ESET Tech Tip
August 11, 2011 | Volume 5, Issue 8 | www.sdchamber.org
You are PCI Compliant, but Are You Secure?
PCI stands for Payment Card Industry, and PCI DSS stands for Payment Card Industry Data Security Standard. If you accept credit or debit cards, you are probably affected by compliance issues. The idea behind PCI DSS is to establish standards that help protect against fraud and keep cardholder data confidential.
Some people mistakenly believe that if they are PCI DSS compliant it means that they are secure. This simply is not the case. The standards are a baseline that sets a minimal level of security, but they are not enough to ensure a high level of security.
A few of the standards include using a firewall, using antivirus software, and not using vendor-supplied default passwords. According to information at Wikipedia.org, there are about 12 compliance standards, but there are also about 220 sub-standards.
In recent years companies such as TJX, Heartland, and Hannaford Brothers have had serious data breaches, yet were found to be in compliance with the PCI DSS standards. In reality they probably were not in compliance at the exact time of the breach; however, Hannaford Brothers reportedly received compliance validation a day after learning of a two-month-long security breach.
There are many different firewall, antivirus, and other security products, and they are not all equal. A company choosing a mediocre antivirus product can still be compliant. All things being equal, a company using a superior antivirus product will be more secure. Changing a vendor's default password is a great idea, but it doesn't help much if it is changed to a weak password.
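To make the default-password point concrete, here is an added example (not ESET's code or part of the original column) that runs a checklist-style check and a strength check side by side over constructed sample accounts; the vendor default list, the weak-password list and the account names are all made up for illustration.

```python
import math
import re

# Constructed sample of vendor default credentials (illustrative, not real product values).
VENDOR_DEFAULTS = {"admin", "password", "changeme", "default"}

# Constructed list of common weak choices that any attacker wordlist would already contain.
COMMON_WEAK = {"password1", "welcome1", "summer2011", "qwerty123", "admin123"}


def passes_default_password_check(password: str) -> bool:
    """The checklist item: the vendor-supplied default has been changed."""
    return password.lower() not in VENDOR_DEFAULTS


def estimate_entropy_bits(password: str) -> float:
    """Rough charset-based estimate: length * log2(size of character classes used)."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33
    return len(password) * math.log2(charset) if charset else 0.0


def passes_strength_check(password: str, min_bits: float = 60.0) -> bool:
    """The security check the checklist does not require: not a known weak value, long, high entropy."""
    lowered = password.lower()
    if lowered in COMMON_WEAK or lowered in VENDOR_DEFAULTS:
        return False
    return len(password) >= 12 and estimate_entropy_bits(password) >= min_bits


def audit(credentials: dict) -> dict:
    """Return {account: (compliant, secure)} so the two verdicts can be compared per account."""
    return {user: (passes_default_password_check(pw), passes_strength_check(pw))
            for user, pw in credentials.items()}


# Constructed sample accounts: default left in place, default changed to a weak value, strong value.
SAMPLE_CREDENTIALS = {
    "pos-terminal-1": "admin",
    "pos-terminal-2": "Password1",
    "db-service": "T7#kq!Vn2wLz9pR",
}

if __name__ == "__main__":
    for account, (compliant, secure) in audit(SAMPLE_CREDENTIALS).items():
        print(f"{account}: compliant={compliant} secure={secure}")
```

The second account is the case the column warns about: it clears the "default changed" checklist item yet fails the strength check, so a compliant result says nothing about whether the password would survive a guessing attack.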
Being PCI compliant helps protect you against penalties should a breach occur, but simply meeting the standards is not enough. If your company needs to be PCI compliant, it would be a wise investment to hire a good security consultant to help bring your organization up to a truly secure environment.
Perhaps the biggest mistake companies make when it comes to PCI DSS compliance is thinking that they are done when the checklist is complete. Completing the checklist is only the beginning. Security requires constant vigilance. Don't be fooled into thinking that once you have achieved compliance the work is done!
If you have any questions about this or any other general security questions, feel free to email me at askeset@eset.com.


