Compliance Management, Security Strategy, Plan, Budget

PCI council offering “milestones” for compliance

The organization charged with administering the Payment Card Industry Data Security Standard (PCI DSS) is trying to give merchants a compliance blueprint.

The Prioritized Approach Tool offers six "milestones" that businesses should try to reach in their pursuit of compliance, said Lib de Veyra, the newly appointed chairman of the PCI Security Standards Council, which manages the guidelines.

When faced with a standard as robust as PCI DSS, many companies, particularly the smaller merchants, need help deciding which risks they should address first, de Veyra told on Friday. The tool, to be published Tuesday on the council's website, also helps retailers and their acquiring banks demonstrate and measure progress.

Rated by order of criticality, the milestones are: Limit data retention, secure the perimeter, secure applications, control system access, protect stored cardholder data and finalize remaining compliance efforts, ensuring all controls are in place.

"You take care of Milestone One and you've significantly reduced the risk in the event of a data breach because, where's the data?" de Veyra said.

Meanwhile, Milestone Two speaks to securing the perimeter, in addition to internal and wireless networks. Several major breaches in the last few years, including Heartland Payment Systems and TJX, were caused by hackers who were able to seize sensitive credit card data by taking advantage of protection shortfalls across private networks and wireless access points.

De Veyra said the new tool likely will help small companies -- designated as tier-four merchants by Visa and MasterCard -- get started on their compliance efforts.

"It's very easy to focus on the bigger guys because the criminals go after the big fish," he said. "But at the same time, small merchants are part of the ecosystem. We have to make sure they get the right tools and give them appropriate education and awareness."

Avivah Litan, vice president and distinguished analyst at Gartner, applauded the standard, saying the approximately 250 subrequirements of PCI DSS can be daunting for certain businesses. However, since the standard does not offer phases for compliance, the milestones may not prove too helpful.

"Prioritization doesn't mean much if you have to do everything at once," she said. "Prioritization usually helps when it's attached to a timeframe and scheduling."

The new guidance comes at a time when PCI DSS is fielding widespread criticism over the high-profile Heartland breach, where potentially a record number of card numbers were stolen. The payment processor was deemed PCI compliant when the incident happened.

De Veyra said the council is awaiting more information about the breach but plans to continue to investigate.

"If there is something wrong with PCI DSS, we want to address it," he said, adding that the council also wants to ensure that qualified security assessors, which check merchants for compliance, are doing their jobs. Even so, merchants must continuously monitor their systems for conformity to the standards.

"The [audit] report is only as good as when the report was issued," he said. "The reality is that this is about security, and you have to be vigilant and pay attention to what you're doing on a daily basis."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.