5 Steps Toward PCI DSS Compliance

Updated: April 30, 2009

The newspaper headlines alone are enough to make an IT-security officer's stomach churn. "4 million Hannaford customers have credit card numbers stolen" read one publication earlier this year after the regional supermarket chain was hit by a data-security breach. The cardholder data was accessed from Hannaford Bros. Co.'s computer systems during the card verification transmission process.

While regulations such as PCI DSS (Payment Card Industry Data Security Standard) exist precisely to prevent such catastrophes and protect cardholder data, achieving compliance can be challenging. However, according to a recent Aberdeen Group study, "PCI DSS and Protecting Cardholder Data: Year-over-Year Progress in Achieving, and Sustaining, Compliance," there are some best practices worth considering. The study's author and Aberdeen analyst, Derek Brink, recommended taking these five steps:

1. Assess risk and hunt for vulnerabilities. According to Aberdeen, 77 percent of best-in-class companies have conducted formal risk assessments, and 68 percent have conducted vulnerability assessments for all system components in the card-processing environment. That requires "looking for network vulnerabilities, unpatched systems, known exploits that haven't been remediated and any opportunity for your network to be penetrated," said Brink. This can be accomplished in a variety of ways, from deploying vulnerability-scanning tools to engaging a third-party security provider to evaluate and monitor applications.

2. Give compliance a clear owner. It's not enough to simply saddle an IT manager with the responsibility of maintaining PCI DSS compliance. Rather, Brink recommended appointing a high-level executive or creating a team dedicated to this business-critical task. "If you select someone to specifically own a PCI compliance project and be responsible for it, it's much more likely that you'll be successful. Clear ownership is really a key success factor in achieving compliance," he said.

3. Segment the network to shrink the scope. Aberdeen reported that 76 percent of best-in-class companies have segmented their network to isolate systems that store, process or transmit cardholder data from those that do not, thus reducing the scope of the PCI compliance effort. But for all its benefits, Brink pointed out, "The biggest challenge is that companies don't do it. Every single qualified security assessor that I speak with recommends segmenting as the first step to take. Yet it's amazing how many companies don't take that step."

4. Stop storing what you don't need. Simply put, data can't be compromised if it no longer exists. Said Brink, "If you don't have the data at all, then you've reduced the scope of your compliance. We've seen best-in-class companies willing to re-architect parts of their systems in order to eliminate storage altogether." In fact, Aberdeen reported that 50 percent of best-in-class companies have eliminated storage of cardholder data and sensitive authentication data post-authorization.

5. Train the people, not just the tools. Technology alone won't save the day. "It's amazing to me how few companies are investing in awareness and training issues like protecting cardholder data," said Brink. "Companies spend quite a bit on compliance, security tools and technologies to address PCI DSS requirements but they haven't invested in training their people to a large degree." Educating employees on the ins and outs of compliance, however, can broaden accountability, heighten awareness and greatly reduce the possibility of security breaches.
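Step 4 says what the goal is but not what a post-authorization record looks like once the sensitive data is gone. The following Python is an added example, not code from the article or from Aberdeen: it scrubs a constructed authorization record before it is written to storage, dropping the card verification code, track data and PIN block outright (PCI DSS does not permit retaining these after authorization, even encrypted), and replacing the full PAN with a first-six/last-four mask plus a keyed HMAC token that can still be used for lookups and refunds. The field names, the sample record and the placeholder key are assumptions for illustration.

```python
import hashlib
import hmac
import json
import re

# Fields PCI DSS classes as sensitive authentication data (SAD): full track
# data, card verification code and PIN / PIN block. None may be kept after
# authorization, so they are removed rather than encrypted.
SAD_FIELDS = frozenset({"cvv2", "track1", "track2", "pin_block"})

# Placeholder key (assumption). In production the token key lives in an HSM
# or key-management service, never in source or next to the token store.
TOKEN_KEY = bytes.fromhex("00" * 32)


def luhn_valid(pan: str) -> bool:
    """Luhn check so only well-formed card numbers are treated as PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way reference to the PAN; lets later transactions be matched
    (refunds, velocity checks) without the PAN itself being stored."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_for_storage(record: dict, key: bytes = TOKEN_KEY) -> dict:
    """Return a copy of an authorization record that is safe to persist."""
    stored = {name: value for name, value in record.items() if name not in SAD_FIELDS}
    pan = re.sub(r"\D", "", str(record.get("pan", "")))
    if pan:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("pan field is not a well-formed card number")
        del stored["pan"]
        stored["pan_masked"] = mask_pan(pan)
        stored["pan_token"] = tokenize_pan(pan, key)
    return stored


def contains_raw_pan(obj) -> bool:
    """Last-line check before writing: does the serialized record still carry
    a 13-19 digit Luhn-valid number anywhere (including inside other fields)?"""
    text = json.dumps(obj)
    return any(luhn_valid(m) for m in re.findall(r"\d{13,19}", text))


# Constructed sample of an authorization response as it might arrive from the
# processor, before scrubbing. Values are made up.
SAMPLE_AUTH = {
    "order_id": "A1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/11",
    "cvv2": "123",
    "track2": "4111111111111111=1112101",
    "auth_code": "054321",
    "amount": "19.99",
}

if __name__ == "__main__":
    safe = scrub_for_storage(SAMPLE_AUTH)
    assert not contains_raw_pan(safe)
    print(json.dumps(safe, indent=2))
```

The token is keyed rather than a plain hash on purpose: an unkeyed SHA-256 of a 16-digit PAN is brute-forceable in minutes once the BIN range is known, so without the key the token store would itself be cardholder data. Expiry date and cardholder name may still be kept, but a masked PAN is the most a receipt or customer-service screen should ever show.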
