The PCI Security Standards Council (SSC) announced that it is entering phase three of its standards lifecycle process. Throughout phase two, insights were gathered from global stakeholders, including merchants, service providers, financial institutions, vendors, QSAs, ASVs and third-party experts. Feedback from these stakeholders will be evaluated for the next iteration of the PCI DSS and PA-DSS to ensure the standards are as effective as they can be.
“Our structured, but flexible, lifecycle process allows us to respond effectively to new security challenges so that organizations and assessors have the right tools for their security programs.” – Bob Russo, General Manager of the PCI SSC.
When we have a business problem, we immediately think: “What can technology do for me?” We call up the IT guy and say, “Solve our problem!” Interestingly enough, we do the same when it comes to information security and standards compliance. Having been in the information technology industry for years, I can tell you that technology isn’t always the best approach. In fact, the vast majority of solutions call for management measures in conjunction with technology. This is even more true when initiating an InfoSec or compliance initiative: we need to be on the lookout for every management gap. A harmony of technology and management is the only route to genuine security and compliance.
So what are “The Keys” to this harmony? Policy and Education.
An effective information security policy is comprehensive and self-supporting; a good policy is a living document. More than anything, it should have executive management backing and should be disseminated as the “gold standard” for information handling in the organization. Setting leadership expectations for the whole organization is the single biggest positive influence on security. Because policy addresses every area of the organization, over and above other efforts, it makes an immediate impact and remains the driver for the life of the program. A true win-win!
Following up with a formal continuing education program is key to building and maintaining a culture of safe information handling. These programs don’t need to be complex, but they should underscore the driving policy. Keeping a program interactive and varied is the best way to communicate, educate, and remind individuals of their role in keeping information secure. Don’t shy away from formal courses upon hire and throughout the year, but also leverage intranets, incentives, and posters to create a truly security-centric environment.
Ultimately, without the culture, we will only find ourselves buried in layers of technology providing volumes of information that must be parsed – and may even introduce more risk. Focusing on a balance of people and technology is the best approach, and can provide the best compliance and security posture. There is no replacement for a person’s good judgment!
Point of Sale (POS) systems are often overlooked as a potential target of hackers; however, research shows that the majority of food service industry compromises have involved POS systems. Risk increases greatly as more and more merchants use integrated POS terminals connected to high-speed Internet connections. According to Gartner Group, four out of five data breaches occur at POS systems.
Although dial-up swipe machines carry significantly lower risk, any system that transmits and/or accepts cardholder data falls within the scope of PCI compliance. Older POS systems should likely be replaced to ensure compliance. The PCI SSC provides a listing of validated payment applications, which can be viewed at https://www.pcisecuritystandards.org/security_standards/vpa/. Verifying your specific system’s validation with your POS vendor is strongly encouraged. By July 2010, all merchants will be required to use a PA-DSS certified POS.
Proven validation of your payment application is only half the battle. POS systems face some unique challenges in complying with the PCI DSS. Performing data discovery can help streamline and manage the process: PCI compliance vendors such as SecureConnect® will help identify where cardholder data exists and examine the flow of that data within your restaurant environment. In addition, maintaining and updating anti-virus protection is mandatory in today’s Internet environment and is required for PCI compliance. Viruses can disrupt your network and corrupt your data; therefore it is necessary to have a managed anti-virus subscription service.
Proactively approaching the challenge of PCI compliance in regards to your POS system will help secure your credit card transactions and your business. Responsibly managing risk includes solving all challenges involving the PCI DSS. Securing your POS system is no exception.
The U.S. Senate Judiciary Committee has approved two bills that would require organizations that have suffered a data breach to report it to potential victims. The committee voted to approve both the Personal Data Privacy and Security Act and the Data Breach Notification Act.
The Data Breach Notification Act would require U.S. agencies and businesses to report data breaches to the individuals whose personal information was acquired. Large-scale breaches would also have to be reported to the U.S. Secret Service.
The Personal Data Privacy and Security Act would also require organizations that maintain data to give notice to potential victims and law-enforcement authorities when they have had a breach. This Act would increase criminal penalties for electronic data theft.
Holding organizations accountable for a breach may finally push some to adhere to the Payment Card Industry Data Security Standard (PCI DSS). Implementing PCI compliance significantly reduces an organization’s risk of a security breach. By approving these data breach bills, the committee has underscored the importance of security best practices and acknowledged the role of companies that provide data security and PCI compliance solutions to help protect organizations and their cardholder data.
As organizations continue to struggle with PCI compliance standards, these bills will help considerably in preventing data breaches and in impressing the importance of the PCI DSS on merchants. BHI SecureConnect® praises the committee for taking a step forward in the fight against criminal credit card fraud.