Data standard compliance essential
The Payment Card Industry Data Security Standard has proven to be highly effective at protecting data, says Fortinet.
In today's online world, bank account details, credit card and PIN information sell for a premium on the black market.
Often, organisations do not realise the risk they are exposed to by the Internet, says Perry Hutton, regional director for Africa at Fortinet. "We are seeing an increase in local attacks. Today, anyone connected to the Internet is a possible target."
According to Hutton, the Payment Card Industry Data Security Standard (PCI-DSS) has proven to be highly effective at protecting data against possible breaches. Hutton notes that the standard, which was introduced almost 10 years ago, has become a 'must-have' certification.
The PCI-DSS was put in place to enforce how companies manage their information security, procedures, policies, network architecture, software design and other data protection measures. "The standard incorporates all aspects of IT infrastructure that support the security of credit card holder data," he said, adding that it also spans most IT disciplines and skills.
In the past, the diversity of the PCI-DSS meant implementing compliance involved complicated dealings with multiple vendors, which could be quite pricey, says Hutton, stressing that diversity often creates complexity. "Unfortunately for a large number of organisations, the cost burden remains too great compared to the risk," notes Hutton.
"Ensuring PCI-DSS compliance is a complicated business, not only to set up the project with the right technologies, but then to manage it as well," he says. Despite these complexities, Hutton believes consolidation and multi-vendor technology means PCI compliance can now be achieved faster and at a dramatically lower cost. He adds that compliance makes good business sense because it reduces risk and ensures continued end-user trust in card and online payments.
According to Hutton, version 2.0 of the PCI-DSS aims to move to a new risk-based information assurance posture, which could also be costly to implement. While early analysis of the proposed changes claim it's "not enough" to improve information assurance for card holder data, some of the subtle changes proposed should make a difference, he says.
Ultimately, companies need to understand how these standards affect their approaches to protecting sensitive information, Hutton concludes.