The Payment Card Industry Data Security Standard (PCI-DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. Its main objective is to prevent credit card fraud and to protect cardholder information. The standard applies to all organizations that accept card payments and store, process, or exchange cardholder information.
From an organization's perspective, however, achieving PCI-DSS compliance can be a challenging affair. Even a minor slip or compromise can result in large financial losses as well as loss of reputation. Organizations have employed various methods to ensure compliance with PCI-DSS, but these methods suffer from several serious inadequacies:
In most organizations, encryption across computer networks is applied inconsistently, so credit card data is protected in some cases but not in others.
Some merchants store credit card data unnecessarily and also fail to prevent it from being transmitted to less secure parts of the network.
Some organizations fail to maintain a log of network activity, which could reveal attempted intrusions. As a result, it becomes impossible to trace unauthorized access to credit card data.
Compliance management systems deployed by some companies are reactive rather than proactive: they do not scan for vulnerabilities or abnormal system activity, and so fail to fully protect the system against attacks.
Certain organizations employ disparate systems for compliance with HIPAA, SOX and other regulations, but fail to recognize that these systems do not address PCI-DSS requirements.
Achieving PCI-DSS compliance therefore requires a rigorous approach that addresses the standard's 12 basic requirements:
Installation and maintenance of a firewall configuration to protect cardholder data
Prevention of the use of vendor-supplied defaults for system passwords and other security parameters
Protection of stored cardholder data
Encrypted transmission of cardholder data across open, public networks
Use and regular updating of anti-virus software
Development and maintenance of secure systems and applications
Restriction of access to cardholder data
Assignment of a unique ID to each person with system access
Restriction of physical access to cardholder information
Tracking and monitoring of all access to network resources and cardholder information
Regular testing of security systems and processes
Formulation and maintenance of a policy that addresses IT compliance and security
Using disparate systems to meet these multiple requirements is not the answer. Organizations should instead adopt an integrated compliance management software solution that offers the key features needed to support these requirements. In doing so, organizations not only ensure the secure storage, processing and exchange of cardholder information, but also safeguard their brand image and reputation.