PCI Compliance

COMPLY, OR ELSE
Monday, March 2nd 2009
What Does the Merchant Maven say about PCI Compliance?
People in the credit card processing industry are always asking me: “Why should my company spend time and money worrying about PCI compliance?”
I suppose it’s similar to what’s going down with old Bernie “$5 Billion Dollar” Madoff. The former president of the NASDAQ apparently failed to comply with any regulations whatsoever.
WHAT IS PCI?
First of all, PCI stands for Payment Card Industry. Many of you have heard about the recent breach of security at Heartland Payment Systems. Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month.
Do a Google search on the Heartland Payment Systems breach. Don’t let it happen to your business.
Many organizations that are subject to PCI DSS compliance are probably asking, “Why should I spend the time and money required to pass a PCI audit if Heartland Payment Systems (and 2008’s victim, Hannaford Groceries) passed their audits and were breached anyway?”
No question about it… this is a GREAT question!
The basic purpose of the more than 200 PCI DSS requirements is to provide best practice guidelines that, if followed, would reduce the risk of cardholder data, and other critical information, being compromised. In other words, the intent of the requirements is to improve IT security to reduce the risk of data compromise. What is happening far too often, unfortunately, is that PCI DSS compliance has become a project to “pass the audit at minimum cost”. And auditors and assessors are unwittingly contributing to the problem by trying to enforce the individual requirements of the specification rather than their intent. One such example is requirement 11.5 which states: “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.”
Almost every organization I have seen that faces PCI compliance interprets this requirement as needing to install a piece of software that will show the auditor/assessor a report proving that changes to critical system and configuration files are being captured. That is it, and that is normally enough to get the all-important audit check mark. And that is exactly why organizations that are making worldwide headlines can pass their audit and have their cardholder data compromised anyway.
Requirement 11.5 requires that alerts be issued when an unauthorized change is detected. The intent of this requirement is obvious: detect changes to critical files and configuration settings, analyze them quickly to determine whether each change was authorized and compliant and, if not, investigate immediately because the security of the data is at risk. Determining whether a change is “authorized and compliant” requires some analysis, and if that analysis is not done, what’s the use in monitoring for change? Frankly, there is not much use.
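To illustrate the distinction the post draws between merely recording a change and deciding whether it was authorized, here is a small Python file-integrity check. It is an added example, not code from the original post or from any PCI tool, and it assumes a change-control system can export the expected hash of each approved change (the `approved_changes` mapping); the three config files are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files never load fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the known-good hash of each critical file (the baseline an FIM tool keeps)."""
    return {str(p): hash_file(p) for p in paths}

def compare(baseline, approved_changes):
    """Re-hash every baselined file and classify it: unchanged, authorized or unauthorized.

    approved_changes maps a path to the hash a change ticket says it should now have
    (assumption: the change-control system can export that). A change matching its
    ticket is 'authorized'; any other change or a deleted file is 'unauthorized'.
    """
    findings = {}
    for path, old_hash in baseline.items():
        if not os.path.exists(path):
            findings[path] = "unauthorized"  # critical file removed
            continue
        new_hash = hash_file(path)
        if new_hash == old_hash:
            findings[path] = "unchanged"
        elif approved_changes.get(path) == new_hash:
            findings[path] = "authorized"
        else:
            findings[path] = "unauthorized"
    return findings

def demo():
    """Constructed sample: three config files, one ticketed edit, one silent tampering."""
    d = Path(tempfile.mkdtemp())
    app, db, log = d / "app.conf", d / "db.conf", d / "log.conf"
    for f, text in ((app, "timeout=30\n"), (db, "mask_pan=true\n"), (log, "level=info\n")):
        f.write_text(text)
    baseline = build_baseline([app, db, log])
    app.write_text("timeout=60\n")           # change approved in a ticket
    approved = {str(app): hashlib.sha256(b"timeout=60\n").hexdigest()}
    db.write_text("mask_pan=false\n")        # no ticket: investigate immediately
    return {Path(p).name: v for p, v in compare(baseline, approved).items()}
```

Only the "unauthorized" finding needs a person to act on it, which is the analysis step the post says is usually skipped once the report exists.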
IMPROVE SECURITY, REDUCE RISK
If PCI DSS requirements are implemented according to their true intent, improving security to reduce the risk of compromise, we should seldom hear about massive breaches and data compromise from organizations that passed their PCI DSS audit.
In summary… what does the Merchant Maven say about PCI Compliance?
YOU NEED TO Get With the Program.
ONE SOURCE FOR PCI COMPLIANCE
Find a reputable company, with references, that can manage PCI compliance for you. Some companies charge a monthly and/or quarterly fee ranging from $25 to $50 per month. Direct Technology Innovations, based in Fort Lauderdale, charges a modest $12.95 per month. Reach DTI at www.directtec.com

