PCI Primer: Start With Self-Assessment

If you're a small or medium-sized financial institution and you've avoided looking at the Payment Card Industry's Data Security Standard, it's still out there waiting. PCI-DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.

Initially created by aligning Visa's Account Information Security (AIS)/Cardholder Information Security (CISP) programs with MasterCard's Site Data Protection (SDP) program, the standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. For financial institutions that means yet another set of security requirements to be compliant.

However, according to information security expert Tony Bradley, co-author of the book "PCI Compliance," financial institutions don't have to spend more money to begin compliance efforts. "Rather than spending your budget on hardware and software solutions, look to open source software solutions, or the low cost solutions available in the market. There is more of a learning curve involved in using open source, but it can save you money," Bradley says. Another place to start is from the assessment of what you already have in place, he says. "Go to the PCI Council website (https://www.pcisecuritystandards.org/) and download the auditing checklist. Go through the checklist first to see if you're secure. This is the chance to do a self audit of your network and information security program," he adds.

Save the expense of spending money on an outside auditor on the initial assessment, and perform it yourself. He recommends this approach for even the larger entities. "In your first self audit, you take care to recognize and plug the gaping holes. So when the external auditor comes in, you'll make them earn their pay and search for the hidden or hard-to-spot ones," Bradley says. "PCI compliance doesn't have to be all about the money and hardware/software that your institution has in place. In approaching the PCI-DSS, before you pull out the checkbook, step back and take a look at what areas can be improved without spending a dollar," he says. "It doesn't have to be about money -- many security problems stem from people and processes."

Bradley says institutions (and other businesses that need to be PCI-DSS compliant) should try to understand the requirements and figure out a smart way that doesn't get in the way of doing business and doesn't cost a fortune either. "First you have to have the right policies and procedures in place to be compliant. You have to be intelligent about looking at securing your networks, and looking at the resources you have to secure them. Know where your risks are and don't hunt a mouse with an elephant gun."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
