they are compliant with the PCI DSS.
John Linkous is the IT Security and Governance, Risk and Compliance (GRC) Evangelist at eIQnetworks, Inc. In this multifaceted role, John is responsible for establishing the company's risk and compliance management product strategy, working with product management and engineering teams to ensure that products meet customer needs.
John has over 15 years of technology management and consulting experience, specializing in enterprise systems management, information security and regulatory compliance, with diversified global clients across a broad range of sectors. His knowledge of information security and compliance issues, ability to communicate and bridge the gaps between technology and business, and his clear writing style have made him a sought-after keynote speaker and author. John is the author of numerous published books and white papers.
Prior to joining eIQnetworks, John was vice president of operations at Sabera. Previously, he was co-founder and partner of a national IT consulting firm, specializing in enterprise infrastructure design and security. Before that, John was CIO of one of the nation's largest privately-held public relations firms. John began his career as a consultant at the National Aeronautics and Space Administration (NASA). John holds a B.A. degree in History and English Literature from the University of Maryland, and maintains numerous industry technical certifications. He can be reached at firstname.lastname@example.org.