
QSA crucial for PCI compliance

By Jacob Nthoiwa, ITWeb journalist.
Johannesburg, 12 May 2011

Payment card industry data security standards compliance can be costly and time-consuming.

When speaking at the ITWeb Security Summit, Vodacom SA's head of technology security and governance, Vernon Fryer, said to avoid the headaches of payment card industry (PCI) audits, businesses should invest in qualified security assessors (QSAs).

He gave an overview of how to achieve PCI data security standards compliance from start to “attestation of compliance”.

Fryer said businesses should start by picking QSAs who truly understand their needs and challenges to comply with PCI standards.

“The QSA should be involved at an early stage of the project since they are experts who have been trained and certified to perform detailed on-site audits.”

QSAs are there to interpret PCI standards, as applicable to a client's systems and environment, he said.

They also deliver quality validation and assessment services to merchants and service providers by adhering to validation requirements and maintaining consistent assessor procedures and reporting, he added.

In a bid to comply with PCI standards, the major challenge is building the right environment, Fryer pointed out. “In many instances, they [businesses] struggle with changing the business mindset as well as obtaining the budget.”

With QSAs, a business is able to coordinate the numerous initiatives undertaken by various personnel within the organisation, all working towards a common goal, he advised.

The right mix

The right selection of QSAs, solutions and vendors can ensure a business has a continuous enforcement of all its PCI security settings, configurations and access controls, Fryer pointed out.

He advised businesses to agree on the architecture before selecting product solutions, to create awareness at the start of the project, and to maintain the evidence database from day one. “This saves money,” he said.

He warned organisations to be wary of self-styled PCI “experts” and “we know all” vendors. “If the company chooses the wrong vendor, this can cost a company a lot of money and in the end it can fail the PCI audit.”

Most of these companies offer products that address specific, narrow security requirements such as firewalls, anti-virus solutions and encryption, he said.

“Many of these vendors use PCI as a way to market their products,” he warned. These point-solution vendors often try to give the impression that they solve all of the PCI requirements.

He pointed out that PCI requirements are so broad and cover so many different issues that they cannot be solved with any one solution, especially a purely technical product.

According to Fryer, building up this bench of solutions requires a lot of security expertise. Having a QSA can help an organisation navigate through the maze of technical details, he pointed out.

He advised businesses to remember that the QSA is always right, because they are professionals trained in the field of data security compliance.
