PCI DSS is not designed to be attained like your Girl or Boy Scout Badge
April 04, 2009
I am currently writing a security chapter contribution, mostly around the Payment Card Industry Data Security Standard, for Ted Hart's new nonprofit book due out in 2010. A very smart gentleman I know from Visa asked me to make sure that people reading it understand that gaining and maintaining PCI DSS compliance for their organization is not to be viewed as a Girl or Boy Scout Badge. So I intend to do just that: to drive home the point to corporate management that, to avoid being compromised, security is a daily, 24/7 process, especially after you attain your PCI DSS or PA-DSS compliance certification!
The RBS and Heartland breaches are fascinating, as someone had to be asleep at the switch over there for criminals to load malware into their systems and steal cardholder data. Hello, who was monitoring their systems and couldn't see what was going on? Daily log reviews are essential to finding the ins and outs of the bad boys and girls, and there are methodologies to detect wireless intrusions from within and without.
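What a daily log review of the kind the paragraph above calls for might look like in practice, as an added example that is not part of the original post: the script parses constructed SSH and firewall log lines for a hypothetical cardholder-data server, flags repeated failed logins from one source, a successful login that follows such a run, outbound connections from cardholder-data hosts to destinations outside an allow list, and any lines it could not parse (a visibility gap worth noting in the review). The log format, host names, addresses, thresholds and allow list are all assumptions made for the example; PCI DSS Requirement 10 is what asks for log review at least daily.

```python
"""Minimal daily log review for a cardholder-data environment (CDE).

Added example, not code from the original post. Log format, host inventory,
allow list and thresholds are assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict

# Assumed syslog-like formats for SSH authentication and firewall egress lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: OUT src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Assumed inventory: hosts holding cardholder data and the only destinations
# they are permitted to reach (DNS resolver and payment processor gateway).
CDE_HOSTS = {"10.10.1.20", "10.10.1.21"}
ALLOWED_DST = {"10.10.1.2", "192.0.2.50"}
FAILED_THRESHOLD = 5  # failed logins from one source per review window

# Constructed sample log for one day (addresses from documentation ranges).
SAMPLE_LOG = """\
2009-04-03T02:11:01 cde-db01 sshd: Failed password for root from 203.0.113.7
2009-04-03T02:11:03 cde-db01 sshd: Failed password for root from 203.0.113.7
2009-04-03T02:11:05 cde-db01 sshd: Failed password for admin from 203.0.113.7
2009-04-03T02:11:07 cde-db01 sshd: Failed password for admin from 203.0.113.7
2009-04-03T02:11:09 cde-db01 sshd: Failed password for oracle from 203.0.113.7
2009-04-03T02:11:11 cde-db01 sshd: Accepted password for oracle from 203.0.113.7
2009-04-03T09:30:12 cde-db01 sshd: Failed password for dba from 192.168.10.5
2009-04-03T09:30:20 cde-db01 sshd: Accepted password for dba from 192.168.10.5
2009-04-03T03:02:44 fw01 kernel: OUT src=10.10.1.20 dst=198.51.100.9 dport=443
2009-04-03T03:02:45 fw01 kernel: OUT src=10.10.1.20 dst=10.10.1.2 dport=53
2009-04-03T10:15:00 fw01 kernel: OUT src=10.10.1.21 dst=192.0.2.50 dport=443
2009-04-03T11:00:00 cde-db01 cron: daily backup completed
"""


def parse_line(line):
    """Return a dict for a recognised auth or firewall line, else None."""
    m = AUTH_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "auth"
        return rec
    m = FW_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "fw"
        return rec
    return None


def review(log_text, failed_threshold=FAILED_THRESHOLD,
           cde_hosts=CDE_HOSTS, allowed_dst=ALLOWED_DST):
    """Run the daily review rules over one day's log text; return findings."""
    failed = defaultdict(int)        # (host, src) -> failed login count
    success_after = {}               # (host, src) -> (user, failures before)
    findings = []
    unparsed = 0

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1            # unknown format: a gap in visibility
            continue
        if rec["kind"] == "auth":
            key = (rec["host"], rec["src"])
            if rec["result"] == "Failed":
                failed[key] += 1
            elif failed[key] >= failed_threshold:
                # A success right after a run of failures is the case that
                # matters most: the credential may have been guessed.
                success_after[key] = (rec["user"], failed[key])
        elif rec["src"] in cde_hosts and rec["dst"] not in allowed_dst:
            findings.append({"rule": "cde_egress", "host": rec["src"],
                             "detail": f"{rec['dst']}:{rec['dport']}"})

    for (host, src), n in failed.items():
        if n >= failed_threshold:
            findings.append({"rule": "brute_force", "host": host,
                             "detail": f"{n} failed logins from {src}"})
        if (host, src) in success_after:
            user, before = success_after[(host, src)]
            findings.append({"rule": "success_after_failures", "host": host,
                             "detail": f"{user} from {src} after {before} failures"})
    if unparsed:
        findings.append({"rule": "unparsed_lines", "host": "*",
                         "detail": f"{unparsed} line(s) not understood"})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The point of the example is not the specific rules but the habit: the review runs every day, its thresholds and allow lists are maintained as the environment changes, and lines the reviewer cannot interpret are themselves reported rather than silently dropped.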
The toughest part of PCI DSS compliance is your first compliance assessment. (I still find it interesting that in 2009, security 101 is still not being followed by so many organizations!) That is where you are going to spend the most money on upgrades and education. After you become compliant, you and your QSA will have put a strategic risk management plan in place to make sure that you are monitoring your systems and applications 24/7, so that the criminals who are continually pounding away at you can't gain access. The PCI DSS (Badge) of compliance is great when you attain it, but you have to make sure that security and privacy become part of your corporate culture and daily monitoring so that your (Badge) stays current.
Payment applications and websites not coded to security standards, home computers, and employees bring some of the greatest risks to our security today. I am amazed at just how many merchants are still not PCI DSS compliant when this program goes a long way toward reducing criminal activity in both the physical and online industries. It is obvious that more education or government intervention on security and privacy is required before we get buy-in from business owners and nonprofit boards on PCI DSS.
Governments, card associations, merchants, and industry professionals must all work together if we want to get our industry locked down to minimize criminal activity.