
The Payment Card Security Shakedown

Posted by Michael Vizard Oct 22, 2009 2:32:22 PM

There is only one thing worse than being threatened with having to pay protection money: paying for the protection and still getting robbed.


That pretty much sums up how a lot of people feel about the Payment Card Industry Data Security Standard (PCI DSS) these days. Companies have spent millions of dollars installing compliance technologies, not to mention all the money spent on auditors, only to discover that security breaches keep happening anyway.


It might seem there's something fundamentally wrong with the way people are implementing PCI DSS. After all, it's a pretty complex undertaking, so getting it right is not easy. But the other side of the equation is that PCI DSS only covers a limited segment of the payment process. Clearly, a lot more work has to be done to secure the payment process beyond the scope of PCI DSS.


For example, how the credit card data is stored, where it is stored and how much encryption should be employed to secure that data are things an IT organization needs to sort out. One thing everyone can agree on is that the PCI DSS process is tedious. So if all things are equal among vendors such as Thales, IBM, Oracle and Tripwire, then maybe you should choose the vendor who does the most to help automate the process. After all, a lot of the expense associated with PCI DSS goes to auditing the process. If the process is automated, chances are it will be done right the first time, and you'll spend less time, money and energy on it.


Although some people question the efficacy of PCI DSS, we probably would be a lot worse off without it. But a lot of work remains to be done to streamline the PCI DSS process. Unfortunately, the companies that set the PCI specifications, such as Visa, MasterCard and American Express, aren't doing the actual implementations. As a result, we're experiencing a lot of pain and frustration right now relative to the benefits, which is why so many companies are out of PCI DSS compliance. Making it easier to comply, without compromising the integrity of the standard, needs to be job one for the entire PCI DSS community.

Oct 27, 2009 2:43 PM Guest Daniel J. Doughty says:

Until a commitment is made to have auditors be as tech savvy as the individuals implementing these policies, I don't think we'll ever be much closer to being secure. With time and persistence, anyone can pass the current auditing standards, but as you mention that doesn't mean that we're actually any safer in the long run. Every auditor I meet is very polite and trying earnestly to do their best, but none of them really seem to know much more than Excel.


--these opinions are my own and do not reflect the policies of my employer
