Gary Palgon
Vice President, Product Management
nuBridges
April Fool’s? Not!
It’s kind of funny when you think about it. The U.S. House of Representatives held a hearing on April Fool’s Day to debate the merits of the Payment Card Industry’s Payment Security Standard (PCI DSS), noting that it has failed to keep consumer credit card information safe. (Source: Computer World)
Recognizing that the PCI DSS is a standard generated in the private sector by payment card vendors such as Visa, MasterCard and American Express, the public officials must have felt that they’ve had such great success with their own regulatory requirements, such as SOX and HIPAA, that they can lend a hand to the payment card industry. HIPAA was ratified in August 1996, and it was eleven years later, in June 2007, before the first audit was conducted. (Source: Computer World) Not necessarily the best example of a quick path to ensuring patients’ sensitive information is protected -- given we’re still not there!
While I agree that compliance with the PCI DSS does not ensure your environment is secure, it is still the best technical standard available. It should be used in conjunction with a security framework such as ISO 27002 to make sure that best practices for people, process and technology are developed and maintained on a regular basis.
At the same time, members of the PCI Security Standards Council (PCI SSC), of which nuBridges is a member, know there are a few shortcomings. Three examples include the security of virtualized environments; the lack of a requirement to encrypt internal information in transit (the standard only requires that external information in transit be secured); and deferred charging of purchases on credit cards. The standard will continue to evolve, but there is no debating that it is helping companies become more secure as part of their compliance efforts.
Until next time,
Gary