PCI Audit – The Road To Compliance

The full article was published on http://enterpriseitsecuritymag.com

Most of you have probably already heard about PCI DSS. It is the standard that was formed by the five major credit card brands back in 2004. This information security standard borrowed best practices from the payment brands' internal security programs and unified them under one coherent guideline, the Payment Card Industry Data Security Standard.

The standard is now in its fourth incarnation, version 2.0. It was preceded by version 1.0, published in December 2004; version 1.1, published in September 2006; and version 1.2, published in October 2008. Version 2.0 itself was published in October 2010. The current version of the standard has more than 220 strict requirements. These requirements touch upon all major information security domains, including network and infrastructure, configuration management, encryption and data protection, operating system security, access rights, user identities, password management, physical security, audit management, security testing, and policies and procedures.

The PCI standard and its enforcement are complex and have many facets: the way some local acquiring banks misrepresent the global payment brands' requirements, the inadequate understanding of the standard by the parties enforcing it, and corporate managements which, kept in the dark, are not quite sure how to tackle the problem. It has been, and still is, a known fact that acquiring banks across the globe (with the exception of the United States, perhaps) are sometimes wary of enforcing the standard in their domestic markets. Matters become even more complicated when an acquiring bank is required to enforce the standard, and to apply fines, against some of its largest merchants, which are typically responsible for generating a large percentage of that bank's revenue.
Download the full article here.