As The Latest PCI Deadline Looms, Merchants Should Avoid ‘Quick Fix’ Compliance Measures

On Thursday 30 September 2010, the latest PCI DSS deadline kicks in, requiring all level one merchants (those processing more than six million transactions per year) to adhere to the original v1.2 guidelines or face the consequences of non-compliance. The deadline also affects level two, three and four merchants. From here forward, any smaller company suffering a breach will be automatically moved up to level one status, resulting in additional policies, procedures and higher costs.

With this latest deadline looming – and the penalties for non-compliance more costly and onerous than ever – merchants are currently focused on achieving compliance. However, organisations should be warned against taking quick fix measures in order to meet the impending deadline.

Many merchants are falling into the trap of viewing PCI DSS as a list of requirements that simply need to be ticked off within a specific timeframe. However, compliance is not a one-time requirement; organisations should instead approach it as an ongoing process that requires the automation and optimisation of increasingly complex IT and data operations.

Merchants are all too often treating PCI compliance as the responsibility of a single business division, without considering how the measures it prescribes can improve operational efficiency across all areas of the organisation.

Many merchants are taking a siloed approach to PCI DSS, thinking only about how it impacts card transaction procedures, rather than viewing it as a set of best practices that can actually improve the performance of the entire business. While such ‘kneejerk’ responses to PCI mandates may seem relatively cheap to implement, in reality they are a false economy. Instead, it makes sense to deploy monitoring solutions that can add value in as many areas as possible. After all, there is a significant difference between simply complying and actually doing something that benefits the business as a whole.

Automated, centralised and fully integrated log management platforms, capable of providing deep insight into how IT systems are being utilised across the whole business on an ongoing basis, should be the cornerstone of compliance strategies. Indeed, the latest UK Security Breach Investigation Report indicates that, of all the merchants suffering a cardholder data breach in 2010, none were compliant with PCI DSS requirement 10, which states that merchants must regularly monitor access to network resources and cardholder data as a way of proactively spotting unusual or suspicious behaviour.

This position is endorsed by the PCI Security Standards Council, which has released a statement informing merchants that “It is not enough to validate compliance annually and not adopt security into an organisation’s ongoing business practices… Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organisation’s security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete.”


Ross Brewer brings over 22 years of sales and management experience in high tech and information security. Prior to joining LogRhythm, he was a senior executive at LogLogic, where he served as vice president and managing director EMEA. Ross has held senior management and sales positions in Europe for systems and security management vendor NetIQ and security vendor PentaSafe (acquired by NetIQ). He was also responsible for launching Symantec’s New Zealand operations.