Verizon experts speak at European PCI DSS Roadshow, July 2 2013 in Paris, France
Experts from the security industry gathered in Paris, France on July 2, 2013 at the Annual European PCI DSS Roadshow to discuss the impact and ongoing challenges companies face in adhering to the Payment Card Industry Data Security Standard (PCI DSS). With 2013 promising another evolution in the standard, companies must be ready to adapt to new technological changes impacting the world of financial transactions and storage. The reality is however, that many are still not prepared.
While compliance helps drive security, the two are not equal. Security is not just about creating procedures and satisfying internal audits; it’s about developing a deep understanding of risk in order to be able to manage it on an ongoing basis.
Experts from Verizon - Gabriel Leperlier, Head of PCI for Verizon France and Nicolas Villatte from the Verizon Risk Team were deeply engaged in the discussions debating the importance of PCI DSS compliance and the business critical link between lack of compliance to and an increased risk of data breaches.
It is actually quite simple for companies to gain a deeper insight into PCI DSS – which will help them to achieve a high level of success throughout the compliance assessment and beyond into implementation. Key guidelines are as follows:
- Start early! One of the common misconceptions about PCI DSS compliance is when to begin compliance project planning. For the best chance of success, organizations should really look to beginning the compliance journey as soon as they decide to accept payment cards or explore a new acceptance channel – for example, connected with an ecommerce venture, or a new point of sale (POS) system.
- Limit the scope: The scope of PCI DSS compliance is driven by the way cardholder data is being stored, processed, and transmitted at any merchant or service provider. That organizations should segregate the cardholder data environment to the maximum extent possible, by implementing firewalls between different network subnets, would seem a given. However, this can actually be difficult to do, and especially in legacy environments where security has historically been focused on protecting the organization’s perimeter.
- Only keep what’s really necessary: There is one golden rule in PCI DSS compliance: if you don’t need it (i.e. cardholder data), don’t store it!
- Follow the intent behind controls: Security staff at many organizations tend to look for a readymade checklist or an off-the-shelf tool to simplify their security compliance tasks. However, while a checklist or tool can provide an organization with a quick and verifiable methodology to achieve a control objective, what is more important is to meet the intent of that control in its entirety. At times, a checklist/tool may give a rosy picture, while things might not be as good as they look. So while a checklist is always useful, it’s much more important to also apply judgment to determine whether the efforts invested really match the baseline intent of the requirement.
- Involve all stakeholders: PCI DSS compliance is not only an IT project – rather involvement from all organizational stakeholders should be secured up front. The project team should include representatives from all functional groups - information security, business operations, administration /facilities, human resources and, (last but not least!) Information Technology. PCI DSS requirements span all organizational departments, and the active engagement of these functions has a crucial role to play in driving – and then maintaining – PCI compliance.
- Don’t be Complacent: PCI DSS is a unique standard that is devised, maintained, and enforced specifically to protect payment card data, and requires special attention and focus – even (and perhaps especially) if an organization has already implemented other security standards. The level of detail that goes into the PCI DSS can be a little overwhelming – and certainly the standard leaves little scope for assumptions and flexibility, and may require changes to business practices or technology components usually followed in meeting compliance requirements. Organizations should therefore always pay specific attention to the detail required when embarking on a PCI DSS project.
- Vendor compliance is also key: In the journey towards PCI DSS compliance, organizations can forget about the respective compliance of their vendors/service providers. PCI DSS requires all controls to be met to achieve compliant status – partial compliance is not an option! It is therefore crucial that the compliance status of vendors/service providersis also taken into consideration if they are involved with the data handling process. Even when work involving cardholder data is transferred to these organizations, accountability still lies with the initiating (main) organization.
- Document everything! Organizations looking to achieve PCI DSS compliance should perhaps remember one final mantra - document what you do, and do what you document. PCI DSS requirements strongly emphasize evidence of documentation and evidence of implementation effectiveness. These two fundamental requirements are achievable if and only if an organization religiously documents all implemented controls and maintains implementation of controls as documented throughout the entire process.
The Annual European PCI DSS Roadshow was organized by Vigitrust, an expert in the provision of IT security services, advising its clients on European Data Protection acts, PCI DSS, and more as well as providing educational & consulting services for businesses preparing for compliance with legal and industry-led security frameworks.