What does PCI compliance really mean?
There are similarities with ISO27001, PCI compliance is set up as an audit of the IT department with a specific emphasis of credit card security as well. Whereas ISO27001 is more of an audit of the processes of a company. This makes sense in a manufacturing environment where it is important that your processes show what occurs in the manufacturing and delivery of a product. A product that has to be created can have errors introduced in the creation step. And this is where Six Sigma(Quality Assurance standard) has come into place.
Our blogpost(at Oversitesentry.com) where we say Six Sigma security is needed.
But as the title mentions, the real reason for PCI compliance adherence are legal liabilities as will be proved.
The 106 page pdf (plus 6 pages in appendix) document of the latest PCI standards (DSS3.0) by pcistandards.org at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
The document outlines many aspects of the Payment Card Industry (PCI) expectations of security. Which are security practices made up of common sense:
1. Implement a firewall, with good access control in all connections to the Internet - including DMZ (DeMilitarized Zone). If you have a single connection and single location it is straight forward, but if it is not, then the standard still tries to keep in mind the additional complexity without losing security aspects.
2. The network defense is not complete without a discussion of a personal firewall on the desktop, and later in the document an antivirus solution. The Microsoft Global Policy should also be discussed. (where all aspects of the desktop can be controlled if so desired.
3. A lot of points are made about changing default configurations and passwords in all systems, this is another good common sense item.
4. Any protocols so deemed "insecure" should be shored up as best as possible (there is a lot of latitude here, since there can be many different potential issues)
5. Using proper logs is important
6. Encrypt where necessary, as the credit card numbers should be encrypted over the Internet or wireless access points. And this has to be "verified". Again this is due to legal concerns.
Later in document - use an intrusion detection system so as to know what is being attacked and how you are attacked. Keeping the logs is important not just for reasons like finding out what is going on in your network, but it is important to reconstruct in case of legal liability. Whenever the document says "Verify" it means if you do not, then a lawyer will make you pay for it in the future.
How do I say this with certainty?
http://www.bankinfosecurity.com/retail-breach-compromised-millions-cards-a-5688/op-1 has a sentence in here of note:
"The company also pointed that as of its most recent audit, conducted in November 2012, it was compliance with the Payment Card Industry Data Security Standard."
How about this link?
" In St. Louis Missouri, Schnuck Grocery store recently sued two payment processing companies. Currently the details of the lawsuit have not been released, but many can speculate that this is due to the recent breach of credit card data that impacted millions of customers at the the large grocery chain."
How could Schnucks end up suing the payment processors? if they had not done their due diligence in the PCI compliance audits as required by the industry. I believe this does not require the knowledge of the outcome.
So that is why we are confident in saying: PCI compliance has to do with legal liability.
What are you waiting for? The ambulance attorneys will chase you when(not if) a breach occurs.
Contact Us as we can help you with the future audit and legal liabilities beckon.
In the end it is the criminals versus the legal liabilities that you must wrestle with
I post this doctored image of Kmart's logo, as they were hacked as well - although I am not sure of their PCI compliance.