Tuesday, January 26, 2010

PCI Compliance is a 24/7/365 Responsibility

Walt Conway, a QSA with 403 Labs and a PCI columnist, has worked in payments and technology for more than 30 years, 10 of them with Visa. Here is the lead to a very insightful article he wrote for the current StoreFrontBackTalk:

It may sound like heresy coming from a QSA, but I see some merchants over-emphasizing their PCI annual assessment. The main event for them is a clean Report on Compliance (ROC) for Level 1 (and soon Level 2) merchants or a Self-Assessment Questionnaire (SAQ) for everybody else. They believe that once the ROC is signed, they can relax until the next year.

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.

Click HERE to read the rest of this important article.
