IT DRILLDOWN
Virtualization
 
NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 Advice and Opinion

 CIO Consumer IT

 CIO Leader

 CIO Enterprise

 CIO Insider

More Newsletters | Edit Profile
 

RSS Feeds »

 
 
LEADERSHIP
 

CIO Executive Programs

The Leader in Face-to-Face Education for Senior Executives

Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »

 

CIO Executive Council

Public Teleconferences

Join CIO Executive Council members and participate in the following live teleconferences:

* Planning for Succession:
Models for IT Leadership Development, June 23
 * Youth in IT: How CIOs Can Engage the Next Generation
 June 10
 * Change Leadership at General Growth Properties: A
Pathways Leadership Development Seminar, June 25

More / Register »

Learn more about the CIO Executive Council »



 
 
RESOURCE CENTER
 

buy a link »

Ads by TechWords
 
 
SUBSCRIBE TO CIO
 

Are you involved in setting the direction for your company's IT budget or strategy?


Apply today for a FREE subscription to CIO Magazine!

Subscription Services »

Reprints »

 
 

Feature

 

A Guide to Practical PCI Compliance

With all the doom and gloom about how difficult and costly PCI is supposed to be, the reality is that PCI compliance is attainable and sustainable, if you follow these tips.
 

By Ben Rothke CISSP, QSA, and David Mundhenk CISSP, QSA

November 12, 2007CIO — Myriad merchants find themselves at the end of the PCI compliance barrel and are spending significant amounts of time, money and effort in achieving PCI compliance. Advice from companies that have been there can help smooth your path.

More on Compliance
Your Guide To Good-Enough Compliance
Tear Down that Silo: Compliance in the Executive Suite

Organizational Maturity

One of the biggest mistakes organizations make is jumping into their PCI remediation effort without first understanding their company's gaps. It's crucial to realize that every organization has a different maturity level when it comes to technology and compliance. Without first knowing what level you are at, taking a "one size fits all" approach to fixing PCI will spell disaster.

A pre-compliance assessment is imperative and enables you to understand what your PCI compliance effort will entail. The output is a document identifying gaps between your current state and what the PCI DSS (Data Security Standard) requirements necessitate.

Some of the items covered in the pre-compliance assessment include:

  • Review of IT infrastructure; PCI-relevant application architecture, policies, procedures and processes; overall network design
  • Gap analysis
  • Network vulnerability scanning
  • Risk analysis
  • Mapping business flows to technology flows

Determine your current state by completing the PCI Self-Assessment Questionnaire (SAQ) from the PCI Security Standards Council. The SAQ is divided into six sections focusing on a specific area of security. After completing the SAQ, you will have a good idea of which controls and tools are in are in place.

Cross-Organizational Interaction

PCI requires the whole organization to play nicely together; too many organizations have different IT groups that have developed their own fiefdoms and act in semi-autonomous states. PCI doesn't support such an approach—it requires different groups to collaborate whether they like it or not.

Success with PCI is dependant on how the numerous groups work together and maintain reasonable expectations. How well this is executed has a direct impact on compliance. The best way to ensure understanding is to set effective ground rules at the beginning of the compliance effort.

Vendor Remediation Support

Your organization has older software and hardware that isn't PCI-compliant. Similar to preparing for Y2K, getting vendors to ensure their products comply with PCI can be a significant issue. How much of an issue depends on your importance to the vendor and the importance of PCI to the vendor.

If you find that your vendor is not PCI compliant and you need an alternative solution, the PCI Security Vendor Alliance (SVA) is a good resource to check. The SVA assists the payment card industry by providing products and services that enable organizations to achieve compliance with the PCI DSS.

 
 
 
 
 
 
Loading...
 
 
ABCs
 

How To Do Nearly Anything

Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.

Over 25 tutorials on everything from business intelligence to virtualization.

 
 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

Evolve your data center on proven technology. The Brocade DCX.

Secure your virtual and physical environments with the same software.

How to Manage the Mobile Work Environment

How to simplify mobility and reduce the cost of supporting mobile workers

Getting the Most from your Data Protection Solution

Mitigating Risk with Security Assessments

Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response

Business Value of Performance IDC Whitepaper

Foxwoods Resort & Casino dramatically reduced both backup and recovery times

Top 10 Questions to Ask when Choosing a Secure File Transfer Solution

Webcast: The Keys to Enhancing and Securing your Enterprise Network

An Executive Guide to Understanding Hosted and Managed Messaging

Configuration Audit and Control for Virtualized Environments

Enterprise Business Security: Protect Data, Accelerate Growth

The Case and Criteria for Combining Application Acceleration and Security

Q4 2007 Email Threats Trend Report from Proofpoint and Commtouch

Do the math-calculate the impact of mobile device deployment on your bottom line

Improve device management - Microsoft® System Center Mobile Device Manager

Heinz Uses a Wireless, Automated, Auditing process on BlackBerry® devices

Webcast: Solutions to the Toughest IT Challenges in Remote Offices

Webcast: Research insight into how organizations are using virtualization

3 Reasons to Invest in Integration Technology Now

A CIO's View of Server Virtualization

Let's Get Virtual: A Look at Today's Server Virtualization Architectures

Increase conversions on your site with the help of EV SSL.

Eliminate network threats and downtime with Juniper Networks. View demo.

Choose a mobile device platform with familiar programs and simplified management

Get Control of Mobile Data (and More)

The Business Value of Symantec Data Center Foundation Solutions

How Plug-in Integration with Global Suppliers Quickly Multiplies the Value of SAP Investments

Gene Kim's Practical Steps to Mitigate Virtualization Security Risks

Riverbed RiOS 4.0: Raising the Bar in Wide Area Data Services

Case Study: Auto insurer accelerates backup and recovery

Case Study: Bay State Health reduced the timeframe for recovering critical patient data

Webcast: Build secure, scalable enterprise networks.

2008 Annual Google Communications Intelligence Report

Comparing Google and Other Leading Messaging Security Solutions

Webcast: Best practices in application security: How do you stack up?

IT productivity challenges: Google surveyed IT professionals

Regulations Shift Focus on Outbound Email Security

Key challenges facing todays IT service and support

Read Forrester's advice for deploying an enterprise mobile solution

Sheriff's Office Uses PocketCop to Access Police Databases from BlackBerry® Smartphones

The BlackBerry Solution Adds Significant Benefit to Toshiba

Global Crossing is the most viable alternative for voice, video and data.

The New Foundation of Storage: Xiotech's Intelligent Storage Element

3M saved $3M on printing. Learn how HP can help your business

Survival of the Fittest: Disaster Recovery Design for the Data Center

Windows Server 2008: To Upgrade or Not to Upgrade?

Data Loss Prevention Starts at the Endpoint