Hot on the heels of last month’s PCI compliance deadline for level one merchants, the standard is set to make the news again this week as version 2.0 is confirmed. The revised standard will reflect accumulated feedback that the PCI Security Standards Council (PCI SSC) has received from merchants and stakeholders regarding the need for increased clarity and improved flexibility. The anticipated effective date is Saturday 1 January 2011.
I’m welcoming the clarified guidelines, which should aid the many organisations that have still not met the PCI SSC’s previous recommendations. In March 2010, a survey by Redshift Research revealed that just eleven percent of UK organisations were PCI DSS compliant.
Some of the anticipated changes by the PCI SSC can’t come too soon. Reports show high rates of non-compliance, a fact often viewed as a reflection of the lack of clarity which has negatively affected the standard in the past. Guidance on virtualisation and the alignment between PCI DSS and the Payment Application Data Security Standard will also be welcome, while the evolving requirement for centralised logging of payment transactions is a definite plus.
Complaints about the clarity of PCI DSS are not new and are part of a bigger compliance headache that many companies must now deal with. Because compliance with multiple standards is now so commonly required, taking a siloed approach to each is both inefficient and ineffective.
Too many organisations view compliance as a one-time requirement instead of an ongoing process that can actually aid wider business operations. For example, companies that heed the PCI SSC’s recommendation to continuously log and monitor their networks will also find that they are able to gain deep insight into their IT systems, particularly how data is stored, accessed and used.
By capturing a complete picture of all the activity occurring across their entire infrastructures, organisations can detect any unauthorised event, regardless of whether it is related to credit card security, and can also pinpoint inefficiencies in their IT operations.
I believe that all organisations should look towards automated, centralised and fully integrated log management solutions to provide a unified view of business-wide IT activity. When combined with technologies like Security Information and Event Management (SIEM) and File Integrity Monitoring (FIM), an integrated log management platform provides the core functionality needed to effectively read and use the mass of data that all organisations now produce.