How will the planned changes in PCI-DSS affect the channel?


Opportunity knocks.

Each iteration of the Payment Card Industry Data Security Standard (PCI-DSS) brings requirements that are more specific about the controls needed to safeguard critical data and infrastructure assets. Sometimes these changes mean selecting and adopting new technology; more often they mean adapting an existing PCI-DSS control so that it is more effective.

Sometimes these changes are subtle; sometimes they are profound. The upcoming changes in PCI-DSS are a little of both, but rather than focus on them specifically, let's look at PCI-DSS compliance in general.

At this point it should be clear to everyone with a pulse that the shift in the requirements from "should" to "shall" is driven by the ever-increasing pace of data breaches and by the legislation governing their disclosure and remedy.

What PCI-DSS represents is the minimum standard the industry requires as evidence that a certain level of due care and diligence has been exercised. It does not, however, certify that an entity that is "PCI compliant" is "secure." Nor does it mean that risk has been appropriately managed and mitigated to an acceptable level. It simply means that certain steps have been taken to comply with the requirements defined in the standard.

If you need an example, look no further than the recent case of Hannaford Brothers groceries, a company that was certified as being compliant with PCI-DSS and managed to suffer an egregious security breach.

Why is this unfortunate example an opportunity for the channel? The answer comes in two parts:

First, it's clear that compliance does not equal security. Despite the need for compliance, digging down deep with a customer and partnering with them to manage risk -- of which compliance is a by-product -- provides a true service that is a win-win for both you and your customer.

Second, refuse to offer "compliance made easy" as a solution to your customers. This will earn you respect. As revisions to compliance regulations arise, you will be the trusted advisor who provides assessments of readiness against those requirements. If you can combine a well-stocked solutions portfolio, one that addresses the technical requirements needed to satisfy the evolving elements of compliance, with a strategic, risk-focused consulting approach, you will gain the trust of your customers.

This was first published in May 2008