PCI DSS for all


Get in step


Anton Chuvakin, principal at Security Warrior Consulting, and the author of several books on data security, says PCI already is the leading data security standard based on the sheer number of companies that accept and process credit cards. While other standards – such as ISO 2700x, the National Institute of Standards and Technology's Federal Information Security Management Act (FISMA) and other mandates associated with federal regulations, such as the Sarbanes-Oxley Act of 2002 or the Health Insurance Portability and Accountability Act (HIPAA) of 1996 – play an important role in setting minimum levels of data security, none are as prescriptive as PCI DSS, he says.

Small companies without their own full-time data security staffs will benefit from the specifics of the standard, which details not only what needs to be done to comply but also prescribes how to do it, Chuvakin says. There are a lot of security procedures that smaller companies should do, but instead choose not to, often because they either do not know how to do it or do not have the budget. PCI DSS provides them with a roadmap to effective and industry-accepted security procedures that will improve their data security, Chuvakin says.

Selling the value

The challenge for small and midsize businesses is that many do not necessarily understand what needs to be done to be compliant, they do not know how to implement what they do know and they do not have the IT and security budgets to do the job effectively and efficiently. As well, data security is hardly a stagnant process, but rather a process that is constantly in flux, depending on the whims and cleverness of those trying to steal what a company possesses.

Security best practices from just a few years ago are today becoming mandated by law or part of standards, says Greg Bell, global information protection and security lead partner at KPMG. Companies that are required by their contractual agreement to employ PCI DSS have tools to do so, but those that are not required to comply have a proactive framework for data security that can enhance their business operations.

Although PCI is designed to protect specific types of credit card data across global networks, the same policies and procedures can safeguard employee, customer or supply chain information, intellectual property or medical records just as efficiently for companies that do not use credit cards, Bell says.

“Most mature organisations have a foundation of blocking and tackling in place [for data security],” he says. The piece that is often missing is a plan of action that explains who does what when a breach or other data loss occurs. That, he says, is the chief benefit of the PCI standard.

As companies try to do more with less – such as fewer staff members doing more work across multiple disciplines – many are starting to migrate to more prescriptive security measures. There is no one-size-fits-all for data security, Bell says. One has to build a foundation appropriate for each company.

From the inside

Bell recommends that companies considering using PCI DSS understand their risks and the various vectors from which the risks might arise. Not all risk is due to criminals and hackers, he says. In some cases, the threat could come from employees, partners or perhaps even something as innocuous as a reconfigured server. “Risks are changing faster than the standards,” he says.

So where does that leave an enterprise wanting to adopt some PCI edicts? Emily Mossburg, a principal in the security and privacy practice of Deloitte & Touche, says smaller companies that don't have full-time data security staffs still can benefit from taking advantage of PCI DSS.

Mossburg recommends that all companies employ at least some minimal aspects of the standards. For example, she says it is important to install and maintain a firewall configuration that protects confidential information while blocking attacks from the web. Not all data needs to be on the company's primary network, she says. A segmented network can be used to protect PII and IP. Access control lists also can secure corporate data. While acknowledging the value of the standard, she says companies should consider the kinds of data they transmit before committing to an expensive data encryption program.

Copyright © SC Magazine, US edition