
Myth 1: PCI is hard

13 Aug 2007 | SearchSecurityChannel.com


By John Kindervag

The No. 1 myth I hear from clients is that PCI is hard. It's not uncommon to find IT staff wringing their hands over where to start. A more accurate description might be that PCI is comprehensive. With 12 requirement areas, it can be a daunting task just to make sense of the documents. But in fact, PCI is just good, basic security. A diligent company should meet most of the requirements prior to even reviewing itself for PCI compliance. Additionally, there are products and services ready to be deployed to meet almost any of the requirements. IT departments don't have to reinvent any wheels to meet PCI.

By their own admission, the creators of the PCI standards designed good baseline security that could be reasonably attainable. This is not cutting edge stuff. For the most part, the majority of the requirements should already be part of the information security strategy, policy and infrastructure of any client with even the least attentiveness to creating a secure network.

What many people really seem to mean when they say PCI is hard is that it is not cheap. For years, IT security professionals within these organizations have known there are glaring gaps in the security posture of their companies. I have seen these people make tremendous efforts to plug their security holes, only to be shot down by finance because costs would be incurred.

You could, in fact, make a strong case that PCI is the direct result of poor corporate governance by organizations handling credit card data. Had those organizations made best-practice efforts to secure that data, credit card theft and fraud might have been negligible, thereby reducing the need for the credit card companies to create a set of minimum standards to help offset the risk of offering credit card services.

So PCI may be expensive, but it is certainly not hard.


Five myths of PCI compliance

  Introduction to the myths of PCI compliance
  Myth 1: PCI is hard
  Myth 2: PCI will make us secure
  Myth 3: Encryption is scary
  Myth 4: "I don't take enough credit cards…"
  Myth 5: Product X will make me compliant
About the author
John Kindervag is a 20-year veteran of the high-technology world. He is the senior security architect for Vigilar Inc., where he helps corporations design secure networks and manages Vigilar's Vulnerability Assessment and Compliance Practice. Kindervag holds a Bachelor of Arts degree in Communications from the University of Iowa.




All Rights Reserved, Copyright 2006 - 2008, TechTarget | Read our Privacy Policy