Firms failing to treat card data security seriously

Whilst initial compliance to the Payment Card Industry (PCI) Data Security Standard (DSS) required organisations to demonstrate the existence of appropriate policies and procedures, now there is a clear need is for a detailed audit trail to provide evidence to PCI assessors that all policies and procedures have been diligently followed. It is typically during a second audit that companies can often get caught.

The fundamental problem is that IT system changes can very quickly take an organisation out of its compliant state and create security vulnerability. Therefore, without continuous monitoring and reporting, the compliance process becomes both resource intensive and potentially valueless. Why spend months achieving PCI DSS compliance only to slip out of compliance due to a system change within weeks?

In order to achieve a known and compliant state, organisations must put in place system infrastructure monitoring with change auditing to ensure compliance is sustained or what we call "achieved and maintained." Changes can then be assessed, and IT staff can be immediately alerted to any unauthorised changes that take place. This not only raises an alert if an organisation slips out of compliance but also ensures potential security weaknesses are flagged before a customer data compromise can occur.

Whilst the credit card associations are unwilling to provide information on non-compliance, behind closed doors, 2008 saw a record level of fines issued. Against this backdrop, continuous monitoring is key to sustaining compliance and minimising business risk.

Yours sincerely,

Andrew Heather
General Manager, EMEA
Tripwire
www.tripwire.com