News
PCI's Post-Audit Pain Points
Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished
By Bill Brenner, Senior Editor
November 05, 2008 — CSO —
Those who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.
For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.
"Log management, while necessary, has turned out to be the biggest issue for us," says Atwell, who is based in the Raleigh-Durham, North Carolina area. "Partnering with a good vendor helps, but when you're starting from scratch, it's a big project."
Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company's UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.
"Database encryption is turning out to be a huge project in itself," Minhas says. "A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It's a bit hard to get everyone to prioritize this project to everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions."
But for the vast majority of security pros surveyed by CSOonline in recent weeks, the biggest problem is upper management.
The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.
"Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year," says one network security administrator for a company in New York City, who asked that his name not be used because he was not authorized by his company to speak on the issue. "There's a perception that PCI-compliant shops are perfect."
The upper management problem
Others polled by CSOonline reported running into the same wall he spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica Inc. in Los Angeles, says he has seen the problem up close.
"Having worked on two PCI projects, the biggest challenge is typically management's view, 'Well, were compliant, so we're done.'" He says. "Some parts of management understand the 'why' of PCI, but don't understand overall risk management. Maintaining attention after the fact is the biggest challenge."
PCI
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Sustaining SOX Compliance: Best Practices to Mitigate Risk, Automate Compliance, and Reduce Costs
- Beyond PCI Checklists: Securing Cardholder Data with Enhanced File Integrity Monitoring
- Credit Issuers: Stop Application Fraud at the Source with Device Reputation
- CSO's Guide to Security and Compliance
- Understanding Data Location is Imperative for Data Loss Prevention
- FISMA and FDCC Compliance: Millennium Challenge Corporation
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
