Secure Payments, PCI DSS, Regulatory Compliance Blog

Preparing for PCI

March 20th, 2007 by datasecurity Posted in Compliance, Merchant, PCI DSS, Service Provider

Many companies have been PCI DSS compliant for a few years. I get reports from people saying year 3 is much easier than their first time around. Others are just dipping their feet into the waters of PCI compliance. What is it they should be aware of when navigating the process for the first time?

We wrote a two-part segment, Meet Your Auditor, with tips on how to pick and work with your PCI auditor.

The Burton Group just released what they call “a list of recommendations to help merchants and payment service providers get the most out of the payment card industry (PCI) data security standard (DSS) compliance work.”

They make one very important point: “Payment Card Industry Data Security Standard - Not a Security Panacea.” There is a difference between security and compliance, and you should understand that going into the process. PCI is a MINIMUM baseline. Your level of security beyond that will depend on your risk tolerance.

4 Responses to “Preparing for PCI”

By William Bell on Mar 22, 2007

    I have stared down this particular issue once or twice in my career as it related to PCI compliance. One thing that has to be made very clear to management when you begin to undertake becoming PCI compliant is that it was not designed to be a security program. Often security managers become so heavily focused on conforming their business to meet the letter of the PCI law that they forget that PCI is intended to be adequate measures to ensure the reasonable security of cardholder data, and not a full-fledged security mantra. I challenge my colleagues to be very careful about how many new programs they champion in the name of PCI, as this can lead to disastrous effects on a long-term security strategy.

By datasecurity on Mar 25, 2007

    I agree with you William. PCI is not a security program, it is a compliance program. One thing people keep getting confused is that Compliance does not equal Security.

    I think of compliance much like universal health care, everyone should get a minimum level. Those who want more security are welcome to it, but the goal of PCI is not to secure the world, it’s to secure the world’s credit card data.

2 Trackback(s)

Mar 23, 2007: The Problems with PCI Data Security Standard (Part 1) « Mark Curphey - SecurityBuddha.com
Mar 23, 2007: The Problems with the PCI Data Security Standard (Part 1) « Mark Curphey - SecurityBuddha.com
