
Managing Multiple Card Brand Requirements For PCI DSS Compliance

December 29, 2009

Click Here To Download:
Article: Managing Multiple Card Brand Requirements For PCI DSS Compliance

By Gary Blume, Sr. VP of Corporate Strategy and Business Development for Lightwave Security

Meeting every requirement of the Payment Card Industry Data Security Standard (PCI DSS) can be a daunting task that involves security management practices, policies, secure software design and other protective measures. While the Standard is developed and maintained by the PCI Security Standards Council (SSC), each of the five major card brands (American Express, Discover, JCB, MasterCard and VISA) has established its own compliance program, so validation requirements, deadlines, fines and reporting standards may differ from brand to brand. What's more, both PCI DSS and the card brand requirements change periodically. For example, in December 2009, under pressure from the National Retail Federation (NRF), MasterCard reversed a requirement it had set only six months earlier that would have forced retailers to use a Qualified Security Assessor (QSA) instead of an internal audit team to validate PCI compliance. Keeping up with multiple, changing requirements further complicates compliance management, especially for small to medium size businesses (SMBs) with limited resources for such activities.

In addition to the challenge of managing differing validation requirements, many SMBs are finding that the yearly on-site PCI Data Security Assessment, once required only of Level 1 merchants, is now required at Level 2 and may one day be required at Level 3 and even Level 4 by some card brands. Going forward, SMBs should expect to see additional security obligations written into their contractual agreements with the major card brands, administered through either the acquiring bank or the transaction processor.

Fortunately, automated IT Governance, Risk and Compliance (IT GRC) solutions can help merchants manage the compliance process by "rationalizing" the various PCI DSS and card brand requirements, mapping overlapping controls to a single set of evidence so that effort is neither excessive nor duplicated. This article presents best practices for SMBs in implementing PCI DSS compliance technology and programs to reduce the cost of compliance year over year.
