Moneyweb.co.za at http://www.moneyweb.co.za/mw/view/mw/en/page201650?oid=225105&sn=Detail
15 September 2008
Best practices in the payment card industry (PCI) could save the industry over $55 billion and 300 million lost hours of work a year, says RSA, EMC's security division.
RSA security consultant Karel Rode says information security and information management are the main challenges in PCI compliance standards.
"An identity is stolen every 79 seconds. As this problem of data theft became more apparent, a sharper eye turned toward protecting a particularly valuable set of data: consumer credit card information."
The security solutions provider explains that any organisation that processes, stores or transmits credit card information needs to be PCI compliant. To do so, companies have to meet certain criteria in their information security, including protecting stored cardholder data and encrypting the transmission of cardholder data across open and public networks.
Rode adds that there are many challenges in meeting PCI compliance, such as restricting access to cardholder data to only those users with a business need, and managing the cardholder data infrastructure as prescribed by PCI.
"An important thing to note is that there is no such thing as a one-stop shop for PCI. You will see lots of confusing vendor claims in the rush to claim a product is 'PCI compliant'. There is no such thing. PCI is a very rigorous standard, spanning all aspects of information security, as well as processes and people," says Rode.
Earlier this month, industry experts attacked PCI standards and described them as ineffective and immature. Alan Calder, chief executive at consultancy firm IT Governance, argued that many firms are still flouting the standard and escaping fines despite the deadline for compliance passing years ago.
"On the one hand, it is an exciting global standard, but penalties for non-compliance are still not clear," he explained. "It is not clear that the acquiring banks will levy big fines on companies, because the customer may decide to go and bank somewhere else."