PCI Puts Pressure on Retailers

 
 
By Cameron Sturdevant  |  Posted 2007-10-19
 
 
 
Until now, most retailers have escaped the embrace of regulatory compliance, but the Payment Card Industry Data Security Standard, or PCI DSS, is changing all that.

A 12-part, private-industry-defined rule set, PCI DSS governs cardholder data handling and transaction processing among merchants, banks and card processing companies.

The PCI standard references technologies such as firewalls, wireless protocols and encryption methods, with the goal of guiding companies that handle credit card data to build and maintain secure networks, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.

The rule set entails outside auditing only for large credit card processors, but since any retailer found to leak cardholder data can be required to submit to this external auditing—on penalty of losing card processing privileges—its a set of regulations that few businesses can avoid.

Click here to read more about compliance without tears.

For IT organizations, the compliance disruption that comes along with PCI DSS can serve as an opportunity to build more secure networks, improve change management systems, and tighten up server and application configurations to achieve compliance and operational efficiency.

eWeek Labs identified a number of PCI DSS mandates that could significantly improve operations.

For starters, by following Requirement 3.1, which mandates that companies "Keep cardholder data storage to a minimum," organizations can significantly reduce storage costs. Your organization can also reduce liability by not storing this kind of sensitive data, which increasingly requires mandatory disclosure if it is breached.

Another section of the PCI standard that boils down to IT management best practices is one that governs network monitoring. For example, sections of PCI Requirement 1 ask for a "current network diagram with all connections to cardholder data." This is the perfect justification for acquiring a mapping tool, which is essential for understanding what is happening in your infrastructure.

Requirement 1 also asks for descriptions of roles, groups and responsibilities of network management. This is an opportunity for IT managers to implement best practices for network and system management.

Because PCI is sweeping up large numbers of retailers that have not been faced with much outside regulatory responsibility, there is a swelling number of products offered that boast get-certified-quick offers. Dont assume a PCI compliance vendor will cover all the bases. Carry a printout of PCI DSS requirements with you into every compliance vendor meeting. Ask vendors for specific points they cover and where they are weak. Expect to use several tools to get coverage of all 12 requirements.

Check out eWEEK.coms for the latest news, commentary and analysis on regulatory compliance.

Rocket Fuel