Triware Networld Systems 


Information Security & Privacy Regulatory Compliance: Payment Card Industry (PCI) Data Security Standard

Credit card companies are responsible for securing a vast amount of very sensitive information that, if it gets into the wrong hands, can directly and severely impact both their customers (in the form of fraudulent charges and identity theft) and their own reputation. Like many other industries, the credit card industry has increasingly found that security is an absolute and strict necessity for the day-to-day and ongoing operation of its business. Fortunately, it has created a clear standard that helps to secure credit account information and that can also be used as guidance when securing other types of company information.

So far, this series has evaluated various standards such as HIPAA, NISPOM, NIST, and ISO and has provided information on how to apply these standards in less regulated situations. The Payment Card Industry Data Security Standard (PCI DSS) is the standard with which all credit card issuers must comply, and the 12 requirements that comprise it fit nicely into any well-developed information security program.

Here are the 12 PCI DSS requirements:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

In one form or another, the 12 PCI DSS requirements have all been discussed in preceding articles. What has not been discussed in detail is the effort required to implement a solid information security program, one that not only protects your company’s finances and reputation but that can also be used to prove due diligence should the worst case occur.

Like the other standards reviewed in this series, PCI DSS has some specific processes that need to be implemented in order for a company to be PCI compliant. But rather than go over variations on a theme, let us take some time to examine the effort necessary to become compliant with this or any of the other standards that have been reviewed.

The PCI Security Standards Council has created a document, “10 Common Myths of PCI DSS,” which highlights the main elements involved in implementing any security program and debunks many of the myths surrounding information security.

The first myth this document discusses is that a “silver bullet” exists in information security: a single product that can provide any institution with total coverage. Unfortunately, this silver bullet does not exist. Instead, when considering one’s security and the procedures, rules or devices which need to be implemented, consider each of them as part of a holistic security system designed to protect the institution at every exposure point.

The second myth is that the risk can be outsourced. If there is a security breach, a company that tries to argue that it isn’t at fault because it hired some other company to protect it is fooling itself. The company whose business it is to deal with sensitive information is ultimately responsible for securing this information – no one else. If a company does outsource its information security, the same amount of care, documentation, diligence and effort that would be required if the security were kept in house is still necessary. This does not mean that outsourcing cannot be a cost-effective measure. What it does mean is that while a company can outsource the duties of maintaining an effective security program, it cannot outsource its liability for failing to maintain security, nor can it outsource the damage to its reputation that this failure may cause.

Another myth is that information security is the Information Technology department’s responsibility. Actually, successful information security is a business issue that requires a multidisciplinary approach. When information is compromised, this has a direct impact on a company’s financial standing and reputation that no single department can properly analyze or defend against. The essential quality of a good security department is its ability to work across multiple departments (and coordinate multiple department heads) in order to successfully protect a company’s intellectual property and account information.

Yet another common myth is that implementing a security program is a one-time affair. While some heavy lifting may be necessary when initially implementing a security program, the real benefit comes from the ongoing process of regular maintenance and updates. For example, the first risk assessment can be a burden to all involved as discovery is conducted and decisions about the importance of certain types of data are worked out. However, without ongoing maintenance, the program and all that initial effort can and likely will become worthless within a relatively short time frame (a year, perhaps). By failing to identify new exposure points created during normal business operations, the company soon finds itself just as vulnerable as before the security program was implemented. Security is ongoing or not at all. To implement security devices that are not continuously analyzed, reviewed and adjusted is a waste of money.

Finally, the PCI Security Standards Council directly rebuts a common complaint: that security is too complicated. Actually, with the various standards now available, security has never been easier to implement. The complications come in calculating how much to spend. Information security is indeed an expense, though not a prohibitive one. But as with electric fences, locked doors and security guards, good information security is the cost of doing business in the information age. As this series has (hopefully) shown, there are effective security programs from various regulatory agencies that are just itching to be implemented.

Whichever standard you choose to follow or use as a guide when creating your own security program, remember that information security is a multidisciplinary and iterative process, and increasingly an absolutely necessary and fundamental part of doing business. As we’ve shown, there are no silver bullets. But there are blueprints provided by the regulatory agencies that can assist you in keeping your business safe when there is a security threat – or a full moon out.

By John Barchie, Senior Information Security Governance Fellow

John Barchie Biography

John Kenneth Barchie, CISM, CISSP, CNE, MCSE, is an Information Technology and Information Security expert with over 15 years in the high-tech and financial industries. John has been engaged to manage, audit, review and improve over 200 information technology departments and to charter corporate security functions.


© Copyrights Triware Networld Systems, L.L.C. ® 1991-2018