By Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services
It is interesting to note that chip and PIN was missing from the study the PCI Council initially conducted in 2009 on emerging technologies, yet Bob Russo mentioned it specifically during a panel discussion at RSA. Key Management Insights recently posted this to their blog:
Bob Russo, General Manager of the PCI Security Standards Council, boiled it down to: “There needs to be a mind shift from just compliance to security [since] compliance is a byproduct of good security.” And when it comes to PCI DSS, Russo added, “PCI DSS is the baseline.” Russo hinted at some of the clarifications coming in the PCI DSS update in October 2010. He identified three of the technologies which are likely to receive clarification as:
- Chip & PIN technology
- End-to-end encryption
- Tokenization
The focus on new technology, though not a panacea, is an acknowledgement that payment data is difficult to secure with current methods. Retailers, which operate on tight margins, struggle to maintain the in-house expertise needed to put the right controls in place to protect the data they hold.
Given that, according to the most recent Verizon Business Data Breach Investigations Report, payment card data was stolen in 84 percent of the breaches it analysed for 2008, breaches that together exposed some 285 million records, the payment card industry realizes that something needs to be done. Breaches continue to rise, and if the industry does not act, the federal government is likely to impose additional regulation.
Continuous control monitoring is key to understanding what your security posture actually is. No environment is impenetrable, so it is critical to monitor your network continuously so that when a breach does occur it is detected and the correct action can be taken promptly.
Undoubtedly, the stakes of not complying with PCI DSS are rising. Companies that do not take PCI DSS seriously expose their customers and themselves to an unacceptable business risk, and their cost of doing business will surely rise to cover the net impact of breaches. The real question is whether those costs will rise in a controlled fashion as companies adopt best practices, such as outsourcing security to seasoned experts, or whether businesses will allow costs to spiral as they pay fines, compensation, and remediation costs in response to data breaches.
