Complying with Industry Regulations

By Paul Meadowcroft  |  Posted 2010-01-13

2. Complying with industry regulations

Compliance with the PCI DSS may be perceived by the industry as another regulatory burden it could do without, particularly when it comes to implementing the more challenging requirements, such as protecting stored cardholder data. However, as fraudsters become increasingly sophisticated and data breaches among retailers continue to make the headlines, PCI DSS compliance should be viewed as an opportunity to review security processes.

Organizations that work with the card schemes are obliged to have their compliance with PCI DSS verified annually by qualified assessors. PCI DSS requires organizations to address the two most exposed areas: cardholder data must be rendered unreadable (for example, encrypted) wherever it is stored, and it must be encrypted when transmitted across open, public networks. The improved security that results is a considerable benefit, not only in demonstrating compliance with the PCI DSS but also in mitigating risk for the organization and avoiding the fines and penalties associated with non-compliance.

3. Implementing industry best practices

Specific reference to the use of encryption is increasingly found in privacy mandates and industry best practices that attempt to go beyond the traditional focus on "people and processes." Encryption is also favored by regulators and policymakers because of the black-and-white nature of the technology: data is either encrypted or it is not, which in theory means it is either secure or not, a very measurable parameter that is well received by auditors and regulators. In practice, that guarantee only holds for as long as the keys themselves are generated, stored and used securely, which is why the guidance that follows puts so much weight on key management.

For example, Visa recently issued its global industry best practices for data field encryption, also known as end-to-end encryption. Also included in Visa's best practices is guidance to use robust key management solutions and encryption consistent with international and regional standards. This includes the management of encryption/decryption keys within secure cryptographic devices such as PIN Entry Devices (PEDs) or HSMs.
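The following Go program is an added example, not code from Visa, Thales or the original article. It shows what "data field encryption" of a stored PAN looks like in practice, which is the requirement discussed above for stored cardholder data: the PAN is validated, only the last four digits are kept in the clear, the rest is sealed with AES-GCM, and the record carries a key identifier rather than the key. The key ID `dek-2010-01`, the 32-byte key held in a plain byte slice, and the test PAN `4111111111111111` are constructed for the example; in a deployment the key would live inside an HSM or key-management service and only the key ID would reach application code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// EncryptedPAN is the stored form of a primary account number. Only the
// last four digits are kept in the clear; the full PAN is AES-GCM
// ciphertext under the data-encrypting key named by KeyID. The key itself
// never appears in the record.
type EncryptedPAN struct {
	KeyID      string // identifier of the data-encrypting key (assumed to be held by an HSM/KMS)
	Last4      string // last four digits, permitted to be displayed in the clear
	Nonce      string // base64, 12-byte GCM nonce, unique per encryption
	Ciphertext string // base64, ciphertext followed by the 16-byte GCM tag
}

// luhnValid rejects malformed PANs before anything is encrypted, so the
// encrypted store never fills up with garbage that looks like cardholder data.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// EncryptPAN seals a PAN under the given key. keyID and key stand in for a
// key held in a secure cryptographic device; here the key is a plain slice.
func EncryptPAN(keyID string, key []byte, pan string) (*EncryptedPAN, error) {
	if !luhnValid(pan) {
		return nil, errors.New("invalid PAN")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	last4 := pan[len(pan)-4:]
	// Bind the key ID and the clear-text last4 as additional authenticated
	// data, so a ciphertext cannot be moved to a record with a different
	// key ID or last4 without failing authentication on decrypt.
	aad := []byte(keyID + "|" + last4)
	ct := gcm.Seal(nil, nonce, []byte(pan), aad)
	return &EncryptedPAN{
		KeyID:      keyID,
		Last4:      last4,
		Nonce:      base64.StdEncoding.EncodeToString(nonce),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// DecryptPAN recovers the PAN. It fails if the key is wrong or if the nonce,
// ciphertext, key ID or last4 in the record have been altered.
func DecryptPAN(key []byte, rec *EncryptedPAN) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce, err := base64.StdEncoding.DecodeString(rec.Nonce)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err != nil {
		return "", err
	}
	aad := []byte(rec.KeyID + "|" + rec.Last4)
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", errors.New("authentication failed: wrong key or altered record")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero key for the demo only
	rec, err := EncryptPAN("dek-2010-01", key, "4111111111111111")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored record: %+v\n", *rec)
	pan, err := DecryptPAN(key, rec)
	fmt.Println("decrypted:", pan, "err:", err)
}
```

The point the auditor's "encrypted or not" view misses is visible in the failure paths: a record is only as protected as the key named by `KeyID`, and any change to the key, nonce, ciphertext or the bound clear-text fields makes `DecryptPAN` return an error rather than a wrong PAN.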

Paul Meadowcroft is Enterprise and Government Business Unit Director for the Information Systems security activities at Thales. Paul has more than 15 years' experience in information security. Paul is an expert on a wide range of information security topics, including the use of cryptography, key management, public key infrastructures and payment systems. He can be reached at
