
Boiling Down PCI DSS Compliance; It's Really Just Common Sense Information Security

I subscribe to many (sometimes I think too many) assorted email newsletters that cover a wide range of compliance issues. One came through today from the IT Compliance Institute with the subject line, "PCI fails, Fidelity breach, death by upgrade, more…"

PCI fails? Sounded interesting so I went to their story about it.

(Title corrected on 8/9; thanks Grit!)

Well, that certainly was misleading; the story wasn't about the failure of the PCI DSS itself as the title implied. However, the statistics it provided were interesting:

"Gaps remain in PCI DSS compliance, Visa figures show
Major retailers still noncompliant and retain prohibited account data

8.1.07 The latest figures from Visa concerning compliance with the Payment Card Industry Data Security Standard (PCI DSS) show increased levels of compliance, but also indicate that a handful of major retailers continue to retain prohibited account information.

Of 1,057 Level 1 or Level 2 US retailers (i.e., the largest ones) about 42 do not claim to have stopped retaining prohibited account data, which includes credit card security codes and PINs.

Otherwise, 40 percent of Level 1 retailers reported full compliance with PCI DSS, up from 35 percent in May and 18 percent in May 2006.

Thirty-three percent of Level 2 retailers were in full compliance, up from 26 percent in May."

I'm not surprised, particularly about the retention issue; most organizations do not address retention much at all.
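As an added illustration of the retention point (this is example code written for this page, not code from the post, from Visa or from the PCI Security Standards Council), here is a small audit routine that walks stored payment records and flags two conditions: a record that still holds a card security code or PIN after the transaction was authorized, and a record kept longer than the organization's own retention limit. The record layout, the field names, the sample records and the 90-day limit are all assumptions; the 90 days is an organizational policy parameter, not a number from the PCI DSS.

```python
"""Retention audit for stored payment records (illustrative, not from the post)."""
from datetime import date, timedelta

# Sensitive authentication data that must not be kept once a transaction
# is authorized. Field names are assumed for this example.
PROHIBITED_AFTER_AUTH = ("security_code", "pin")

# Constructed sample records; the card numbers are well-known test values.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "authorized": True,
     "security_code": "123", "stored_on": date(2007, 7, 1)},
    {"id": 2, "pan": "5500000000000004", "authorized": True,
     "stored_on": date(2007, 2, 1)},
    {"id": 3, "pan": "4000000000000002", "authorized": False,
     "security_code": "999", "stored_on": date(2007, 8, 1)},
    {"id": 4, "pan": "3400000000000009", "authorized": True,
     "pin": "1234", "stored_on": date(2007, 8, 1)},
]


def find_prohibited_fields(record):
    """Return the prohibited fields a record still holds after authorization.

    A record that has not yet been authorized may legitimately carry the
    security code while the transaction is in flight, so it is skipped.
    """
    if not record.get("authorized"):
        return []
    return [f for f in PROHIBITED_AFTER_AUTH if record.get(f) not in (None, "")]


def is_past_retention(record, today, max_age):
    """True when the record is older than the organization's retention limit."""
    return today - record["stored_on"] > max_age


def audit_records(records, today, max_age=timedelta(days=90)):
    """Produce (record id, finding type, detail) tuples for every problem found."""
    findings = []
    for r in records:
        fields = find_prohibited_fields(r)
        if fields:
            findings.append((r["id"], "prohibited_data_retained", ",".join(fields)))
        if is_past_retention(r, today, max_age):
            findings.append((r["id"], "retention_period_exceeded", str(r["stored_on"])))
    return findings


def run_sample_audit():
    """Audit the constructed sample as of 9 Aug 2007 (the post's correction date)."""
    return audit_records(SAMPLE_RECORDS, date(2007, 8, 9))


if __name__ == "__main__":
    for record_id, kind, detail in run_sample_audit():
        print(f"record {record_id}: {kind} ({detail})")
```

In a real environment the records would come from the payment database or its exports, and the retention limit from the written retention schedule; the value of a routine like this is that it turns "we don't keep security codes" from an assertion into something that is checked on a schedule.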

There are many articles written, and various IT folks opining, about how arduous and unreasonable the PCI DSS requirements are; but when you look at them and thoughtfully consider them, you see that they really are just reasonable security practices. They are the types of controls any responsible organization would put into its contract with any business partner to whom the organization entrusts its sensitive and personally identifiable information (PII).

Ben Rothke boils down PCI DSS requirements quite nicely in an article he recently did, "PCI Is Security Simplicity, Not Complexity - Payment card industry data security: the standard that makes people stupid."

Great title!

Ben deconstructs PCI DSS into 6 primary control areas. They make sense. And his message is a good one: stop trying to make the requirements so hard and see them for what they are, sound data protection activities.

His article does a nice job of shrinking the PCI DSS mountain back down to a molehill. Check it out and see for yourself.

Compliance is achievable, and it *WILL* help prevent information security incidents and privacy breaches.


Comments


Did I miss something or does the title of this article contain a typo? Shouldn't DCC be DSS? Anyway, Rebecca, you're one of my favorite bloggers and I always find your articles dead on with my thoughts. Keep up the good work.

BTW - get some sleep. Posting at 2:45AM indicates some really strange sleep habits. :)

Thank you so much for that, Grit! I really appreciate it. Arrgghh!! At least I got it right in the body of the blog. :)

I was doing some communications with Washington DC at the time; I must have had a Freudian finger slip on the title...


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on its list of the 25 top privacy experts and on its list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.