Security Vendors Form PCI Alliance
February 13, 2007 Alex Woodie
Compared to the mysterious and daunting nature of Sarbanes-Oxley, the technical steps that companies must take to comply with the Payment Card Industry (PCI) data security standard are crystal clear. Just the same, questions on PCI remain. As of last month, thanks to the creation of the PCI Security Vendor Alliance, there’s an organization dedicated to providing answers.
In 2005, the card payment industry started implementing minimum security guidelines that companies must follow to ensure the safety of sensitive data included in credit, debit, gift, and point of sale (POS) transactions. A vendor that failed to adopt the guidelines–first implemented by Visa with its Cardholder Information Security Program (CISP) and later adopted industry-wide via PCI–would face fines ranging into the hundreds of thousands of dollars, and eventually banishment from the electronic payment network for continued negligence.
Luckily for systems administrators, the PCI group outlined relatively clear technical goals for achieving compliance, including having basic network security such as a firewall and antivirus software, encrypting data in transit, implementing tight user-access controls, and tracking and monitoring mechanisms.
However, there’s still a lack of awareness of PCI, says Jon Oltsik, a senior analyst with the Enterprise Strategy Group, an IT analyst group focused on storage issues. “Even with all the press on data security breaches and the corporate and personal costs that accrue from them, there is still only limited awareness of the PCI data security standards,” Oltsik says.
That’s where the PCI SVA comes in. The group was founded by eight security software companies last month to educate technology users about PCI, and to spread the PCI gospel to technology and solution providers as well.
The eight co-founders–including ConfigureSoft, Cyber-Ark, Modulo Security, Proginet, Protegrity, Reflex Security, SafeNet, and Verisign–say they plan to create a series of case studies, seminars, return-on-investment analyses, and white papers showing how organizations may achieve compliance with the PCI DSS requirements efficiently and on-budget.
Two things that the PCI SVA will not do is certify security products or services, or certify companies PCI remediation activities. Any product certification for the PCI’s Data Security Standard (DSS) is handled by the PCI Security Standards Council itself, whereas the final determination of compliance is made by the individual credit card brands or by certified auditors.
For more information about the PCI SVA, including an application form for vendors wishing to join the group, go to www.pcialliance.org.