PCI Compliance for Retailers from the Cloud Perspective
One of the key drivers of IT security investment is compliance. Several industries are bound by mandates that require certain transparencies and security features. These mandates are designed to mitigate specific aspects of risk, including protecting the confidentiality of customer information, financial data and other proprietary information.
One such affected vertical is retail. No matter if you’re Wal-Mart or Nana’s Knitted Kittens, if you store customer information or process payments using customers’ credit cards, you are required by law to comply with a variety of security standards. Although there are several auditing agencies and mandating bodies, today we will concentrate on the one compliance regime that applies to virtually every retailer: PCI.
PCI (Payment Card Industry) enforces Data Security Standards that look to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Now of course, not all merchants are created equal. Nana obviously doesn’t process the volume or the dollar amount of a national or even a high-traffic regional retailer. However, this doesn’t let Nana off the hook. Her online shopping cart still needs to be Payment Application DSS validated (PCI compliant). She is still required to pass security audits of her network, just not as often.
But for the sake of this example, let’s assume you are a retailer who processes more than 20,000 transactions a year and the administrative burden of PCI is a real concern. In fact, it is a business necessity to maintain merchant accounts with VISA, American Express and MasterCard. And it is hugely important to keep the confidence of your customers. Fines for non-compliance aside, a breach of your network could cost millions of dollars. And that doesn’t begin to account for the cost of customer defection through loss of trust.
Most, if not all, retailers have some sort of PCI monitoring in place. However, these tools are often cumbersome, expensive and resource heavy. Additionally, too many retail organizations don’t employ a compliance officer, much less a dedicated security person. This doesn’t mean these functions aren’t part of someone’s job description. Typically, they are yet another line item in a plethora of competing priorities and mission-critical initiatives. Since security can be considered a cost center, the move to simply do the bare minimum to meet compliance is often an attractive alternative. Until now. Until the cloud. More specifically, a holistic enterprise security initiative deployed and managed from the cloud.
So how does cloud-based security (security-as-a-service) meet the requirements of PCI while driving down costs, freeing up personnel resources and providing an easy-yet-comprehensive suite of capabilities and functions? The easiest way to illustrate the potential is to look at the individual PCI requirements and how they are addressed from the cloud:
1. Protect Data: A cloud-based SIEM offering can accomplish the most important feature of this requirement: the ability to instantly recognize any change, intrusion or activity on your firewall IN REAL TIME. That’s the key. There isn’t the lag of looking at all the logs a week later when the damage has been done, or of being unable to tell a suspicious action from white-noise false positives. Whereas many SIEM products can do just this, ones from the cloud provide the additional benefit of 24/7/365 monitoring across the entire enterprise. And you get a scope of visibility and Fortune 500 class protection for literally pennies on the dollar.
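The two behaviours this requirement calls for, flagging every firewall configuration change the moment it is logged and separating a genuinely suspicious pattern from routine blocked-connection noise, can be shown with a small streaming monitor. The code below is an added illustration, not part of the original post and not any vendor's SIEM; the log line format, the field names (CONFIG, DENY, ALLOW, src, dport, rule) and the port-scan threshold are all assumptions made for the example, and the sample log lines are constructed.

```python
"""Minimal real-time firewall log monitor (illustrative, not a product).

Every CONFIG line raises an alert immediately.  Denied connections are
treated as noise until a single source has probed several distinct ports,
at which point one PORT_SCAN alert is raised and further lines from that
source are suppressed so the analyst is not flooded.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed line layout: "<timestamp> <host> <EVENT> key=value key='quoted value' ..."
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>[A-Z]+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 CONFIG user=admin action=rule-add rule='allow any->10.0.0.5:3389'",
    "2024-05-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=21 proto=tcp",
    "2024-05-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22 proto=tcp",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=23 proto=tcp",
    "2024-05-01T10:00:03Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=25 proto=tcp",
    "2024-05-01T10:00:04Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=80 proto=tcp",
    "2024-05-01T10:00:04Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=443 proto=tcp",
    "2024-05-01T10:00:09Z fw01 DENY src=198.51.100.7 dst=10.0.0.5 dport=443 proto=tcp",
    "2024-05-01T10:00:20Z fw01 ALLOW src=10.0.0.12 dst=10.0.0.5 dport=443 proto=tcp",
    "2024-05-01T10:01:00Z fw01 CONFIG user=admin action=rule-delete rule='allow any->10.0.0.5:3389'",
]


@dataclass(frozen=True)
class Alert:
    kind: str      # "CONFIG_CHANGE" or "PORT_SCAN"
    ts: str
    detail: str


def parse_line(line):
    """Split one log line into a dict of fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("'") for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "host": m.group("host"), "event": m.group("event"), **fields}


class FirewallMonitor:
    def __init__(self, scan_threshold=5):
        self.scan_threshold = scan_threshold          # assumed tuning value
        self._ports_by_src = defaultdict(set)         # distinct denied ports per source
        self._reported_scanners = set()               # sources already alerted on

    def process(self, line):
        """Handle one line as it arrives and return the alerts it produced (usually none)."""
        rec = parse_line(line)
        if rec is None:
            return []  # unparseable line; a real system would count these separately
        if rec["event"] == "CONFIG":
            detail = f"{rec.get('user', '?')} {rec.get('action', '?')} {rec.get('rule', '')}".strip()
            return [Alert("CONFIG_CHANGE", rec["ts"], detail)]
        if rec["event"] == "DENY":
            src = rec.get("src")
            if src is None or src in self._reported_scanners:
                return []
            self._ports_by_src[src].add(rec.get("dport"))
            if len(self._ports_by_src[src]) >= self.scan_threshold:
                self._reported_scanners.add(src)
                return [Alert("PORT_SCAN", rec["ts"],
                              f"{src} probed {len(self._ports_by_src[src])} ports")]
        return []  # ALLOW and anything else is routine traffic


def monitor(lines, scan_threshold=5):
    """Run the monitor over an iterable of lines and collect every alert in order."""
    mon = FirewallMonitor(scan_threshold)
    alerts = []
    for line in lines:
        alerts.extend(mon.process(line))
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOGS):
        print(alert.ts, alert.kind, alert.detail)
```

Run over the constructed sample, the monitor raises exactly three alerts: the rule addition, one port-scan alert for 203.0.113.9 once it has hit five distinct ports, and the rule deletion. The single denied connection from 198.51.100.7 and the ALLOW line produce nothing, which is the "white noise" the post refers to; a weekly log review would have to find the same three events by hand among all the rest.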