Newly released statistics show Visa making strong progress in driving Payment Card Industry security compliance. But other card brands' compliance efforts, and PCI Security Council communications, still need improvement.
No matter how large or small your business is, if you take credit/debit cards or paycards from American Express, Discover, MasterCard and/or Visa, you will have to meet the PCI Data Security Standard. These preventative measures are used to protect cardholders from security breaches that could lead to identity theft. If you do not meet these standards per your contractual obligations, you can be fined and/or sanctioned by the credit card company and/or acquiring bank. Read on...
Compliance and IT Strategy is Based on Grounded Infrastructure
If companies are going to grow into entities that are truly greater than the sum of their parts, they need to respond faster and smarter to market challenges with better decision-making capabilities. One vital concern, which is often overlooked in discussions of information visibility, is the need for stringent alignment of departmental objectives with corporate strategy.
Business activity alignment is the ability to take your theories and put them into practice - in essence, taking the strategic plan and translating it into tactical steps. This results in more clearly defined executive roles, as well as an enhanced ability to leverage technology towards growth. Additional business benefits include achieving a balance of cost and investment towards organizational goals; a balance between internal limits and external growth; enhanced collaboration for better decisions and departmental alignment; and a 360-degree view of customers for better customer experiences as well as marketing and sales efforts.
To ensure alignment, management should focus on the development of a common set of metrics within the organization, which naturally requires a common set of definitions. Typically, different parts of the organization develop metrics specific to themselves and their purposes, resulting in a lack of consistency in reporting and an inability to aggregate information for senior management. According to a 2007 report, 57 percent of companies do not have a common set of metrics to work with.
The challenges become apparent when management tries to aggregate departmental information to make enterprise decisions. A lack of consistent definitions and metrics makes it particularly difficult for management to determine which way alignment needs to tilt, if at all. One caveat: small and midsize companies must strike a balance between letting groups identify and define the best metrics for themselves versus defining metrics in the best interests of the organization as a whole.
The result of strict alignment of activities with corporate strategy is that individual departments are no longer paying lip service to the business plan; instead, it serves as a coherent action plan, with all cogs working toward the same objective instead of grinding the machine to a halt.
Defining the optimal IT infrastructure is a critical task that can no longer wait, given all of the changes mandated by PCI-DSS, HIPAA, and Sarbanes-Oxley requirements that alter an enterprise's operating environment. The template helps you:
In order to comply with the PCI-DSS requirements, the IT infrastructure needs to be defined in such a way that an enterprise can build and maintain a secure data scheme, databases, application systems, network, network components, and other items related to authorization, data retention, data storage, data transmission and security, including disaster recovery and business continuity plans. The IT Governance Infrastructure, Strategy, and Charter Template addresses these needs directly.
Credit Card Companies aim to secure cardholder data wherever it resides, requiring that members, merchants, and service providers maintain the highest information security standards. While the threshold for PCI compliance is only a minimum standard, businesses recognize that failure to meet PCI requirements can lead to both financial penalties and long-term damage to customer trust and brand equity.
PCI requirements maintain that companies shall encrypt data at rest, which is a challenging and expensive endeavor for most retailers to undertake.
The PCI DSS security requirements apply to all "system components." A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to, the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.
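The scoping rule above ("included in or connected to the cardholder data environment") is a graph problem in practice: any asset reachable from a cardholder-data system over an unsegmented network path is in scope, and segmentation only keeps an asset out of scope if it actually blocks that path. The following is an added example, not code from the page or from the compliance kit it describes; it walks a constructed asset inventory and labels each asset. It goes slightly beyond the page by also flagging servers that provide a security service to the CDE (authentication, NTP, DNS) as in scope even when segmented, which follows the PCI SSC's scoping guidance on "security-impacting" systems. The inventory, link list and attribute names (handles_chd, secures_cde) are all constructed for the example.

```python
from collections import deque

# Constructed sample inventory (not from the page): asset name -> attributes.
#   handles_chd: stores, processes or transmits cardholder data (a CDE asset)
#   secures_cde: provides a security service to the CDE (auth, NTP, DNS, ...)
INVENTORY = {
    "pos-terminal":    {"handles_chd": True,  "secures_cde": False},
    "card-db":         {"handles_chd": True,  "secures_cde": False},
    "web-store":       {"handles_chd": True,  "secures_cde": False},
    "ad-server":       {"handles_chd": False, "secures_cde": True},
    "ntp-server":      {"handles_chd": False, "secures_cde": True},
    "corp-file-share": {"handles_chd": False, "secures_cde": False},
    "marketing-wiki":  {"handles_chd": False, "secures_cde": False},
}

# Constructed links: (a, b, segmented). segmented=True means a validated
# firewall/ACL boundary blocks general traffic between the two assets.
LINKS = [
    ("pos-terminal", "card-db", False),
    ("web-store", "card-db", False),
    ("web-store", "corp-file-share", False),    # flat network: pulls the share into scope
    ("corp-file-share", "marketing-wiki", True),  # segmented: wiki stays out of scope
    ("ad-server", "card-db", True),
    ("ntp-server", "card-db", True),
]


def classify(inventory, links):
    """Return {asset: category}, where category is one of
    'CDE', 'security-impacting', 'connected-to' or 'out-of-scope'."""
    cde = {name for name, attrs in inventory.items() if attrs["handles_chd"]}

    # Adjacency over unsegmented links only; a segmented link does not
    # propagate scope from one side to the other.
    adj = {name: set() for name in inventory}
    for a, b, segmented in links:
        if a not in adj or b not in adj:
            raise ValueError(f"link references unknown asset: {(a, b)}")
        if not segmented:
            adj[a].add(b)
            adj[b].add(a)

    # Breadth-first walk from every CDE asset across unsegmented paths.
    seen = set(cde)
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)

    result = {}
    for name, attrs in inventory.items():
        if name in cde:
            result[name] = "CDE"
        elif attrs["secures_cde"]:
            result[name] = "security-impacting"   # in scope even if segmented
        elif name in seen:
            result[name] = "connected-to"         # reachable without a boundary
        else:
            result[name] = "out-of-scope"
    return result


def in_scope(inventory, links):
    """Sorted list of assets to which the PCI DSS requirements apply."""
    return sorted(name for name, cat in classify(inventory, links).items()
                  if cat != "out-of-scope")


if __name__ == "__main__":
    for name, category in sorted(classify(INVENTORY, LINKS).items()):
        print(f"{name:16} {category}")
```

The useful check is the negative one: flip the segmented flag on the corp-file-share/marketing-wiki link to False and the wiki joins the in-scope list, which is exactly how a flat network turns a small Level 4 merchant's whole estate into a PCI assessment. Recording each link's segmentation status as something an assessor validated, rather than something assumed, is what makes the output defensible.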
The PCI-DSS Compliance Kit aids Level 4 merchants with infrastructure tools that address the issues all of these merchants face.
PCI-DSS Coordinator - With the onset of the new compliance requirements, Level 4 merchants need to have one point of contact for all of the issues associated with meeting the requirement.
e-Commerce, wireless, and Internet personnel - The PCI-DSS standard hits all of these areas, and the personnel involved need to understand the new responsibilities that they have.
Formal Security Audit Program - With the onset of the mandated requirement, a formal audit program is required of even the smallest merchant.
Security Policies and Procedures - Structure and rules are required, and many Level 4 merchants do not have the infrastructure in place to address these issues directly.