In one form or another, the 12 PCI DSS requirements have all been discussed before in preceding articles. However, what has not been discussed in detail is the effort required to implement a solid information security program that not only protects your company’s finances and reputation but that can also be used to prove due diligence should the worst case occur.
Like other standards that have been reviewed in this series, PCI DSS has some specific processes that need to be implemented in order for a company to be PCI compliant. But rather than go over variations on a theme, let us take some time to examine the effort necessary to become compliant with this or any of the other standards that have been reviewed.
The PCI Security Standards Council has created a document, “10 Common Myths of PCI DSS,” which helps to highlight the main elements involved in implementing any security program and which debunks many of the myths surrounding information security:
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
The first myth this article discusses is the one that in information security there can be found a “silver bullet,” a single product that can provide any institution with total coverage in terms of their information security.
Unfortunately, this silver bullet does not exist. Instead, when considering one’s security and the procedures, rules or devices which need to be implemented, consider them as part of a holistic security system designed to protect the institution at every exposure point.
The second myth is that the risk can be outsourced.
If there is a security breach, a company that tries to argue that it isn’t their fault because they hired some other company to protect them is fooling themselves. The company whose business it is to deal with sensitive information is ultimately responsible for securing this information – no one else.
If a company does outsource its information security, the same amount of care, documentation, diligence and effort that would be required if the security was kept in house is still necessary. This does not mean that outsourcing cannot be used as a cost-effective measure. What it does mean is that while a company can outsource the duties of maintaining an effective security program, a company cannot outsource its liability for failing to maintain security, nor can it outsource the damage to its reputation this failure may cause.
Another myth is that information security is the Information Technology department’s responsibility.
Actually, successful information security requires a multidisciplinary approach, and it is strictly a business issue. When information is compromised, this has a direct impact on a company’s financial standing and reputation that no single department can properly analyze or defend against. The essential nature of a good security department is its ability to cross multiple departments (and coordinate multiple department heads) in order to successfully protect a company’s intellectual property and account information.
Yet another common myth is that implementing a security program is a one-time affair. While some heavy lifting may be necessary when initially implementing a security program, the real benefit comes from the regularly maintained and updated ongoing process.
For example, the first risk assessment can be a burden to all involved as discovery is conducted and decisions about the importance of certain types of data are worked out. However, without ongoing maintenance, the program and all that initial effort can and likely will become worthless within a relatively short time frame (a year perhaps). By failing to identify new exposure points created during normal business operations, the company soon finds itself just as vulnerable as before the security program was implemented.
Security is ongoing or not at all. To implement security devices that are not continuously analyzed, reviewed and adjusted is a waste of money.
Finally, the PCI Security Standards Council directly rebuts a common complaint, that security is too complicated.
Actually, the truth is that with the various standards available, security has never been easier to implement. The complication comes in calculating how much to spend. Information security is indeed an expense, though not a prohibitive one. But as with electric fences, locked doors and security guards, good information security is the cost of doing business in the information age. As this series has (hopefully) shown, there are effective security programs from various regulatory agencies that are just itching to be implemented.
Whichever standard you choose to follow or use as a guide when creating your own security program, remember that information security is a multidisciplinary and iterative process, and increasingly an absolutely necessary and fundamental part of doing business. As we’ve shown, there are no silver bullets. But there are blueprints provided by the regulatory agencies that can assist you in keeping your business safe when there is a security threat – or a full moon out.
By John Barchie, Senior Information Security Governance Fellow