Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Teleconferences
Join CIO Executive Council members and participate in the following live one-hour teleconferences:
* Transforming IT Teams
September 16
* Global CIOs: How to Lead on the World Stage
September 18
* Social Responsibility's Strategic Benefits
October 29
Apply today for a FREE subscription to CIO Magazine!
A Guide to Practical PCI Compliance
With all the doom and gloom about how difficult and costly PCI is supposed to be, the reality is that PCI compliance is attainable and sustainable, if you follow these tips.
November 12, 2007 — CIO —
Myriad merchants find themselves at the end of the PCI compliance barrel and are spending significant amounts of time, money and effort in achieving PCI compliance. Advice from companies that have been there can help smooth your path.
Organizational Maturity
One of the biggest mistakes organizations make is jumping into their PCI remediation effort without first understanding their company's gaps. It's crucial to realize that every organization has a different maturity level when it comes to technology and compliance. Without first knowing what level you are at, taking a "one size fits all" approach to fixing PCI will spell disaster.
A pre-compliance assessment is imperative and enables you to understand what your PCI compliance effort will entail. The output is a document identifying gaps between your current state and what the PCI DSS (Data Security Standard) requirements necessitate.
Some of the items covered in the pre-compliance assessment include:
- Review of IT infrastructure; PCI-relevant application architecture, policies, procedures and processes; overall network design
- Gap analysis
- Network vulnerability scanning
- Risk analysis
- Mapping business flows to technology flows
Determine your current state by completing the PCI Self-Assessment Questionnaire (SAQ) from the PCI Security Standards Council. The SAQ is divided into six sections focusing on a specific area of security. After completing the SAQ, you will have a good idea of which controls and tools are in are in place.
Cross-Organizational Interaction
PCI requires the whole organization to play nicely together; too many organizations have different IT groups that have developed their own fiefdoms and act in semi-autonomous states. PCI doesn't support such an approach—it requires different groups to collaborate whether they like it or not.
Success with PCI is dependant on how the numerous groups work together and maintain reasonable expectations. How well this is executed has a direct impact on compliance. The best way to ensure understanding is to set effective ground rules at the beginning of the compliance effort.
Vendor Remediation Support
Your organization has older software and hardware that isn't PCI-compliant. Similar to preparing for Y2K, getting vendors to ensure their products comply with PCI can be a significant issue. How much of an issue depends on your importance to the vendor and the importance of PCI to the vendor.
If you find that your vendor is not PCI compliant and you need an alternative solution, the PCI Security Vendor Alliance (SVA) is a good resource to check. The SVA assists the payment card industry by providing products and services that enable organizations to achieve compliance with the PCI DSS.
The Latest Advancements in SSL Technology
Getting in Compliance with Government Data Regulations by Leveraging Online Security Technology
How to Offer the Strongest SSL Encryption
The Hydra and the Onion: A Multi-Layered Security Model for Today's Dynamic IT Threat Environment
Data Loss Prevention Starts at the Endpoint: Seeking Safety from the Data Loss Pandemic
Solving Online Credit Fraud Using Device Reputation
Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response
Building Competitive Advantage with Next-Generation Wireless Infrastructure
Find out what Forrester says about mobile endpoint security and its management.
Get Forrester's take on simplifying mobility with the universal wireless client.
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
Solutions to the Toughest IT Challenges in Remote Offices
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Analysts: Google Spreading Itself Too Thin
At 10, Google Reiterates Commitment to CIOs
Nokia Adds Address, Calendar Sync to Ovi
Oracle Said to Be Making Progress on Fusion Apps
Libertarian Barr, EPIC Outline Privacy Agenda
As Google Turns 10, Enterprise Success in Question
Innovative Thinking Gets a Kick in the Pants
Disk Storage Drove Ahead in Q2
MySQL Cofounder May Resign
VMware Virtual Servers Get 5X Faster Shadow Copy With V2 of Vreeam Backup
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
