Companies get checklist on PCI security rules

A new set of compliance guidelines has been released

The organization that administers the credit card industry's data security rules has released a new set of compliance guidelines -- a move that reinforces the widespread perception that efforts to comply are going slowly at many companies.

PCI Security Standards Council LLC, which was set up by Visa, MasterCard, American Express and other credit card companies in 2006, this month issued a 15-page document that details a "prioritized approach" for complying with the rules.

The new framework maps the 12 security controls mandated by the Payment Card Industry Data Security Standard (PCI DSS) to a list of six milestones. Bob Russo, the council's general manager, said the goal is to help companies that have yet to start on their PCI DSS compliance efforts and are wondering where to begin.

The first version of the security standard, which applies to all entities that accept credit and debit card payments, went into effect nearly four years ago. But many businesses still aren't fully compliant, said Jim Huguelet, a PCI consultant in Bolingbrook, Ill.

"I think there are a lot of merchants who feel overwhelmed at the amount of remediation [work] they need to undertake," Huguelet said. That, he added, has led to a state of "paralysis" in which companies either are doing nothing or are only implementing the easier PCI requirements, which by themselves do little to reduce the overall threat of data breaches. The milestone-based framework finally gives those companies a template for moving forward, Huguelet said. "The journey of a thousand miles begins with a single step," he noted. "And the PCI [council] has now officially announced what those first steps should be."

Russo said the milestones are meant to provide an organized compliance methodology that ensures that the highest-risk issues are addressed first. In addition, a spreadsheet-based tool released with the framework can be used to plot progress against the milestones and to give auditors a snapshot of a company's compliance status.

The first milestone focuses on purging sensitive card-authentication data from systems and limiting the amount of information that companies collect and retain. Others revolve around network and application security, user access control and the protection of stored data.
