A credit card, the biggest beneficiary of the ...

A credit card, the biggest beneficiary of the Marquette Bank decision (Photo credit: Wikipedia)

Council Issues Guidelines to Address Security Shortcomings

In its just-released guidelines for ongoing risk assessments, the Payment Card Industry Security Standards Council notes three specific areas for improvement.

The guidelines, which are intended for any organization that handles credit or debit card data, offer specific recommendations for risk assessments, such as how to create an internal risk-assessment team and address risk reporting.

But Bob Russo, general manager of the PCI Council, points out that card data is only as secure as the weakest link in the payments chain. Compliance with PCI-DSS is the responsibility of all organizations and businesses that handle card data, he stresses. They must ensure that all links in the payments chain keep card-data protections up-to-date.

“The standard requires an annual risk assessment, because the DSS validation is only a snapshot of your compliance at a particular point in time,” Russo says.

Requirement 12.1.2 of the PCI-DSS states that any organization that processes or handles payment cards must perform a risk assessment at least annually. The PCI Council’s new recommendations include the need for:

  • A formalized risk assessment methodology that fits the culture of the organization;
  • A continuous risk assessment process that addresses emerging threats and vulnerabilities;
  • An approach that uses risk assessments to complement, not replace, ongoing PCI Data Security Standard compliance.

While the PCI Council does not enforce compliance, merchants, processors and others found to be out of PCI compliance after a breach or some other event will likely face steep fines from the card networks.

“Performing a risk assessment at least annually will help you identify the security gaps and address them,” Russo says. “The council received a lot of requests for clarity here. We hope the guidelines help them in their efforts to establish an annual process.”

To find out how to identify and address common threats in a risk assessment by Tracy Kitten …