
9 tips for maintaining PCI compliance

Howard Solomon
@HowardITWC
Published: November 11th, 2014
  • Be prepared

    Version 3.0 of the Payment Card Industry’s data security standard (PCI DSS) comes into effect Jan. 1, 2015. Most organizations should be prepared by now. But they also have to be ready to maintain compliance — and not just with a once-a-year assessment. We’ve borrowed from the PCI best practices guide to offer these tips on how to stay on top of it. For details, read the guide. But remember, compliance alone won’t prevent intrusions. All images from Shutterstock.com.


  • Maintain perspective

    Too often organizations get wrapped up in the compliance process and fail to establish effective long-term processes for maintaining the security of cardholder information. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities — not simply attaining a favourable Report on Compliance (ROC).


  • Name a co-ordinator

    A qualified compliance manager should be assigned overall responsibility for co-ordinating resources and be given adequate funding and the proper authority to organize and allocate those resources effectively. This person is also responsible for getting management support, for engaging key personnel in security functions, and for collecting evidence that shows the ongoing PCI controls are effective.


  • Emphasize security and risk

    In some organizations PCI DSS compliance may not be enough to mitigate all risks. Focus on building a culture of security and protecting the organization’s information assets and IT infrastructure. Compliance is a consequence. Version 3.0 of the standard calls for organizations to “implement a risk assessment process that is performed at least annually and upon significant changes to the environment.”


  • Hone risk assessments

    Risk assessments are a tool to help prioritize security efforts. When conducted regularly they allow organizations to keep up to date with business changes and provide a mechanism to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies. They also provide valuable information to help organizations determine whether additional controls are needed.


  • Continuously monitor security controls

    Document the implementation, effectiveness, adequacy, and status of all security controls. How often depends on factors such as how frequently a control is likely to change and whether it protects a high-impact system. Sampling may be necessary for data collection, but make sure the sample captures variations: samples of system components should include every type and combination in use. Automated control-monitoring tools can help.


  • Act fast

    It is imperative that organizations have processes for responding quickly to security control failures. These processes should include restoring normal operations as quickly as possible, then identifying the causes of the control failures. Failures in security controls can give attackers opportunities to launch other attacks within the environment. Once the control has been restored it may be necessary to increase monitoring frequency.


  • Develop metrics to measure success

    When metrics are analyzed properly, they can indicate whether sufficient controls are in place and whether they are operating effectively. Measure implementation (e.g. the percentage of IT systems with proper password policies), effectiveness/efficiency (the percentage of known vulnerabilities that have been patched), and impact (return on security investments).


  • Adjust the program to address changes

    As business objectives and technologies change, including through mergers and acquisitions and the loss of key IT security personnel, new attack vectors are introduced. So it is increasingly important for organizations to have sound change-management practices to keep up with the changing threat landscape. Establish manual or automated triggers to alert key personnel to such changes so they can analyze any associated risks.


  • Stay committed

    Maintaining a state of continuous compliance requires focused effort and co-ordination. Organizations that focus primarily on annual validation may find it difficult to build in the people, processes, and technology necessary to support sustained compliance. Executive sponsorship is critical if organizations want to be successful in implementing ongoing PCI DSS compliance programs.

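As an added example (not code from the article or from the PCI best practices guide), the Python script below shows how the "continuously monitor security controls" and "develop metrics" advice above could be applied to control evidence: it checks that a sample of system components covers every type/environment combination listed in an asset inventory, flags evidence older than an assumed review window (shorter for high-impact system types), and computes an implementation measure such as the percentage of systems whose password-policy check passed. The evidence records, inventory, control names, system types and review windows are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlRecord:
    """One piece of evidence that a control was checked on a system."""
    system: str          # system identifier
    system_type: str     # e.g. "pos", "db", "web"
    environment: str     # e.g. "store", "datacentre", "cloud"
    control: str         # which control was checked
    passed: bool         # whether the control passed this check
    checked_on: date     # when the evidence was collected


# Constructed evidence sample for illustration; not real data.
EVIDENCE = [
    ControlRecord("pos-01", "pos", "store", "password_policy", True, date(2015, 1, 10)),
    ControlRecord("pos-02", "pos", "store", "password_policy", False, date(2014, 12, 20)),
    ControlRecord("db-01", "db", "datacentre", "password_policy", True, date(2015, 1, 12)),
    ControlRecord("db-01", "db", "datacentre", "patching", True, date(2014, 10, 1)),
    ControlRecord("web-01", "web", "datacentre", "password_policy", True, date(2015, 1, 14)),
    ControlRecord("web-01", "web", "datacentre", "patching", False, date(2015, 1, 14)),
    ControlRecord("pos-01", "pos", "store", "patching", True, date(2014, 11, 20)),
]

# Every (system type, environment) combination in use, per a constructed asset inventory.
INVENTORY = {("pos", "store"), ("db", "datacentre"), ("web", "datacentre"), ("web", "cloud")}

# Assumed review windows: high-impact system types must be re-checked more often.
HIGH_IMPACT_TYPES = {"db"}
MAX_AGE = {"high": timedelta(days=30), "normal": timedelta(days=90)}

TODAY = date(2015, 1, 15)  # constructed reporting date


def sample_coverage_gaps(records, inventory):
    """Return inventory combinations that the evidence sample never covers."""
    sampled = {(r.system_type, r.environment) for r in records}
    return sorted(set(inventory) - sampled)


def stale_records(records, today):
    """Return evidence older than the review window for its system type."""
    stale = []
    for r in records:
        window = MAX_AGE["high"] if r.system_type in HIGH_IMPACT_TYPES else MAX_AGE["normal"]
        if today - r.checked_on > window:
            stale.append(r)
    return stale


def latest_per_system(records, control):
    """Keep only the most recent check of `control` for each system."""
    latest = {}
    for r in sorted(records, key=lambda rec: rec.checked_on):
        if r.control == control:
            latest[r.system] = r
    return latest


def implementation_rate(records, control):
    """Percentage of checked systems whose latest check of `control` passed."""
    latest = latest_per_system(records, control)
    if not latest:
        return None  # no evidence at all for this control
    passing = sum(1 for r in latest.values() if r.passed)
    return round(100.0 * passing / len(latest), 1)


def status_report(records, inventory, today):
    """Summarize sample coverage, stale evidence and implementation metrics."""
    controls = sorted({r.control for r in records})
    return {
        "coverage_gaps": sample_coverage_gaps(records, inventory),
        "stale": [(r.system, r.control) for r in stale_records(records, today)],
        "implementation": {c: implementation_rate(records, c) for c in controls},
    }


if __name__ == "__main__":
    for key, value in status_report(EVIDENCE, INVENTORY, TODAY).items():
        print(f"{key}: {value}")
```

In the constructed sample, the report shows that no web system in the cloud environment was sampled, that the database patching evidence is older than its 30-day window, and that password policies are in place on 75 per cent of the systems checked. A real program would feed the same functions from a configuration database or scanner export rather than a hand-built list.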
