An article in Ecommerce Times points out that achieving PCI Compliance does not mean you have achieved real data security. "For example, in the vulnerability scanning area of PCI, companies are allowed to request waivers for things that don't meet the standard but also can't be fixed. It's tempting to just document areas of noncompliance to pass an audit, but this misses the bigger security picture."
The article suggests three Best Practices to reduce the chances of a serious security breach:
- Control/Minimize the Scope of Your PCI Network by minimizing the number of places where credit card data is stored or handled.
- Increase Your PCI Scan Frequency, making routine system scans standard operating procedure on a daily or weekly basis
- Track Your Risk Trend: if risks are increasing, track down the source and deal with it to reduce your risk profile.
"It's tempting to just document areas of noncompliance to pass an audit, but this misses the bigger security picture. Instituting regular reviews of all PCI waivers with an eye toward minimizing security risk is an excellent security practice," the article concludes. It also suggests that implementing these suggestions will probably require some automated security tools; you should make sure candidate solutions can alert you to critical security control changes and don't require installation on every system on your network.
No comments:
Post a Comment