David Heath
Thursday, 14 January 2010 16:05
The PCI Security Standards Council publishes the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements with which every organisation that stores, processes or transmits cardholder data must comply in order to keep accepting card payments.
The survey's main findings are that most organisations face significant obstacles to passing their next PCI audit; that they do not believe PCI compliance genuinely makes them more secure against breaches; and that there is real concern over their ability to control IT configurations and changes.
According to the survey (registration required), "Nearly one half of the respondents ... readily admit that they have little or no confidence that their organisation is fully PCI-compliant at any moment in time. In fact fewer than 10 percent … say they are highly confident that they are in full compliance at the time they responded to the survey."
According to Daniel Blander, president of risk management consultants Techtonica Inc, "What they get when an internal audit team or a QSA (Qualified Security Assessor) goes through the audit is a snapshot of a single point in time only. Everyone rushes to get into compliance for that day, and 24 hours later I guarantee you they will no longer be in compliance. The reason is simple: In almost every case, what they've done for the audit is an extraordinary effort, not something that is part of their ongoing security culture."
One of the big issues is that the PCI DSS, first published in December 2004 and placed under the PCI Security Standards Council in 2006, has been revised several times since, meaning that organisations must not only plan to maintain compliance with the current rules but also set aside resources to understand and implement each new revision as it is introduced.
According to the report, "Respondents say that, on the plus side, they are more familiar with the compliance requirements for purposes of the annual audit. However, on the flip side, they point to the constantly changing requirements as the biggest reason why they are likely to struggle to achieve and maintain PCI compliance going forward."
The report closes with one final sobering thought: "Passing the PCI compliance audit - and getting that nice check-mark on your IT security plan - might make you feel warm and fuzzy in the near term. But without a comprehensive plan for security that includes configuration change control as a part of the overall solution, you'll wonder what went wrong when your customer database is hacked and your security breach is highlighted on the evening news."
iTWire recommends readers acquire the survey report and seriously consider its contents.