Sunday, September 27, 2009

What does PCI mean to you?

This week my attention has been dominated by one word, well six officially, but often narrowed down to six or even three letters – PCI.

To give it its full title it is the ‘Payment Card Industry Data Security Standard’, and in my meetings this week at Gartner and other panel debates, the subject arose on several occasions. Now I will be the first to acknowledge that I do not know the ins and outs of PCI (as we will now call it), but thanks to the PCI DSS user group (see link) I do know that it is a set of complex regulations that all businesses taking credit card payments must adhere to.

The first debate over PCI is generally in regard to how much of a point the standard has, and how much it is enforced. An article published back in June gave the opinion that the PCI Council had ‘failed to adequately address consumer risk by not mandating end-to-end encryption as part of its requirement, allowing the use of compensating controls in lieu of encryption in order to spare those under PCI requirements from the expense of properly securing the data they were entrusted to protect’.

Paul Henry, security and forensic analyst at Lumension, who gave the opinion, claimed that the amount of data breaches witnessed had become all too commonplace, and that the bar should be raised to increase the minimum acceptable standards to become compliant in light of these many failures.

SC Magazine UK
