PCI Compliance Forms the Basis for Total Cyber Security
Ensuring PCI DSS (Payment Card Industry Data Security Standard) compliance should not be a break-fix exercise. Every organisation that has to ensure PCI compliance must have processes in place to maintain continuous compliance. In reality, this is often not the case: organisations tend to set up the required measures only for the purpose of the audit. There are many reasons for this, including the high cost of maintaining the needed best practices. Nevertheless, organisations must recognise the value and benefits of continuous PCI compliance.
Some organisations start abiding by the compliance rules only after they suffer a breach or compromise of data that leads to significant data loss, financial damages and litigation. Such litigation has led to losses and to the closure of organisations. Audits conducted after a compromise have revealed that organisations that had earlier passed the audit were not PCI compliant at the time of the breach.
Even if organisations maintain their compliance measures, this may not be enough in the face of new, evolving and emerging threats. Organisations must develop a proactive and protective attitude and aim for "better than compliance" security measures. While the intention should be to prevent cyber security incidents of any kind, in reality this may not always be possible. Hence, the organisation must also define specific plans and measures for the event of a cyber security breach, including the ways to resume normal operations as early as possible.
Information security policies are built around the CIA triad: confidentiality, integrity and availability. Confidentiality means that only authorised users can access specific information. Integrity means that the information is accurate and has not been altered by unauthorised means. Availability means that authorised users are always able to access the information they need.
Every organisation or entity that needs to accept card payments must comply with PCI DSS. The principles of the PCI DSS are aimed at ensuring the confidentiality and security of card data and cardholder data.
Organisations can treat these compliance measures as baseline requirements and build on them to ensure the other two factors of CIA: integrity and availability. Loss of integrity of information can result from archaic or inappropriate protocols. Sensitive information (login credentials, passwords, personal information and the like) that travels over the internet must be secured against eavesdropping, corruption, modification and theft. Older protocols, SHA-1 certificates and similar legacy mechanisms are still in use at certain organisations. Support for these older protocols is steadily being discouraged and has been withdrawn in many places, as they have been found to be exploitable by malware. PCI DSS also recommends performing penetration testing and malware scans to stay protected.
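As an added illustration of the "older protocols and SHA-1 certificates" point above (example code written for this page, not from the original article or from the PCI SSC), the following Python uses the standard `ssl` module to build a client context that refuses pre-TLS 1.2 connections and to audit a connection's protocol floor and certificate signature algorithm. The TLS 1.2 floor and the list of weak signature algorithms are assumptions chosen for the example.

```python
import ssl

# Signature algorithms treated as legacy here. SHA-1 is the one the article
# names; MD5 is added as an older, weaker sibling (assumption for this example).
WEAK_SIGNATURE_ALGORITHMS = {
    "sha1WithRSAEncryption",
    "ecdsa-with-SHA1",
    "md5WithRSAEncryption",
}

# Protocol floor a hardened configuration should enforce (assumption: TLS 1.2).
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that verifies peers and refuses SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()          # certificate + hostname verification on
    ctx.minimum_version = REQUIRED_MIN_VERSION  # reject the "older protocols"
    return ctx


def audit_tls_settings(min_version_name: str, cert_signature_algorithm: str) -> list:
    """Return findings for a protocol floor (ssl.TLSVersion member name, e.g. "TLSv1")
    and a certificate signature algorithm (OpenSSL-style name). Empty list = clean."""
    findings = []
    min_version = ssl.TLSVersion[min_version_name]
    # MINIMUM_SUPPORTED (no floor configured) is negative, so it is flagged as well.
    if min_version < REQUIRED_MIN_VERSION:
        findings.append(f"protocol floor too low: {min_version.name}")
    if cert_signature_algorithm in WEAK_SIGNATURE_ALGORITHMS:
        findings.append(
            f"certificate signed with weak algorithm: {cert_signature_algorithm}"
        )
    return findings


def audit_context(ctx: ssl.SSLContext, cert_signature_algorithm: str) -> list:
    """Audit a live SSLContext's configured floor together with a peer's signature algorithm."""
    return audit_tls_settings(ctx.minimum_version.name, cert_signature_algorithm)


if __name__ == "__main__":
    # Constructed sample: a legacy floor and a SHA-1 signed certificate.
    for finding in audit_tls_settings("TLSv1", "sha1WithRSAEncryption"):
        print("FINDING:", finding)
    print("hardened:", audit_context(hardened_client_context(), "sha256WithRSAEncryption"))
```

The signature algorithm name is supplied as a string so the check can be fed from any certificate parser or scanner output.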
The specifications of PCI DSS are focused on cardholder data, and they should serve as a foundation for best practices across an organisation's wider cyber security operations.