PCI DSS stands for the Payment Card Industry Data Security Standard, and is an organization founded in 2004 as a result of the combination of 5 different security programs in operation at the time by Visa, MasterCard, Discover, JCB and American Express. The intent of this standard is to protect cardholder data (CHD) through an approach that covers every aspect of a technology based solution from policies through infrastructure and everything in between.
PCI DSS compliance attainment is a process that can be extremely daunting – but a process that is sure to yield improvements to the security position of everyone that ventures through the process. Navigating the waters of PCI DSS is a task best undertaken with the appropriate personnel and partnerships to assist in the journey.
One of these critical roles is an individual or company to assist with guiding your organization through the requirements of PCI DSS that has been there before, and has the capability to make recommendations based on their past experience. This role is critical to making your way through PCI DSS, and frankly the difference between costing and saving your organization money. The cost to an organization varies dramatically based upon several factors, with the most significant being resolving the PCI DSS requirements while doing so in a cost effective manner as there are literally a myriad of choices in the marketplace today. Seaming these choices together into an integrated security solution while saving you money is the role that this individual or company performs.
Another critical role is an individual or company to assist with implementation of your secure production solution into an environment that meets or exceeds the standards for physical security of PCI DSS.
Online Tech delivers a managed hosting solution that provides your organization with such facilities, having already attained their SAS-70 certification, they have the staff on hand to assist your organization with establishing your secure production network in a facility that passes all elements of PCI certification. Online Tech can provide experience and expertise to your team with architecting the solution, hardware acquisition, configuration of the equipment and required documentation – all critical elements of the PCI DSS solution.
Due to the sheer breadth of scope of a PCI DSS compliance endeavor, ultimately everyone in your organization will in some way, shape or form, be impacted by these efforts. All of the compliance efforts by your team and partners culminate with the affirmation from a QSA (Qualified Security Assessor), whose job it is to assess organizations against the PCI DSS standards and are certified to do so via the PCI Security Standards Council.
Companies have their stance against the PCI DSS standard evaluated by the QSA, with open items remediated and reviewed, then can make their submission to the PCI Council for certification. It is at this point that your company shifts from attaining PCI DSS compliance to maintaining PCI DSS compliance.
For my part, my name is Adam Goslin, your virtual MC for this tour through PCI DSS compliance. Having consulted with several organizations on their trip through PCI DSS, and having been in the position of both having to obtain PCI DSS for an organization, and having been engaged as a consultant to other organizations looking to attain certification for themselves – it has been a unique experience that provides a keen level of insight into the difference between the art and science of PCI navigation. My personal mission is to assist companies in enhancing their security stance – focusing in this case on attaining and maintaining their compliance with PCI DSS as there are many good choices on the market when making selections for PCI and just as many bad ones.
Look for the next post in this series in March that will provide an overview of the PCI DSS Control Objectives before we get into a detailed review of each objective.
Adam Goslin, Co-Founder, High Bit Security, LLC
Adam has an IT career that spans more than 15 years, recently leading the IT and Infrastructure teams of Osiris Innovations Group as the Vice-President of IT, including leading the company through achieving PCI DSS Compliance. Adam went on to found the full service security firm, High Bit Security, LLC., specializing in assisting companies looking to achieve Payment Card Industry Data Security Standards compliance; and cost effective Penetration Testing.
For more information about PCI compliance, you can email Adam at agoslin at highbitsecurity.com
This article was very interesting IMHO in that Adam emphasized the security aspect of the PCI DSS. While it is not all that hard to get a checkmark in various areas, that often comes at the cost of real, ongoing security. If you take care of the security, especially in an automated 24×7 way, the compliance becomes just about free. If, however, you just want that checkmark, you may achieve PCI compliance on paper but you will not maintain it, as Adam suggests you should, or be safe from attack.
My company helps our customers meet and exceed the PCI requirements for wireless scanning by concentrating on security and I was glad to see Adam focusing that way as well. I liken the checkmark to putting an ADT sign in the front of your house and hoping that the burglars won’t find out that you don;t have a security system or that you leave the door unlocked most of the time.
[...] first blog in this series provided a historical overview and introduction to PCI compliance. This blog provides an overview of PCI DSS, which is aligned into 6 principles of PCI compliance [...]