PCI Compliance Questions? You're Hardly Alone.

The more companies breached, the likelier we are to hear more clamor for for tighter, stricter, tougher compliance standards for companies handling customer credit card information. But some feel it will take a lot more breaches before standards get a lot tighter.The effects of the massive Heartland payment processing breach as well as other high-profile data breaches involving customer credit card and other confidential information, continue to be felt, and not just by customers whose data got compromised or, for that matter, the companies that allowed their data to be hacked.

The buzz-o-sphere, in fact, is, well, buzzing with chatter, speculation and rumors about the steps needed to tighten the Payment Cards Industry (PCI) standards intended to keep (or help keep) data from being compromised in the first place.

A lot of the speculation wonders if it will take even more breaches before the payment processing industry enacts heavier duty standards, such as end-to-end encryption practices.

Over at InformationWeek, Andrew Conry-Murray asks whether or not we need credit card compliance standards at all.

That these sorts of questions are being raised just weeks after the latest iteration of the PCI standards went into effect is a good indication of how tricky the task of creating effective standards is.

A precis of the current PCI standards is here.

As standards go. these go a ways, as intended, toward establishing the minimum requirements businesses that handle customer account information must meet, but some attention should be paid to that "minimum" modifier.

To pick an example not quite at random, the opening requirement -- Build and Maintain a Secure Network, includes the requirement that companies "Install and maintain a firewall" to protect cardholder data on the secured network.

So far so good. But the devil's in the details, and the details are what the hackers get in through or around). Once that firewall is installed, the maintenance part of the standards gets pretty lax, requiring that firewall and router rule sets be reviewed "at least every six months."

Twice a year? At least is exactly right, though one suspects that irony wasn't what the standards council had in mind.

That said, the standards are at least a good beginning place, and if your business handles customer credit card data, you're well-advised to be familiar with them, and to make sure that your network meets them.

Just check your firewalls more than a couple of times a year, will you?

The PCI Security Standards Council is here.

A good PCI resource, the PCI Knowledge Base is here.