Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cloud
    • Cloud
    • Cybersecurity
    • IT Management

    PCI Compliance Thoughts for the New Year

    By
    Brian Prince
    -
    December 21, 2010
    Share
    Facebook
    Twitter
    Linkedin

      The onset of the new year will bring with it new compliance regulations.

      The updated version of the Payment Card Industry Data Security Standard (PCI DSS) will go into effect Jan. 1. Though companies technically have until 2012 to implement any changes-validation against the previous version of the standard will be allowed until Dec. 31, 2011-it is not too early for organizations to be thinking about how they will be impacted (PDF) by the changes.

      “The good news is that the PCI standard has matured quite well now, which is witnessed in the fact that this version mostly had clarifications and guidance,” said Sumedh Thakar, vice president of engineering at Qualys. “This should make it easy for merchants to stay compliant even with the new standard.”

      But the revisions to the rules touch on a number of areas, such as logging, risk-based assessments of security vulnerabilities and project scoping, to determine all the places where cardholders’ data resides-all of which could change how some businesses do things. Among the new requirements, Thakar noted, is to “give a risk rating to vulnerabilities found during internal scans and fix all vulnerabilities rated high.”

      “Merchants will have to put in place some sort of risk rating program that suits their environment by associating risk value to various assets,” he said. “This will be ultimately good for the merchants. Instead of having to fix all vulnerabilities, they can prioritize and fix only the high values ones. However, it is something that will require the merchants to put some thoughts and efforts into.”

      The updated rules also offered some clarifications regarding virtualization, a hot topic for many companies.

      “What we’re hearing is that auditors and risk management offices have become much more aware of virtualization and are asking very pointed questions,” said Renata Budko, co-founder and vice president of marketing at Hytrust. “Internal controls and audit definitely become hot topics as far as virtualization is concerned.”

      “Separation of duties, exhaustive logs, hypervisor hardening and local root password management are the areas that come up most often,” she added. “There is also a lot of talk about making sure that the changes made today scale up with the introduction of cloud architecture in the near future.”

      The changes the PCI Security Standards Council has made around virtualization are really minor clarifications, Thakar said, meaning that the council does not view virtualization as too much of a special case.

      “Whatever controls DSS mandates are still in effect, like firewalls and logs and scans, it’s just the technology to do these things changes,” he said. “My suggestion to merchants will be [to] make [the] best use of virtualization technologies but ensure that DSS requirements are followed in the spirit that the council intends them to be applied.

      “The latest good news is that Amazon EC2 has declared themselves PCI DSS 2.0 compliant,” he added. “We expect other IAAS [infrastructure-as-a-service] providers to do the same,” he said. “This really opens up a lot of possibilities for merchants to move their PCI services into public or private clouds and still be PCI compliant, so we do expect a lot of merchants to take notice of this.”

      Any organization that has to comply with PCI 2.0 should revisit their governance, risk and compliance processes and ensure that they are streamlining their operations, said Torsten George, vice president of worldwide marketing at Agiliance.

      “In this context, it is important not only to focus their attention on PCI assessment, but also cover the other phases that make up the PCI 2.0 compliance life cycle, namely scoping, assessment, remediation, certification and maintenance,” he said.

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×