With security breaches causing more high-profile harm to corporations and their customers than ever, companies today face intense scrutiny as to how well they secure the privacy and integrity of account information and other confidential files. Incidents like the hacker attack on the central database of retailer TJX, which resulted in the theft of credit and debit card information of nearly 50 million customers, are driving government and industry regulators to step up compliance requirements.
Companies are feeling the heat, with security professionals consistently ranking policy and regulatory compliance at or near the top of their priority lists and dedicating more time and money to meeting security mandates. This pressure is unlikely to abate any time soon, with influential industry groups such as the Payment Card Industry (PCI) increasing their requirements in specifications such as the 12-point best practice areas outlined in its PCI Data Security Standard (DSS). PCI DSS requires that businesses be audited annually by an outside firm. And as states such as
With just one-third of major retailers estimated to be in compliance with the PCI standard, far too many businesses are still struggling to meet conditions that specify how merchants safeguard customer account information using encryption, firewalls, vulnerability assessments, and other means. Companies are also required to be scanned for vulnerabilities at least once a quarter and be audited annually by a third-party firm to stay in compliance.
Companies that don’t comply run the very real risk of severe consequences, ranging from financial fines for each compliance violation to permanent exclusion from credit acceptance programs. Of course, companies that fall short of the standard jeopardise not just the trust of their customers but also the privacy of their clients’ account information.
Still, many companies complain that PCI standards are too rigorous. Certainly, there is a high degree of complexity involved in meeting these requirements, but companies don’t have to go it alone. Businesses can turn to a third-party technology provider, such as IBM, for help meeting PCI standards and achieving compliance with other regulations and internal policy mandates.
IBM has the experience and solution set to help businesses address any deficits in their PCI compliance strategy and bring their organisation up to standard. Through its Internet Security Systems (ISS) services and products, IBM Tivoli Security Compliance Insight Manager and managed security services, IBM gives companies the choice of either tackling PCI compliance on their own or enlisting IBM as a full partner. The company offers support from the assessment phase through the implementation stage, including a comprehensive portfolio of hardware and software, ranging from anti-spam and intrusion prevention software to risk management solutions, that organisations can use to meet all twelve best practice areas within PCI DSS. IBM ISS is also globally accredited to assess a company’s PCI compliance.
The breadth and depth of the company’s security solutions and industry expertise have helped IBM assume a leadership role in PCI compliance. And increasingly, companies will need security solutions and this level of expertise, not just to meet PCI compliance standards but to effectively mitigate risk and sustain the trust of their customers.
This was first published in September 2007