Keeping up with PCI compliance
Maintaining compliance with Payment Card Industry standards can be a daunting task due to the number of different requirements a given organization must meet. In addition, there are roadblocks that can make it difficult to follow PCI guidelines. As SC Magazine columnist Dan Raywood recently noted, some of the mandates are subject to interpretation.
This means that the standard can serve as a guide, but assessment results may vary depending on the auditor. Laurie Coffin, vice president of marketing at browser security company Quarri, told the news source that the PCI standards have clear mandates when it comes to configuring firewalls and protecting customer data in transit through the use of a secure SSL certificate. However, compliance also requires merchants to conduct vulnerability assessments, and because of ambiguity about what constitutes an adequate assessment, this is an area that many companies struggle with.
It is also important to remember that PCI mandates are evolving. Raywood used the changes that came with PCI DSS 2.0 as an example of how compliance is a moving target. One of the main changes in version 2.0 is the requirement to perform more thorough code review for web applications, which placed greater responsibility for website security on developers.
"Also added is the requirement for tokenization, to include an extra layer of security," Raywood wrote, expanding on the changes that came with PCI DSS 2.0. "For merchants, this reduces the scope of the PCI DSS assessment, as it uses random numbers and letters instead of storing highly sensitive primary account numbers. Specifically, it minimizes risks and decreases PCI audit costs, as tokens are only stored on one secure external server, rather than having multiple parts within the payment chain."
PCI compliance mistakes
As Raywood alluded to, maintaining compliance can be costly, particularly because of confusion surrounding risk assessment practices. This has led many businesses to forgo formal evaluations, but skipping them can itself prove costly. PCI Qualified Security Assessor Charles Denyer recently outlined several common mistakes that can lead to compliance violations. The first item on his list is failure to conduct a comprehensive readiness assessment that maps existing policies and practices to the formal requirements. In addition, many businesses underestimate the resource and operational commitment needed to remediate the vulnerabilities an assessment uncovers.
If your website handles payment card data, protecting that information is an important step toward becoming PCI compliant. Get your SSL certificate today to improve online security and meet regulatory demands.