Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Public Teleconferences
Join CIO Executive Council members and participate in the following live one-hour teleconferences:
* Transforming IT Teams
September 16
* Global CIOs: How to Lead on the World Stage
September 18
* Social Responsibility's Strategic Benefits
October 29
Apply today for a FREE subscription to CIO Magazine!
PCI Standards Body Moves Ahead on Payment-Application Certification
PCI Security Standards Council releases list of certified payment applications under Payment Application Data Security Standard.
April 17, 2008 — CIO — The PCI Security Standards Council, which establishes requirements for the payment-card industry, yesterday formally launched its payment-application security program.
The Council announced the Payment Application Data Security Standard (PA-DSS) as an effort distinct from its older Data Security Standard 1.1 (DSS 1.1).
DSS 1.1 comprises a list of 12 broad-based security requirements that the payment-card associations and banks, which enforce compliance mandates, ask any business handling credit or debit cards to follow or face consequences, which could include fines or higher fees.
In contrast, the PA-DSS program is intended to cover testing and certification requirements for payment applications sold, distributed or licensed to third parties and installed off-the-shelf without much customization. The Council has published a frequently-asked questions document emphasizing that payment applications developed in-house by merchants or service providers are not subject to the PA-DSS requirements.
PA-DSS entails the Council assuming responsibility for Visa's Payment Application Best Practices program, with the Council's payment-brand membership, American Express, Discover Financial Services, JCB International and MasterCard, backing what had been only a Visa requirement for vendor-developed payment applications.
But more is on tap from the PCI Security Standards Council, says Bob Russo, its general manager. "Later this year we'll be rolling out a new version of the DSS," says Russo, noting this is expected to be in the September timeframe, with a possible 2.0 version.
Russo points out that the revised DSS will basically seek to clarify the 12-point DSS guidelines to answer questions that have come up, which are impacting decisions that businesses are making to comply with DSS 1.1
And there are many.
One security manager for a large U.S.-based bank, who asked he not be named, says it's not clear whether a requirement for "segmentation" of the network for purposes of protecting card data means you have to use a LAN.
In another instance, the DSS 1.1 requirement for firewalls is subject to question. The Jericho Forum, an international organization of about 60 large multi-national companies dedicated to finding innovative e-commerce security methods, believes network firewalls may not be the best approach in all situations involving online collaboration.
Russo says he would be happy to open a dialog on the question of firewalls in order to hear about what could be viable alternatives. He said the Council is receiving input now to grasp the major questions about DSS.
Another change already envisioned for DSS entails making the so-called "6.6 requirement" for application security, now a voluntary process that calls for either buying a Web application gateway or performing a code review, mandatory this June.
Email, blogging and mobile devices are important business tools, but they expose enterprises to legal, financial and regulatory risks.
Outbound email is essential to running any business today — allowing us to share information, work with partners and even interact with customers.
When it comes to technology investments, virtualization demonstrates drop-dead-obvious ROI.
Growing regulations are pressuring enterprises to find effective, affordable and easy email encryption solutions.
Today, there are many ways to approach email security — the question is: what deployment model is right for you?
Riverbed Raises the Ante Again in WDS with RiOS 5.0
Stop mobility from jeopardizing PCI compliance with these best practices.
Find out how the universal client can cut complexity and cost from your mobility environment.
Learn best practices for maximizing your mobile workforce infrastructure.
File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
Encryption Made Easy: The Advantages of Identity Based Encryption
Rethinking the Corporate Help Desk: Learn how to deliver anywhere, anytime incident response
Building Competitive Advantage with Next-Generation Wireless Infrastructure
The Great Email Security Debate: Appliances, SaaS, or Virtual?
Find out what Forrester says about mobile endpoint security and its management.
Get Forrester's take on simplifying mobility with the universal wireless client.
Advanced DNS and Traffic Management Solutions: The Keys to Enhancing and Securing your Enterprise Network
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Wall Street Beat: Spending Slows, Dell Does Too
Comcast Sets Monthly Bandwidth Limit for Customers
Dell Profit Falls As Revenue Grows
Google Extends Apps Premier Credit for Gmail Outages
Dell Profit Falls As Revenue Grows
Author Beware: 'Net Publisher's IT Pitfalls
Google Introduces Android Apps Store
Malware Infects International Space Station (ISS) Laptops
Google Extends Apps Premier Credit for Gmail Outages
Fujitsu Siemens Shows Its First Netbook
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
