Rising to PCI Challenges and Opportunities
PCI DSS provides a control framework for enterprises to improve operational, security and audit performance. However, the benefits of PCI DSS extend beyond audit costs and results. As a security model, the requirements can help companies to control costs and build a more efficient and reliable IT infrastructure that delivers better service, whilst incurring less risk. Implementing PCI DSS also creates the opportunity to improve business processes and enterprise information security operations.

PCI DSS is regulated by contracts between the sponsoring major credit card companies and their members, merchants and service providers. PCI is enforced through validation requirements to maintain and demonstrate compliance. These requirements vary amongst the payment card companies: they are dependent on merchant 'level' and are tied to risk recognition and transaction or account volume. In their most comprehensive form, the requirements include onsite security audits, self-assessment questionnaires, mandatory penetration testing and network scans. The PCI standard requires continuous validation of security effort.
The PCI standard provides an integrated framework that combines technology, policies, education, awareness and industry best practices. By getting ahead of the compliance curve, organisations that implement PCI DSS can reduce long-term compliance costs and instil best practices across the entire enterprise, making it easier and less expensive to adhere to future requirements and creating a leaner, more efficient organisation.
Attenda has recently joined the PCI Security Standards Council. As a Participating Organisation, we will work with the Council to evolve the PCI Data Security Standard (DSS) and other payment card data protection standards. To date, for our clients, partners and prospects, we have taken the approach that our services were successfully reviewed during the course of each client's PCI DSS assessment. We are supporting our clients in their PCI DSS audits and have gained a wealth of experience in meeting the requirements of this standard. From an infrastructure perspective, we can design the architecture to meet the requirements of PCI DSS; this could include components such as firewalls, Intrusion Prevention Systems, backup systems, anti-virus systems, core network systems, operating systems and databases.
During 2010, our intention is to adopt a different approach to PCI compliance. We will look to build 'already PCI compliant' elements into the solution architectures and services that we provide, spanning the 12 sections of the PCI DSS process, thus providing the correct combination of technology and service to reduce the cost, effort and risk associated with gaining and maintaining PCI compliance.