It's imperative that IT professionals become well-versed in all of the PCI DSS regulations.
PCI DSS compliance requirements will continually evolve under the auspices of the PCI Security Standards Council throughout a newly defined 36-month lifecycle. This may mean that the security "tweaks" that IT implements today for PCI DSS 2.0 may be inadequate to handle the data security requirements of the next version of the standard.
However, by rethinking the use of underlying components that IT uses in its data transfer arsenal, forward-thinking IT shops are arming themselves to meet the changing requirements of PCI DSS and other compliance requirements. With better—as well as more—configurable, automated, and secure data transfer tools, these professionals are building new technology strategies to meet and/or exceed the compliance requirements for today and tomorrow.
PCI DSS Version 2.0 is here, and companies are challenged with the task of modifying their security systems to meet the requirements. But some IT groups are taking a new and creative path toward PCI DSS compliance. Instead of struggling to meet compliance requirements with legacy data transfer tools, they are implementing managed file transfer solutions that include DMZ gateways.
This unique and cost-effective strategy provides better, more configurable tools to help IT staffs achieve PCI DSS compliance more easily, while laying a good foundation for future security enhancements.
What Is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is the information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. It's defined by the Payment Card Industry Security Standards Council as a method to increase privacy controls over cardholder data and reduce credit card fraud due to accidental or deliberate exposure.
PCI DSS 2.0 was released in 2010 and required for adoption by all entities that process, store, or transmit credit/debit card data by January 2011.
Validation of compliance with PCI DSS must be performed annually, beginning January 1, 2012, by an external Qualified Security Assessor (QSA) at organizations that handle large volumes of transactions, or by a Self-Assessment Questionnaire (SAQ) at companies managing smaller volumes.
The Danger of Non-Compliance
If your organization experiences a security breach—without proof of compliance to PCI DSS 2.0 at the time of the breach—the lack of compliance will result in fines and penalties from the payment card brand (Visa, MasterCard, etc.). The fines are not trivial: $5,000 to $100,000 per month until your organization attains compliance, and could result in termination of your merchant account by the bank.
Therefore it's imperative that IT professionals become well-versed in all of the PCI DSS regulations to learn how to most efficiently implement its technical compliance requirements in their organization.