PCI council offering "milestones" for compliance

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint.

The Prioritized Approach Tool offers six "milestones" that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.

When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra told SCMagazineUS.com on Friday. The tool, to be published Tuesday on the council's website, also helps retailers and their acquiring banks demonstrate and measure progress.

Rated in order of criticality, the milestones are: limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data, and finalize remaining compliance efforts, ensuring all controls are in place.

"You take care of Milestone One and you've significantly reduced the risk in the event of a data breach because, where's the data?" de Veyra said.

Meanwhile, Milestone Two speaks to securing the perimeter, in addition to internal and wireless networks. Several major breaches in the last few years, including Heartland Payment Systems and TJX, were caused by hackers who were able to seize sensitive credit card data by taking advantage of protection shortfalls across private networks and wireless access points.

De Veyra said the new tool likely will help small companies -- designated as tier-four merchants by Visa and MasterCard -- get started on their compliance efforts.

"It's very easy to focus on the bigger guys because the criminals go after the big fish," he said. "But at the same time, small merchants are part of the ecosystem. We have to make sure they get the right tools and give them appropriate education and awareness."

Avivah Litan, vice president and distinguished analyst at Gartner, applauded the new guidance, saying the approximately 250 subrequirements of PCI DSS can be daunting for certain businesses. However, since the standard itself does not offer phases for compliance, the milestones may not prove very helpful.

"Prioritization doesn't mean much if you have to do everything at once," she said. "Prioritization usually helps when it's attached to a timeframe and scheduling."

The new guidance comes at a time when PCI DSS is fielding widespread criticism over the high-profile Heartland breach, where potentially a record number of card numbers were stolen. The payment processor was deemed PCI compliant when the incident happened.

De Veyra said the council is awaiting more information about the breach but plans to continue to investigate.

"If there is something wrong with PCI DSS, we want to address it," he said, adding that the council also wants to ensure that qualified security assessors, who audit merchants for compliance, are doing their jobs. Even so, merchants must continuously monitor their systems for conformity to the standard.

"The [audit] report is only as good as when the report was issued," he said. "The reality is that this is about security, and you have to be vigilant and pay attention to what you're doing on a daily basis."