Payment Card Industry Date For Compliance Standards
The compliance date set for June 30, 2007 has passed, and thousands of companies have yet to show that they are in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The Payment Card Industry set that date as the deadline by which all organizations that store, process or transmit credit card payments were required to demonstrate compliance with PCI-DSS. Industry studies indicate that less than half of all affected businesses have met that deadline.
For those institutions and others who are compliant, "Don't automatically assume if you're compliant with PCI that the institution you are in charge of is safe. If you're compliant with PCI that does not automatically get you past the monsters of data leakage," said David Taylor, president and CEO of the Payment Card Industry Security Vendor Alliance (PCI SVA).
Here are some things to keep in mind when working toward PCI DSS compliance.
Keep the data in the data center -- Virtualization is great for data centers, and security is a side benefit of the cost savings. By keeping application execution and private data inside the data center, your institution's reputation won't get wet.
Your eyes on the inside -- Watch what's going on inside your network, not just what's pounding on the outside door. Scanning all outgoing email and network packets is a good thing, and regularly reviewing the logs for unusual activity is a must. Don't just look at what's happening during normal business hours; remote access from laptops or home PCs also needs to be scrutinized to spot abnormal actions.
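As an added illustration (not code from the original article) of the log review just described, the following Python script scans constructed remote-access log lines and flags successful logins outside business hours or on weekends, and runs of repeated failures from one user and source. The log format, the 08:00-17:59 weekday window and the failure threshold are assumptions.

```python
from datetime import datetime
from collections import Counter

# Constructed sample VPN log lines (not from any real system).
SAMPLE_LOG = """\
2007-07-02 09:12:05 vpn login user=alice src=198.51.100.7 result=success
2007-07-02 21:47:33 vpn login user=bob src=203.0.113.5 result=success
2007-07-03 02:03:10 vpn login user=alice src=203.0.113.9 result=failure
2007-07-03 02:03:41 vpn login user=alice src=203.0.113.9 result=failure
2007-07-03 02:04:12 vpn login user=alice src=203.0.113.9 result=failure
2007-07-03 02:04:50 vpn login user=alice src=203.0.113.9 result=success
2007-07-07 11:30:00 vpn login user=carol src=198.51.100.22 result=success
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 local time counts as business hours
FAILURE_THRESHOLD = 3           # assumption: third failure in a row from one user/source is worth a look

def parse_line(line):
    """Turn one log line into a dict; returns None for lines that don't match the assumed format."""
    parts = line.split()
    if len(parts) < 7 or parts[2] != "vpn":
        return None
    when = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[4:])
    return {"when": when, **fields}

def review_remote_access(log_text):
    """Return findings as (kind, user, src, timestamp) tuples, in log order."""
    findings = []
    failures = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        t = ev["when"]
        # weekday() >= 5 is Saturday or Sunday
        off_hours = t.hour not in BUSINESS_HOURS or t.weekday() >= 5
        if ev["result"] == "success" and off_hours:
            findings.append(("off_hours_login", ev["user"], ev["src"], t.isoformat()))
        elif ev["result"] == "failure":
            key = (ev["user"], ev["src"])
            failures[key] += 1
            if failures[key] == FAILURE_THRESHOLD:
                findings.append(("repeated_failures", ev["user"], ev["src"], t.isoformat()))
    return findings

if __name__ == "__main__":
    for finding in review_remote_access(SAMPLE_LOG):
        print(*finding)
```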
Go ahead, keep the data longer -- PCI requires data retention for one year, so what's the point of keeping it longer? However long you keep it, make plans to encrypt it. When thinking of data retention, longer is better. Why? To know how big a breach you're dealing with, you'll want to extend that retention to 3 to 5 years, the same length as a minimum jail sentence for criminals.
Keep work data at work -- While much of the focus is on servers and network security, maintain control of the endpoints. The best way to secure data is to not allow anyone to remove it or copy it. The use of applications, removable storage devices and those handy little USB drives can spell B-R-E-A-C-H when mixed with sensitive data. Institutions may want to use software to block or track copies made to removable storage devices. Some of the software that blocks copying will also prevent the downloading of unapproved applications.
Have your employees know your Acceptable Use Policy -- When new employees join your institution, make sure they are aware of what's expected of them. If you don't have an acceptable use policy, get busy writing one! Staff who have been with the institution for a longer time also need an awareness wake-up call. Remind them that protecting the institution and its assets is part of their job, and that those assets include the personal and company data the institution holds. Increased awareness of the need to protect data means your employees know what's expected of them when they handle the data, or when they see it being distributed inappropriately.