Feature
THE PROBLEM WITH PCI
In the last issue of Retail Fraud, we heard a lot about the positives
of PCI DSS compliance, but the process is not without its critics
THE Payment Card Industry Data Security Standard (PCI DSS, more commonly just PCI) attempts to make merchants handling credit card payments more secure by requiring those merchants to implement a series of specific security controls. While PCI is a good thing in that it forces companies to implement the best practices contained therein, it could actually harm the efforts of the information security profession by perpetuating 'check box' security.

By implementing a mandatory framework with specific controls, companies may well believe that those controls are all that is needed to be secure, and so stop questioning the goals and techniques of information security, and cease approaching the ongoing problem of information security with an inquisitive, challenging mind. It is this need to be open to new approaches to solving unique problems that engenders a particular attitude in security professionals, and one which drives innovative solutions. Where is there a place for maverick thinkers, for individuals with a passion and raw talent for radical, lateral thinking?

Looking outside of PCI, there are other methods that can be used to enhance the security posture of an organisation, such as maintaining digital security awareness through constant, pervasive network security monitoring (NSM) principles. Such alternative methods may never make it into the PCI DSS, and so may be overlooked by organisations, especially when there is contention for an already-overstretched budget, out of which must be borne the significant costs of complying with PCI.

By forcing companies to comply with the PCI DSS, the responsibility for information security is aligned with the audit function, as non-compliance becomes a financial risk. While this is a positive step, it may also reduce the reputation of the expert voice of information security professionals when those professionals recommend approaches that are not in the PCI DSS.

Consider BP's decision to directly connect thousands of clients to the Internet, then use heavily-armoured DMZs to provide services across 'the cloud' to corporate employees, business partners, and contractors. If credit card data is transmitted across this type of 'extended infrastructure', how does that affect the scope of a PCI implementation?

Overall, PCI contains many advantages for enterprises that implement the controls described, but the main driver is obviously money. Visa and MasterCard do not want to continue to stump up for losses incurred by merchants, and the obvious way to avoid this is to force the merchants to take responsibility for their security, by prescribing the actions they need to take to be 'secure'. Whether this actually stops the rampant levels of security breaches taking place, time will tell; it is clear that the best practices embodied in PCI have been implemented for some time, but security is still no further forward than it was decades ago. Perhaps it is time for a more creative shake-up of the security world. RF
RETAILERS WORKING TOGETHER
IN QUEST FOR COMPLIANCE
MERCHANTS facing the often daunting and complicated task of becoming PCI compliant now have somewhere to turn for advice and support following the expansion of The UK PCI DSS User Group.

The PCI User Group was formed back in 2005 for merchants and retailers to come together and talk about the issues surrounding PCI DSS. The aim is for merchants to be able to share experiences with fellow professionals and to learn from the different businesses and sectors that attend the meeting. Until recently the group was held at the offices of ProCheckUp, who host the group; however, the increasing interest has meant the decision to expand the group and move to a hotel has been taken.

The group is made up of representatives from major high street retailers, government departments and the financial industry. Guest speakers are regularly in attendance, and include acquiring banks as well as representatives from Visa and MasterCard. This gives merchants the opportunity to hear the latest developments in PCI and to ask questions regarding their specific situations.

Problems faced by some retailers include finding reliable companies to outsource to, establishing what should be done with paper trails such as application forms and credit card slips, and conveying the importance of PCI to board level, especially as non-compliance can result in high cost implications and disruption to service. The group has helped to find solutions to each of these problems through its open communication ethos.

The group is facilitated by ProCheckUp, an independent security organisation specialising in ASV (Approved Scanning Vendor) services. Charlotte Davies of ProCheckUp said "With such a vast area to be addressed for PCI, ProCheckUp felt the best way to support merchants was to facilitate them sharing best practice. We have found this to be hugely successful and enables merchants to avoid pitfalls others may have experienced. The group is a relaxed, informal environment, one morning bi-monthly, and results in some excellent time-saving solutions. The demand to join has meant we have had to move the group from our offices to a hotel; the great thing about that is it allows us to open the group to more merchants."

The User Group has been established in the strictest confidence, allowing retailers to speak freely about their concerns and experiences. It is made up only of people directly involved in PCI to ensure maximum productivity. If anyone is interested in joining the User Group, details can be found on www.pcidssusergroup.com. RF
ISSUE 3 DECEMBER 2008 • 33