The folks at processor.com have published an article with some helpful insights and suggestions for companies working on achieving or maintaining PCI compliance.
Among other things, the article points out that the majority of companies who think they are PCI compliant may end up being surprised. “Among companies that consider their operations PCI compliant, only 21% were found to be truly compliant, according to a Verizon study. Companies should go beyond compliance and consider network monitoring tools and endpoint security measures that keep your data center safe from attack.”
Version 2.0 of the PCI DSS, which was recently released and goes into effect January 1, 2011, reflects the recognition of this challenge, as it shows a move away from the traditional check-list approach and incorporate much more language encouraging a true risk-based approach to controlling security.
Halock QSA’s are available to assist organizations who want to be certain they are truly compliant with the intent of the PCI DSS. Our consultants have always embraced the risk-based approach now being called for by the PCI Council and the DSS. If providing good, strong security remains the primary focus, then checking the boxes for compliance will not be a problem.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services