PCI DSS is working, but there are challenges to overcome
by Jeremy King - European Director, PCI Security Standards Council - Monday, 12 December 2011.
Name an internal expert - One of the simplest and most effective means of maintaining ongoing compliance is through a dedicated internal resource you have named. Through this, you can have an individual or team that not only helps prepare for a compliance assessment, but establish the protocols to monitor and maintain not only ongoing compliance, but also security. Our Internal Security Assessor (ISA) program gives internal champions the same training as QSAs, so they know what to look for and how to keep an organization on track and within the PCI requirements for the entire year.

Implement a risk-based approach- Once you have your internal staff on board, itís time to set your agenda. Whether you are well into your PCI process, or just beginning, a great reference for you to consult is the PCI Prioritized Approach document. The Prioritized Approach provides guidance that will help merchants identify how to reduce risk to cardholder data as early on as possible in their compliance journey. The tool groups together the requirements of PCI DSS into six key milestones for merchants to consider in their card data security strategy. This risk based- approach eliminates the biggest vulnerabilities first and allows you to share with your assessors, acquiring banks and the card brands on how you are progressing along your journey.

Make security part of your DNA - Again, this goes to a previous bullet: think security rather than compliance. The PCI DSS is a fantastic foundation for establishing a core group of best practices that can serve as the foundation for your security efforts. Remember, the DSS is the floor, not the ceiling; you should always be looking to build additional layers of security on top of it. This layered approach will allow you to focus on the security part of your business, building it into every business project or activity you commence, and allow you to move beyond a compliance sideshow to one where you are an increasingly difficult target for the bad guys. All it takes is some concerted effort. The more difficult you make it for the bad guys, the more quickly they are likely to look elsewhere.

Remember, PCI DSS is a solid foundation for you to develop and maintain security practices that help enable the entire business. Get the basics sorted by following these tips and then build your layers on top for a more secure business.


Chrome extension thwarts user profiling based on typing behavior

Infosec consultant Paul Moore came up with a working solution to thwart a type of behavioral profiling. The result is a Chrome extension called Keyboard Privacy, which prevents profiling of users by the way they type by randomizing the rate at which characters reach the DOM.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Jul 29th