The lowdown on PCI compliance


Kevin Beaver, CISSP
08.07.2009
I don't know about you, but I'm getting kind of tired of hearing about PCI DSS. Yes, an information security consultant who earns his living, in part, off of compliance is saying he's tired of a big component of the compliance equation. Let me elaborate.

I'm really just tired of two things. First, all the marketing hype the vendors are putting out there about how their products are going to magically make you compliant with PCI DSS. Second, all the differing opinions about what it takes to be compliant with this regulation are getting old too. There are books, whitepapers, seminars, scanning services – you name it. If you need to comply with PCI DSS, there's a self-proclaimed expert on every corner out there who wants to help.

Since you're reading this, PCI DSS probably affects you and your business in some way. As with many organizations, it's likely in the context of Web security. Well, if so, you're in luck. Here's the lowdown on what PCI DSS is all about. First off, there's this security scan requirement in PCI DSS that everything seems to revolve around. In doing security scans myself, I'm here to tell you that security scans aren't everything. I can't tell you how many businesses I come across that vouch they're secure or compliant just because they've had some PCI-certified scanning vendor run a quick scan and tell them everything's OK. It's not that simple. I've used some of these very tools that the vendors say will find vulnerabilities in your applications and point out where you're out of compliance with PCI. I've seen them not find any flaws at all while, at the same time, another vendor's tool uncovers cross-site scripting, SQL injection, and so on. Do your homework before buying into companies that tout "Web scans for PCI compliance". If you show me a Web application out there that doesn't have any vulnerabilities, I'll show you an application that hasn't been tested in the right ways.

Relying on scans alone is one thing. Hiring a PCI Qualified Security Assessor (QSA) is something else. You'd think they'd find everything that counts, but it's not that simple. Information systems – especially Web applications – can be extremely complex, and even the best QSAs out there may not uncover everything that matters. Just ask Heartland Payment Systems. This is especially true if the people doing the assessments are just out of grad school and don't have a good mix of skills to know what to look for.

Another thing is that you're probably not going to have PCI police knocking on your door. No one's going to jail over failing to comply with PCI DSS. After all, it's an industry regulation – not a law. That said, all it takes is one breach of your payment-related systems to get your business in a real bind. A business that loses credit card processing privileges in today's world is destined to take a big hit.

Finally, PCI DSS is nothing more than a set of solid information security practices bundled up in a neat little package that's being pushed as yet another separate component of compliance you have to deal with. Don't fall for this. You shouldn't focus on PCI DSS in a standalone fashion if your business falls under the scope of other regulations such as HIPAA, GLBA, SOX, and so on. Odds are it does. Work with your compliance officer, or if you're like many other IT professionals and you are the compliance officer, try to get a handle on what other regulations your business is up against and focus on "information security" as a whole. This will allow you to touch all of the important areas (risk assessment, policies and controls, visibility, automation, and so on) so you can kill two, or three, or four birds with one stone rather than addressing each regulation on its own. This is all the same stuff, folks.

Getting your compliance priorities in order is absolutely necessary. Just don't pour all your energy and money into security for the sake of compliance. Even though PCI DSS is a regulation with explicit requirements, you have to temper it with some good old-fashioned common sense – for that's the stuff smart security consists of.


About the author: Kevin Beaver is an information security consultant, expert witness, as well as a seminar leader and keynote speaker with Atlanta-based Principle Logic, LLC. With over 20 years of experience in the industry, Kevin specializes in performing independent security assessments revolving around compliance and managing information risks. He has authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com.
