Cyber Security Institute

Friday, May 25, 2007

PCI Compliance: It Pays Off

When it comes to doubters of the PCI data security standard, A. Bryan Sartin of Cybertrust says one statistic speaks for itself: No organization that has been completely compliant with PCI has been compromised. Sartin, a computer forensic investigator, says he is only “slightly biased” by the fact he teaches PCI compliance. “PCI is a very good thing,” he insists, adding that “If you are a person who performs security assessments, it’s not a burden.”

Most recently updated in September, the PCI standard requires, among other things, firewalls, the encryption of cardholder and other sensitive data sent across public networks, and restrictions on physical access to cardholder data.

Still, he estimates 70% of companies that are obligated by compliance regulations to have PCI—and that would face fines and penalties for non-compliance—have PCI in some form today, and are heading toward full implementation.

To counteract such attitudes, Visa, one of the backers of the PCI standard, has embarked on a carrot-and-stick approach with merchants, rewarding those who comply, and threatening financial penalties and other consequences to those who don’t.

http://www.darkreading.com/document.asp?doc_id=124780&f_src=darkreading_section_318

Posted on 05/25