Burton Group

March 19, 2007 14:51 ET

Payment Card Industry Data Security Standard: a Great Start but Not a Security Panacea, Says Burton Group

Analyst Firm Recommends More Robust Practices for Protection of Cardholder Data

SALT LAKE CITY, UT--(CCNMatthews - March 19, 2007) - Burton Group, an IT research firm, released a research report containing a list of recommendations to help merchants and payment service providers get the most out of their Payment Card Industry Data Security Standard (PCI DSS) compliance work.

According to Diana Kelley, vice president and service director for Burton Group's Security and Risk Management Strategies service, PCI DSS does a good job helping companies understand how to prevent and detect a cardholder data security breach, but does not go into detail regarding how to address a breach.

Kelley points out PCI DSS is not the only set of practices companies must consider when handling cardholder data. She recommends a full-spectrum approach including the following steps:

Get the Facts

For detailed readiness work, the PCI DSS itself and the PCI DSS Security Audit Procedures are required reading. Both documents are available from the PCI Security Standards Council (SSC) website at www.pcisecuritystandards.org. These are the same documents the PCI auditors and the payment-card brands use to assess compliance, and working from them will help an organization prepare for compliance attestation.

Segment the Scope

Segmenting servers and networks so that only the systems that store, process, or transmit cardholder data can reach one another reduces the number of systems in scope for the PCI audit, and thus the compliance work. Technologies that provide segmentation include firewalls, routers with access control lists (ACLs), and physical security.

Don't Store What You Don't Need

Applications architected with PCI DSS compliance in mind are designed to prevent storage of unnecessary data. Point of sale (POS) applications that store full magnetic stripe data after authorization are out of compliance with PCI DSS. So, before purchasing a payment application, or creating one in-house, carefully review what can and cannot be stored. Application security testing and storage controls can help here.
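As an added example (not code from the Burton Group report or from any payment application), the following script applies the storage rule above to stored payment records: it flags full magnetic stripe (track) data and card verification codes, which PCI DSS Requirement 3.2 prohibits retaining after authorization, and cleartext primary account numbers (PANs), which Requirement 3.4 requires be rendered unreadable. The record layout, field names, and sample records are constructed here for illustration.

```python
"""Audit stored payment records for data PCI DSS forbids keeping.

Added example, not from the Burton Group report. The record layout,
the field names and the sample records below are assumptions.
"""
import re

# Track 2 as encoded on the magnetic stripe: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";?\d{12,19}=\d{7}\d*\??")
# Track 1: %B<PAN>^<cardholder name>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%?B\d{12,19}\^[^^]{2,26}\^\d{7}[^?]*\??")
# Candidate PAN: a 13 to 19 digit run, confirmed with the Luhn check below.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Field names under which a card verification code is commonly stored (assumption).
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "security_code"}

# Constructed sample records, not real cardholder data (4111... is a well-known test PAN).
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "exp": "2712", "cvv": "123"},   # cleartext PAN and CVV
    {"id": 2, "swipe": ";4111111111111111=27121011234567890?"},          # full track 2 data
    {"id": 3, "pan": "411111******1111", "auth_code": "A1B2C3"},         # truncated PAN: allowed
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, a form PCI DSS allows to be stored."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_record(record: dict) -> list:
    """Return the findings for one stored record; an empty list means nothing prohibited."""
    findings = []
    for field, value in record.items():
        if field.lower() in CVV_FIELDS and value not in (None, ""):
            findings.append(f"{field}: card verification code stored (prohibited by Req. 3.2)")
        if not isinstance(value, str):
            continue
        if TRACK1_RE.search(value) or TRACK2_RE.search(value):
            findings.append(f"{field}: full magnetic stripe data stored (prohibited by Req. 3.2)")
            continue  # the PAN embedded in the track is covered by this finding
        for m in PAN_RE.finditer(value):
            if luhn_ok(m.group()):
                findings.append(f"{field}: cleartext PAN {truncate_pan(m.group())} "
                                "(must be rendered unreadable, Req. 3.4)")
    return findings


def audit_records(records: list) -> dict:
    """Map each record id to its findings so the failing records are easy to pick out."""
    return {r["id"]: audit_record(r) for r in records}


if __name__ == "__main__":
    for rid, findings in audit_records(SAMPLE_RECORDS).items():
        status = "FAIL" if findings else "ok"
        print(f"record {rid}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against a database export or application log, the same checks show whether a payment application retains sensitive authentication data after authorization, which is the first thing to establish before buying or building one. The Luhn check keeps ordinary long numbers (order ids, timestamps) from being reported as PANs.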

Be Prepared and Be a Partner

Success comes from merchants and providers who work with auditors in a noncontentious, partnership model to achieve compliance. If there are gaps in compliance, the auditor can mark a control as either "not in place" or "not in place" with a "target date" for remediation. Showing there is a plan with a target date for remediation lets the payment-card brands know that action is being taken to correct the problem.

Get Involved

There were a number of changes between version 1.0 and 1.1 of the PCI DSS. Members of the payment community helped drive these changes. If your organization thinks a requirement in the DSS is infeasible, talk with your auditor to determine whether compensating controls or an alternative can be found. If not, talk to the SSC.

Build a Compliance Program

New regulatory mandates and industry standards are introduced all the time. Avoid "fire drill" mode and take a comprehensive approach to compliance by using re-usable frameworks built on generally accepted control and risk-management frameworks (such as COSO, CobiT, ISO 27001, and NIST SP 800-30).

A Burton Group Take 5, a complimentary 5 minute, audio-enhanced presentation, is also available with more information to help merchants and payment service providers get the most out of PCI DSS compliance work.

About Burton Group

Burton Group (www.burtongroup.com) helps technologists make smart enterprise architecture decisions in increasingly complex environments. Burton Group's research and advisory services focus on technical analysis of infrastructure technologies relating to security, identity management, web services, service-oriented architecture, collaboration, content management, and network and telecom.

Contact Information