PCI compliance tips and common mistakes

Tip

PCI compliance tips and common mistakes

Why are so many companies struggling to achieve PCI DSS compliance?

Jan Fry, head of PCI Services at pentesting consultancy Procheckup (which sponsors the PCI DSS

Continue Reading This Article

Enjoy this article as well as all of our content, including E-Guides, news, tips and more.

UK User Group), said he has spotted some common mistakes companies make when starting a PCI DSS compliance program, and suggests the following:

Treat PCI DSS as a separate project.

Companies often try to fit PCI DSS around existing projects. If they have a new website going live or a new firewall to put in place, they will try to fit the compliance efforts around that.

That means the PCI compliance deadline is tied to that of the main project. The main project roadmap may be up to three years, but as long as the company can show that key areas are being addressed, such as encryption of credit card numbers, then the acquirers are usually quite satisfied with that.

Focus your PCI DSS efforts.

Some companies believe the standard needs to be applied across the whole infrastructure in the same way. In reality, you can apply stricter controls in important areas, and be less stringent in other part of the systems.

Restrict usage of credit card details.

Companies should exercise more control over the movement and usage of credit card data. Some companies will allow the marketing department or a third-party organisation to access credit card details. That just expands the scope of the PCI DSS compliance programme to the whole company and out to the third parties, so their project becomes huge.

If they assessed it more closely and asked, for instance, how much use marketing gets out of the credit card data, they could reduce the scope of their project and reduce cost as well. One of the best ways to tackle PCI DSS is to restrict the number of areas where card data is allowed to go.

To make that happen, organisations may need to redesign their business processes so that card data is controlled more tightly. The benefit then is to reduce the scope, cost and complexity of the compliance program while still remaining compliant.

PCI compliance is not enough.

Ticking all the boxes to become PCI DSS compliant may still not guarantee that you are secure, and one Qualified Security Advisor (QSA) may interpret the standard differently from another.

PCI DSS is not a complete solution, especially on internal security; it is not a bulletproof solution. The standard misses certain areas, and there are still ways to be compromised. For instance, there is no enforcement of encryption within a network for the transfer of credit card data. I always recommend not stopping once you have achieved compliance. There is always more that a company can do.

Return to the PCI learning guide.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in February 2010

 

COMMENTS powered by Disqus  //  Commenting policy

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.