Industry View: Sharing the PCI Load

Kip Miles of Rackspace identifies two key PCI considerations for hosted services

By Kip Miles, Rackspace

November 13, 2008 (CSO) — Every Saturday morning the aisles of Home Depot are filled with "do it yourselfers"—confident men and women with plans to lay new floors or retile their bathrooms by themselves. But first, the checklists: wet tile saw, tile, grout, tile cutter, a free weekend... and while they're completing their lists, somewhere in the back of their minds they're thinking, "What if I mess this up, and how much would it cost for someone else to do this for me?"

Achieving and maintaining PCI compliance for a data center isn't really all that different. This time-consuming, expensive, nightmarish project is on the minds of every online retail outlet and CSO facing this year's holiday shopping season.

Even with a slowed economy, consumers are expected once again to flock to the Internet to do their shopping. Last year online retailers recorded more than $29 billion in online sales, up nearly 20 percent over the previous year. Mingled among those shoppers were the online thieves who can cost the average business owner more than $350,000.

To help combat online fraud, online retailers endeavor to maintain compliance with the security standards set by the PCI Security Standards Council. This draws on limited and expensive resources: reconfiguring data centers to meet the PCI physical requirements, training and certifying IT staff, reporting compliance, and responding 24/7 to security breaches. At some point, some CSOs ask, "What would it take for someone to do this for me?"

Leveraging hosted resources for a responsibility like PCI compliance isn't for everyone. If you can afford the resources, you can argue for the benefits of being the master of your domain. But with that, you take on the full scope of measures needed to prevent data breaches, which may otherwise result in loss of revenue, exposure to litigation, and damage to your brand and reputation.

With a hosted solution partner, you allow someone else to take much of the heat and carry the load for you. Online retailers gain the flexibility and freedom to manage the business of selling product and providing customer service, while others manage the server infrastructure and overall hosted environment and, at the same time, provide solutions and answers for PCI compliance.

When evaluating a hosted solution partner to support PCI compliance, CSOs should look for two key requirements—infrastructure and experience. Infrastructure means the ability to maintain physical security and upkeep from the servers up to the Web application layer itself. Experience means a full roster of employees who are certified in, and focused exclusively on, PCI compliance and data center security.
