PCI DSS is not designed to be attained like your Girl or Boy Scout Badge

Apr 20, 2009

I am currently working on writing a security chapter contribution, mostly around the Payment Card Industry Data Security Standards, for Ted Hart's new Nonprofit book due out in 2010. A very smart gentleman I know from Visa asked me to make sure that people reading it knew that gaining and maintaining PCI DSS for their organization is not to be viewed as a Girl or Boy Scout Badge. So I intend to do just that: drive home the point to corporate management that avoiding compromise means security is a daily, 24/7 process, especially after you attain your PCI DSS or PA-DSS compliance certification!
The RBS and Heartland breaches are fascinating, as someone had to be asleep at the switch over there for criminals to load malware into their systems to steal cardholder data. Hello, who was monitoring their systems and couldn't see what was going on? Daily log reviews are essential to finding the ins and outs of the bad boys and girls, and there are methodologies to see any wireless intrusions from within and without.
The toughest part of PCI DSS compliance is your first compliance assessment. (I still find it interesting that in 2009, security 101 is still not being followed by so many organizations!) That is where you are going to spend the most money on upgrades and education. By the time you become compliant, you and your QSA will have put a strategic risk management plan in place to make sure you are monitoring your systems and applications 24/7, so that the criminals who are continually pounding away at you can't gain access. The PCI DSS (Badge) of compliance is great when you attain it, but you have to make sure that security and privacy become part of your corporate culture and daily monitoring, so that your (Badge) stays current.
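What the daily log review called for above looks like when it actually runs, as an added example (not the author's tooling or any PCI DSS Council material): the host names, the threshold and the log lines are constructed, and the coverage check matters as much as the alerts, because a system that stops sending logs is exactly where nobody is watching.

```python
"""Daily log-review helper: an added example, not the author's or any vendor's tooling.
Check 1: every in-scope system actually delivered logs today (a silent host is a blind spot).
Check 2: events worth a human look (brute-force logins, new software in the CDE) are surfaced.
Hostnames, threshold and log lines are constructed, syslog-style: "<ISO ts> <host> <component>: <msg>"."""
from collections import Counter
from datetime import datetime

SAMPLE_LOGS = """\
2009-04-20T01:12:03 pos-01 sshd: Failed password for admin from 203.0.113.9
2009-04-20T01:12:05 pos-01 sshd: Failed password for admin from 203.0.113.9
2009-04-20T01:12:08 pos-01 sshd: Failed password for admin from 203.0.113.9
2009-04-20T01:12:11 pos-01 sshd: Failed password for admin from 203.0.113.9
2009-04-20T01:12:14 pos-01 sshd: Failed password for admin from 203.0.113.9
2009-04-20T01:12:20 pos-01 sshd: Accepted password for admin from 203.0.113.9
2009-04-20T01:13:02 pos-01 audit: new service installed unknown-updater.exe
2009-04-20T09:00:00 db-01 backup: nightly job completed
"""
IN_SCOPE_HOSTS = {"pos-01", "db-01", "gw-01"}  # the cardholder data environment (constructed)
FAILED_LOGIN_THRESHOLD = 5                       # constructed review threshold


def parse(line):
    # Split one log line into timestamp, host, component and message.
    ts, host, rest = line.split(" ", 2)
    component, _, message = rest.partition(": ")
    return {"ts": datetime.fromisoformat(ts), "host": host, "component": component, "msg": message}


def daily_review(log_text, in_scope, day):
    """Return the findings a reviewer should act on for the given day (YYYY-MM-DD)."""
    events = (parse(l) for l in log_text.splitlines() if l.strip())
    today = [e for e in events if e["ts"].date().isoformat() == day]
    findings = []
    # 1. Coverage: an in-scope host that sent nothing is a monitoring gap, not good news.
    for host in sorted(in_scope - {e["host"] for e in today}):
        findings.append(f"NO LOGS from in-scope host {host}: monitoring gap")
    # 2. Brute force: repeated failures from one source, worse when a success follows them.
    fails = Counter((e["host"], e["msg"].rsplit(" ", 1)[-1])
                    for e in today if "Failed password" in e["msg"])
    for (host, src), n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{n} failed logins on {host} from {src}")
            if any(e["host"] == host and "Accepted password" in e["msg"] and e["msg"].endswith(src)
                   for e in today):
                findings.append(f"successful login on {host} from {src} after {n} failures")
    # 3. Unexpected software appearing inside the CDE: the foothold the post's breaches describe.
    for e in today:
        if "new service installed" in e["msg"]:
            findings.append(f"{e['host']}: {e['msg']} (unexpected software in the CDE)")
    return findings


def review_sample():
    return daily_review(SAMPLE_LOGS, IN_SCOPE_HOSTS, "2009-04-20")
```

The point of the first check is the one the post makes: a host that goes quiet is not "no news", it is the place nobody is monitoring.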

Payment applications and websites not coded to security standards, along with home computers and employees, bring some of the greatest risks to our security today. I am amazed at just how many merchants are still not PCI DSS compliant when this program goes a long way toward reducing criminal activity in both the physical and online industries. It is obvious that more education or government intervention on security and privacy is required before we get buy-in from business owners and nonprofit boards on PCI DSS.
Governments, card associations, merchants, and industry professionals must all work together if we want to get our industry locked down and minimize criminal activity.

Sep 30.08 | Second Annual Payment Card Industry Community Meeting - Oh What a Difference A Year Makes!


Aug 25.08 | TOP 10 List of Ways to Create a “Security Culture” Within an Organization

Al Decker and Rebecca Whitener, two security experts from Texas technology services company EDS, have compiled a top 10 list of ways to create a "security culture" within an organization. The two say that with security breaches and identity theft on the rise, protecting information is the responsibility of everyone in an organization.

Jul 25.08 | Ted Hart launches Green Nonprofits organization

"For years I've heard from nonprofits around the world of their interest to support and protect the environment. Because they did not perceive themselves to be experts, it was unclear what they could do to make a difference and still run a successful nonprofit/NGO. Today, GreenNonprofits, Inc. provides that answer; provides that path for every nonprofit around the world to make significant changes that when combined together will create a powerful force for the greening of this industry." - Ted Hart, CEO

GreenNonprofits was founded to be an accessible source of information about greening your nonprofit workplace, and to be a desktop tool for any nonprofit to become green[er].

As people and corporations around the world become more "green" they in turn expect the nonprofits they support to also take proactive steps to protect the environment. GreenNonprofits will lead the way in helping Nonprofits/NGOs around the world meet this challenge. - Ted Hart, CEO

Jan 14.08 | Convio Security Breach and (PCI DSS) Payment Card Industry Data Security Standards

I find it interesting that I see no mention in any of Convio's follow-up information of the required and mandatory Payment Card Industry Data Security Standard compliance certificate for service providers in our industry.

Sep 20.07 | What a Difference a Week Makes!

PCI DSS First Global Community Meeting!

Sep 10.07 | PCI DSS! Is The Payment Industry Serious About Getting and Keeping Itself Secure?

The PCI DSS program has been in place in its original incarnation as AIS/CISP since 2001! Why is it then that so many organizations worldwide are still not compliant? Why is it then that so many service providers are still doing business "flying under the radar screen"???

Nov 17.06 | I’ll Take a Ticket on You Kid!

About 6 pm, Wednesday evening October 25, Jimmy, my dearest friend and mentor, transitioned into heaven to begin the next phase of his life! A time for great sorrow and great celebration!

May 26.06 | Big Money, Bigger Lifestyle, Biggest Lies!

You know my two sons consistently tell me that I am too honest to be in business. My consistent reply back to them is nonsense. There is no such thing as being too honest in business. I take great pride in always standing in my truth and knowing that my word can be trusted.

May 08.06 | What is Happening with My Opinion?

What is My Opinion?