Tuesday, April 29, 2008

PCI compliance and security breaches...

From David Ochel

There is no such thing as one hundred percent security, at least not in today's IT infrastructures. Any merchant or processor thinking that validated compliance with the PCI Data Security Standard (DSS) makes them immune against any hacking attempt whatsoever, or against the liability incurred as a consequence of a breach, needs to realize this. Information security is about managing risks, and the PCI DSS provides a set of security requirements that address many of the most commonly observed vulnerabilities, and the related attacks, in infrastructures that process payment card data. Compliance with the requirements means that an organization has properly implemented a baseline security program that contributes to keeping the overall security risk in the payment card processing world at a reasonable level. It may be reasonable for the industry as a whole to calculate that a few breaches a year, as opposed to hundreds or thousands of them, are acceptable. That doesn't mean that for your organization it is acceptable to risk being one of these few.

Measures implemented in an infrastructure to fulfill the PCI DSS requirements may be reasonably suited to address all of the potential IT security risks in an individual organization, or they may not be. The only way to know is to implement a risk-driven IT security practice. Identify, qualify and quantify the information security risks that exist in your specific business and operational environment, and then reduce these risks to a management-accepted level by implementing appropriate security mechanisms and monitoring their effectiveness. A large enterprise with thousands of employees and dozens of branches may determine that the risk of data compromise in its internal network is significantly higher than in a small firm with a dozen co-workers, and act accordingly by encrypting sensitive data on those internal links.

Regardless of whether this is required by PCI DSS or not.

Information security needs to be managed intelligently. Compliance with industry and legal requirements that address specific areas of concern needs to be maintained, but this needs to happen in the larger context of managing overall risks in specific environments. Implementing an information security management system that addresses an organization's specific threat situation and protection needs, in combination with maintaining whatever compliance is imposed by third parties on the organization, is the way to go. This is why standards like ISO/IEC 27001, and initiatives like FISMA, not only give you a set of controls, but also require you to perform a risk assessment on your own. PCI DSS compliance should be a side-effect of good information security management, and not the other way around.
