As the PCI deadline looms, merchants should avoid quick fix measures
On Thursday 30 September 2010, the latest PCI DSS deadline kicks in, requiring all level one merchants (those processing more than six million transactions per year) to adhere to the original v1.2 guidelines or face the consequences of non-compliance.
The deadline also affects level two, three and four merchants. From here forward, any smaller company suffering a breach will be automatically moved up to level one status, resulting in additional policies, procedures and higher costs.
With this latest deadline looming – and the penalties for non-compliance more costly and onerous than ever – merchants are currently focused on achieving compliance. However, organizations shouldn’t use quick fix measures in order to meet the impending deadline.
“Many merchants are falling into the trap of viewing PCI DSS as a list of requirements that simply need to be ticked off a list within a specific timeframe,” said Ross Brewer, VP at LogRhythm. “However, compliance is not a one-time only requirement; instead, organizations should approach it as an ongoing process that requires the automation and optimization of increasingly complex IT and data operations.”
Merchants are all too often treating PCI compliance as the responsibility of a single business division, without considering how the measures it prescribes can improve operational efficiency across all areas of the organization.
“Many merchants are taking a siloed approach to PCI DSS, thinking about how it impacts card transaction procedures, rather than viewing it as a set of best practices that can actually improve the performance of the entire business,” continued Brewer. “While such ‘kneejerk’ responses to PCI mandates may seem relatively cheap to implement, in reality they are a false economy. Instead, it makes sense to deploy monitoring solutions that can add value in as many areas as possible; after all, there is a significant difference between simply complying and actually doing something that benefits the business as a whole.”
Automated, centralized and fully integrated log management platforms, capable of providing deep insight into how IT systems are being utilized across the whole business on an ongoing basis, should be the cornerstone of merchants’ compliance strategies.
This position is endorsed by the PCI Security Standards Council which has released a statement informing merchants that, “It is not enough to validate compliance annually and not adopt security into an organization’s ongoing business practices… Validation to the principles and practices mandated in the PCI DSS plays an integral part in an organization’s security posture, but basic monitoring and logging cannot be set aside after a security assessment is complete.”