Q

How will the planned changes in PCI-DSS affect the channel?

Learn why the upcoming changes to the Payment Card Industry Data Security Standard (PCI-DSS), designed to prevent further corporate data breaches, still represent only a minimal security standard. Security consultants performing due diligence will want to go beyond PCI-DSS in security discussions with clients.


Opportunity knocks.

Each iteration of the Payment Card Industry Data Security Standard (PCI-DSS) brings requirements that are more specific about the controls needed to satisfy the safeguarding of critical data and infrastructure assets. Sometimes these changes mean the selection and adoption of new technology, and oftentimes it means adapting a current PCI-DSS standard to be more effective.

Sometimes these changes are subtle; sometimes they are profound. The upcoming changes in PCI-DSS are a little of both, but rather than focus on them specifically, let's look at PCI-DSS compliance in general.

At this point it should be clear to everyone with a pulse that the delicate balance needed in shifting the requirements from "should" to "shall" is driven by the ever-increasing pace of data breaches and the legislation governing their disclosure and remedy.

What PCI-DSS represents is the minimal standard required by the industry to indicate that a certain level of due care and diligence has been performed. It doesn't, however, certify that an entity that is "PCI compliant" is "secure." It also doesn't mean that risk is appropriately managed and mitigated to an acceptable level. It simply means that certain steps have been taken to become compliant with the requirements defined within the standards.

If you need an example, look no further than the recent case of Hannaford Brothers groceries, a company that was certified as being compliant with PCI-DSS and managed to suffer an egregious security breach.

Why is this unfortunate example an opportunity for the channel? The answer comes in two parts:

First, it's clear that compliance does not equal security. Despite the need for compliance, really digging down deep with a customer to partner with them to manage risk -- for which compliance is a by-product -- provides a true service that is a win-win for both you and your customer.

Second, refuse to offer "compliance made easy" as a solution to your customers. This will earn you respect. As revisions to compliance regulations arise, you will be the trusted advisor who provides assessments of readiness against those requirements. If you can combine a well-stocked solutions portfolio, one able to address the technical requirements that evolving elements of compliance warrant, with a strategic, risk-focused consulting approach, you will gain the trust of your customers.

This was first published in May 2008
