Boiling Down PCI DSS Compliance; It’s Really Just Common Sense Information Security

I subscribe to many (sometimes I think too many) assorted email newsletters that cover a wide range of compliance issues. One came through today from the IT Compliance Institute with the subject line, “PCI fails, Fidelity breach, death by upgrade, more…”
PCI fails? That sounded interesting, so I went to their story about it.
(Title corrected on 8/9; thanks Grit!)


Well, that certainly was misleading; the story wasn’t about the failure of the PCI DSS itself as the title implied. However, the statistics it provided were interesting:

“Gaps remain in PCI DSS compliance, Visa figures show
Major retailers still noncompliant and retain prohibited account data
8.1.07 The latest figures from Visa concerning compliance with the Payment Card Industry Data Security Standard (PCI DSS) show increased levels of compliance, but also indicate that a handful of major retailers continue to retain prohibited account information.
Of 1,057 Level 1 or Level 2 US retailers (i.e., the largest ones) about 42 do not claim to have stopped retaining prohibited account data, which includes credit card security codes and PINs.
Otherwise, 40 percent of Level 1 retailers reported full compliance with PCI DSS, up from 35 percent in May and 18 percent in May 2006.
Thirty-three percent of Level 2 retailers were in full compliance, up from 26 percent in May.”

I’m not surprised, particularly about the retention issue; most organizations do not address retention much at all.
Many articles have been written, and many IT folks have opined, about how arduous and unreasonable the PCI DSS requirements are; but when you look at them and thoughtfully consider them, you see that they really are just reasonable security practices. They are the types of controls any responsible organization would put into its contract with any business partner to whom it entrusts sensitive and personally identifiable information (PII).
Ben Rothke boils down PCI DSS requirements quite nicely in an article he recently did, “PCI Is Security Simplicity, Not Complexity – Payment card industry data security: the standard that makes people stupid.”
Great title!
Ben deconstructs PCI DSS into 6 primary control areas. They make sense. And his message is a good one: stop trying to make the requirements so hard and see them for what they are, sound data protection activities.
His article does a nice job of shrinking the PCI DSS mountain back down to a molehill. Check it out and see for yourself.
Compliance is achievable, and it *WILL* help prevent information security incidents and privacy breaches.
