Tuesday, August 21, 2007

PCI DSS

Compliance standards like the Payment Card Industry Data Security Standard (PCI DSS) define a minimum set of controls that must be in place to protect some category of information. In the case of PCI, that information is cardholder data. I have been subjected to working with PCI a lot lately. What I have noticed is that companies are not using PCI (and other standards) to augment their security program; they are building their security program to these minimums.

The right way to treat a compliance program is as a set of constraints applied to your security program, not as the program itself. Implement a real security program and, along the way, make sure you hit the checkmarks for the standard you will be audited against. I believe this hybrid approach actually leaves you with a stronger security posture.

This all may seem like common sense, but you would be surprised at the companies that get this 100% backward.

Tip: Want to know which compliance level your organization falls into? Compliance levels are defined and assigned by the card companies themselves. For instance, if you accept Visa and do less than 20,000 transactions per year, you are level 4.

For more information on PCI DSS:
https://www.pcisecuritystandards.org/
