‘Ssssshh – Do I have to tell anyone that I have lost something important?
Beyond PCI DSS - Protecting more than just card data
The latest version of the PCI Data Security Standard, which was formally released last month (Version 2.0, 28 Oct 2010), provides Merchants, Service Providers, Auditors and Banks with an opportunity to briefly review how far (or not) the Card Payment Industry has come in securing it’s Card Holder Data.
Many IT Managers and Financial Directors still loath the words ‘PCI Compliance’, however, the essential common sense of the 12 requirements are slowly being understood as general good practice for data security.
Version 2.0 offers no seismic shift in the standard or its approach. Clarifications of the existing requirements, a more detailed reporting/testing process and a longer three-year cycle of updates all demonstrate that the standard is bedding into a mature yardstick for data security.
Now is a good time to pause and reflect why these requirements cause so many organisations so much pain. We should also scratch our heads and ask why it is that we have not done all this before?
Clearly, a big part within our organisations and companies has been played by a culture that has seen security as an optional add-on, or something to be considered when the budget exists, or as is the case with many, a naive understanding that security will be someone else’s problem. The media is full every week of cases of data theft: Law company websites being compromised, major hotel chains being breached and high street retailers being attacked.
Or what about the reports that Card Details have been sent out in clear text emails in what appears to be an unthinking legitimate process, or the reports of yet another loss of Personally Identifiable Information (PII) on a USB/CD/Laptop/unencrypted email or spreadsheet.
The pillars and concepts of PCI Security are not rocket science. They consist of 12 requirements that any Information Security Manager worth his salt would be able to pull together as sensible, common sense measures that any organisation that takes security seriously should be doing to some degree or level.
To contact Nettitude's editor email firstname.lastname@example.org.