McGeorge Bundy, US National Security Advisor to Presidents John F. Kennedy and Lyndon B. Johnson, once said: “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”

Protect your Card Holder Data.


Thinking about data security, what are your diamonds and how can you keep them safe with PCI Compliance?

It is obvious that, given limited resources, businesses tend to concentrate on the areas that have the greatest impact. Many organisations at the outset of a PCI DSS compliance programme find that only a small handful of systems and system components actually process and/or transmit payment card data; these assets are attached, along with a large number of others, to the corporate network.

Without adequate network segmentation it is not possible to treat the systems and components that handle credit cards separately from the other systems attached to the corporate network: everything attached to the network must be secured to the same compliance standard, because it is all in scope.

Most organisations attempt to create separate logical network zones (VLANs, Virtual Local Area Networks) in which the systems and components that handle payment cards are separated from the rest of the corporate network. This practice is commonly referred to as PCI Scope Reduction. With segmentation in place, the security controls need to be applied to fewer systems and components.

To further minimise the number of in-scope systems and components, many organisations look to separate payment card data from other transaction and personal data, creating a separate dedicated payment card vault where they can focus all of their attention.
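As an added illustration of why segmentation shrinks scope (example code written for this article, not Advantio's own tooling), the Python below models a constructed asset inventory and counts which assets a PCI DSS assessment would treat as in scope on a flat network versus behind a firewall allow-list between VLANs. The scoping rule it applies (CDE systems plus directly connected systems) is a deliberate simplification, and every host name and flow is made up.

```python
from itertools import permutations

# Constructed example inventory (not from any real environment).
ASSETS = ["pos-terminal", "payment-gw", "card-vault", "jump-host",
          "file-server", "hr-db", "mail-server", "workstation-1"]

# Systems that store, process or transmit cardholder data: the CDE itself.
CHD_SYSTEMS = {"pos-terminal", "payment-gw", "card-vault"}


def flat_network_flows(assets):
    """A single flat network: every host can talk to every other host."""
    return set(permutations(assets, 2))


# Firewall allow-list between the card-handling VLAN and the rest (constructed).
SEGMENTED_FLOWS = {
    ("pos-terminal", "payment-gw"),
    ("payment-gw", "card-vault"),
    ("jump-host", "payment-gw"),   # administrative access into the zone
    ("jump-host", "card-vault"),
    ("workstation-1", "file-server"),
    ("workstation-1", "mail-server"),
    ("hr-db", "file-server"),
}


def pci_scope(chd_systems, flows):
    """Return the in-scope set: CDE systems plus every system with a permitted
    network path to or from a CDE system ("connected-to" systems).

    Assumption for this example: scope stops at one hop. PCI guidance also
    pulls in systems that can affect the security of the CDE (directory,
    patching or logging servers), which a real assessment must add by hand.
    """
    scope = set(chd_systems)
    for src, dst in flows:
        if src in chd_systems or dst in chd_systems:
            scope.add(src)
            scope.add(dst)
    return scope


if __name__ == "__main__":
    flat = pci_scope(CHD_SYSTEMS, flat_network_flows(ASSETS))
    segmented = pci_scope(CHD_SYSTEMS, SEGMENTED_FLOWS)
    print(f"flat network: {len(flat)} of {len(ASSETS)} assets in scope")
    print(f"segmented:    {len(segmented)} of {len(ASSETS)} assets in scope "
          f"-> {sorted(segmented)}")
```

On the flat network all eight assets end up in scope; with the allow-list only the three CDE systems and the jump host do, which is the whole point of scope reduction.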

Are these the diamonds you are looking for?

If your diamonds are credit cards, then it is logical to concentrate all of the effort on securing them. The payment brands, acquiring banks and service providers consistently enforce the message that organisations must keep their eyes on payment card data. The business driver pushing the compliance project often tends to be the fear of financial penalties from the acquiring bank.

However, perhaps it is time to stop and think: are these really the only diamonds you are looking for? Many organisations, in their haste to secure credit card data, increase the risks to the other diamonds held by the organisation, such as their customers' personal data.

This applies within Europe as well, where organisations and merchants have a legal responsibility to guard their customers' personal data (European Union Data Protection Directive).


Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking in simple language and trying to show readers the benefit of IT Security best practices.