Can you be PCI compliant & secure?

Illena Armstrong, editor-in-chief, SC Magazine
With the release of the newest version of the PCI Data Security Standard (DSS), companies again are reviewing their security programs. The Payment Card Industry (PCI) Standards Council, the group that manages payment industry requirements, made no major changes to version 1.2 of PCI DSS, but it surely tweaked some of the suggested ways organizations meet those requirements. And, with the group's lifecycle for changes to v1.2 in process, there already is market chatter that deeper modifications will hit with the next version of the 12-step standard come 2010.

Meant to secure all cardholder data that companies touch, PCI DSS has been perceived as both a blessing and a curse. While some of SC Magazine's recent research indicates that many IT security pros perceive PCI requirements as helpful when compared to other mandates, there still are those questioning the effectiveness of these rules.

As reporter Angela Moscaritolo writes this month, compliance with PCI DSS doesn't necessarily mean that cardholder data is safe from cyberthieves. The recent Heartland Payment Systems breach and other notable incidents seem to have brought home the limitations of PCI DSS and other cybersecurity-related mandates. In the case of Heartland, there are those who say that PCI DSS needs bolstering to address the securing of data in motion.

For now, the clarifications noted in v1.2 are supposed to ease the work companies undertake to meet requirements and protect customer data, providing explanations on even the types of technologies organizations should consider using. For example, by June 2010, affected companies no longer will be able to implement Wired Equivalent Privacy for wireless networks as a measure to safeguard cardholder info. Instead, the updates emphasize using strong encryption to address the transmission and authentication of critical data over wireless networks.

To provide some pointers on how to get secure and comply with PCI, and to explain what types of security practices and solutions can ease the process of doing both, we've asked a number of industry specialists to join us on March 24 for our second eConference dedicated to PCI. Experts include The Museum of Modern Art's Steven Peltzman, the PCI Security Standards Council's Troy Leach, and Bank of America's Doug Fowler. This free event is sure to answer many of the questions you may have about PCI standards, so please be sure to join us.


Illena Armstrong is editor-in-chief, SC Magazine.