Cyber Security Institute

Friday, February 27, 2009

PCI council offering “milestones” for compliance

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint.  The Prioritized Approach Tool offers six “milestones” that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.

When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra said on Friday.

Rated by order of criticality, the milestones are:

  • Limit data retention
  • Secure the perimeter
  • Secure applications
  • Control system access
  • Protect stored cardholder data
  • Finalize remaining compliance efforts, ensuring all controls are in place

Several major breaches in the last few years, including Heartland Payment Systems and TJX, were caused by hackers who were able to seize sensitive credit card data by taking advantage of protection shortfalls across private networks and wireless access points.

De Veyra said the new tool likely will help small companies—designated as tier-four merchants by Visa and MasterCard—get started on their compliance efforts.  “Prioritization doesn’t mean much if you have to do everything at once,” she said.

The new guidance comes at a time when PCI DSS is fielding widespread criticism over the high-profile Heartland breach, where potentially a record number of card numbers were stolen.
