PCI Primer: Start With Self-Assessment

If you're a small or medium-sized financial institution and you've avoided looking at the Payment Card Industry's Data Security Standard, it's still out there waiting. PCI-DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. For financial institutions, that means yet another set of security requirements to comply with.
However, according to information security expert Tony Bradley, co-author of the book "PCI Compliance," financial institutions don't have to spend more money to begin compliance efforts. "Rather than spending your budget on hardware and software solutions, look to open source software solutions, or the low cost solutions available in the market. There is more of a learning curve involved in using open source, but it can save you money," Bradley says. Another place to start is with an assessment of what you already have in place, he says. "Go to the PCI Council website (https://www.pcisecuritystandards.org/) and download the auditing checklist. Go through the checklist first to see if you're secure. This is the chance to do a self-audit of your network and information security program," he adds.
Save the expense of an outside auditor on the initial assessment, and perform it yourself. He recommends this approach even for the larger entities. "In your first self-audit, you take care to recognize and plug the gaping holes. So when the external auditor comes in, you'll make them earn their pay and search for the hidden or hard-to-spot ones," Bradley says. "PCI compliance doesn't have to be all about the money and hardware/software that your institution has in place. In approaching the PCI-DSS, before you pull out the checkbook, step back and take a look at what areas can be improved without spending a dollar," he says. "It doesn't have to be about money -- many security problems stem from people and processes."
Bradley says institutions (and other businesses that need to be PCI-DSS compliant) should try to understand the requirements and figure out a smart way that doesn't get in the way of doing business and doesn't cost a fortune either. "First you have to have the right policies and procedures in place to be compliant. You have to be intelligent about looking at securing your networks, and looking at the resources you have to secure them. Know where your risks are and don't hunt a mouse with an elephant gun."