Secure Payments, PCI DSS, Regulatory Compliance Blog

PCI compliance and application security

February 1st, 2008 by admin Posted in Compliance, Payment Applications, pa-dss

I really like Mike Rothman's reminder about compliance: “The sad truth is that compliance is still the engine that is running most security operations.” Let’s not forget that the people who complain about compliance are also those whose jobs are based on the necessity for it. Business is an easy formula: make more money and reduce your costs. If security is perceived as an unnecessary cost, it too will be reduced.

So instead of bemoaning and fighting the various aspects of compliance, why not leverage them to benefit the business? Mike continues:

As we focus on 2008, the first order of business for security professionals should be implementing a structured security program that is focused on protecting what’s most important to the business, setting goals and milestones to ensure accountability and communicating how and why certain security controls are implemented. The end goal is to distinctly show the value and importance of security to the operations of the business.

So what’s next? Well, longtime readers of this blog will know that it’s the inclusion of the Visa USA PABP into the PCI suite of standards under the PA-DSS moniker.

“With the PA-DSS managed by the council, we will ensure that payment application providers and their products are subject to data security requirements consistent with the current PCI DSS.” Bob Russo, general manager, PCI Security Standards Council

Furthermore, Visa has taken a proactive approach and outlined a series of Payment Application Security Mandates. These mandates outline the phasing out of vulnerable applications and the phasing in of validated applications with a fine deadline in 2010.
