GovInfoSecurity.com - Information Security News, Regulations, & Education

In the wake of major security incidents such as the Heartland Payment Systems data breach, critics have focused on the perceived flaws of the Payment Card Industry Data Security Standard (PCI) and the role of qualified security assessors (QSAs).

QSAs in particular have been called out by critics such as Heartland CEO Robert Carr, who in a 2009 interview said that PCI audits done by the firm's QSAs were "of no value" in preventing the company's data breach.

PCI supporters, however, say it isn't the standard or standard-bearers that are flawed - it's how merchants and other organizations approach PCI compliance.

"'I was PCI compliant and I was breached' -- this is a very misleading statement," says Bob Russo, General Manager of the PCI Security Standards Council. "When a company is PCI compliant, it is within a snapshot of time. Companies need to ensure that their goal is to be secure and not just gain a compliance certification."

Organizations also need to accept that PCI compliance is a process - not a piece of paper, says Marcus Ranum, a well-known security practitioner and Chief Security Officer of Tenable Security. "The basic problem with PCI is that it is making security into a checklist, and good security can never be attained by a checkmark process," Ranum says. "What organizations need to understand is that PCI is a minimum baseline requirement toward security, and companies just cannot afford to focus on PCI alone in being secure."

The selection of QSAs "is very critical," says Ranum. Organizations should interview the individuals who will conduct the assessments, and should obtain their resumes and a list of the client organizations they have worked for, in order to fully understand their expertise in the field. "The standard is solid; there is nothing in the standard which needs change or requires to be addressed immediately," says Russo. "What companies must understand is that they need to focus on effective security practices and controls on a continuous basis and monitor logs, which often go undetected."

