Welcome!

Related Topics: SYS-CON MEDIA

SYS-CON MEDIA: Article

PCI SSC: Firms Must Perform Rigorous Risk Assessments

The head of the PCI SSC has highlighted the importance of adequate risk assessment in order to remain PCI compliant.

This is according to general manager of the PCI Security Standards Council (PCI SSC) Bob Russo, who told Bankinfosecurity.com that this is vital to spotting any weak links in the card data protection chain, which could undermine an entire system.

Performing annual risk assessments is one of the 12 central requirements firms must go through to be certified PCI compliant, but it may be the case that some companies do not devote adequate time and resources to this and assume their systems will still be secure.

Mr Russo explained: "The standard requires an annual risk assessment, because the DSS (data security standard) validation is only a snapshot of your compliance at a particular point in time." Therefore, it is possible that changes that have been made to a system since the previous evaluation could have undermined security protections or opened up new vulnerabilities.

He added the PCI SSC has received a large number of requests for clarity on how to best perform a risk assessment in order to identify gaps in their security procedures. This is why the body introduced new guidelines for the process earlier this month.

This document contains a number of recommendations for improving the procedure of evaluating a firm's data protection security solutions. These include implementing a formal methodology that takes into account the culture of an organisation and its unique requirements.

Guidance offered as part of the publication states: "Organisations will need to define and document their risk-assessment methodology, identify individuals who will need to be involved, assign roles and responsibilities and allocate resources."

It also suggested companies pursue a continuous risk assessment process rather than treating the requirements as a once-a-year occurrence. This makes it easier to uncover emerging threats and vulnerabilities as soon as they appear, allowing a company to take a more proactive approach to mitigate such risks.

Mr Russo observed that every organisation is different and the necessary precautions and measures will vary from firm to firm. However, there are a few constants that all enterprises need to consider.

"Size is just one of the many factors," he stated. "A smaller organisation, for instance, has fewer assets that they have to consider. But the core components of the risk assessment are really going to be the same."

The importance of PCI compliant systems has been highlighted in recent years by a series of high profile breaches, Bankinfosecurity.com stated. This included an attack on Heartland Payments Systems in 2009 that exposed the information of 130 million credit and debit cards in the US.

As a result of this, Heartland is now offering advice to ecommerce merchants using its payment processing solutions, as many of these firms lack knowledge and experience of security issues.

Chief security officer at the firm John South said: "Their speciality is not in securing networks and many have little or no experience in installing hardware or software to do that."

More Stories By Dominic Monkhouse

Dominic Monkhouse joined PEER 1 Hosting as managing director of the company's new UK operations in January, 2009, bringing more than 14 years of IT industry experience to the team. He is the key executive responsible for building and growing PEER 1 Hosting's expansion into Europe. In his role as managing director, Dominic is responsible for sales, marketing and service delivery across PEER 1 Hosting's UK business and ensuring overall customer satisfaction. His role is integral to the company's continued commitment to customer service.

Before joining PEER 1 Hosting, Dominic served as managing director of IT Lab, where he was able to quickly transform the company into the fastest growing IT service provider in the UK SME market. Prior to IT Lab, he was managing director of Rackspace, which grew from a staff of four to 150 under his guidance.

Dominic has a Bachelor of Science in Agricultural and Food Marketing from Newcastle University and a MBA from Sheffield Business School in the UK. He frequently participates in public speaking events on the topic of creating great places to work and achieving continuous client satisfaction. He also is involved as a judge of the Sunday Times Customer Experience Awards.

Latest Stories
SYS-CON Events announced today that Juniper Networks (NYSE: JNPR), an industry leader in automated, scalable and secure networks, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Juniper Networks challenges the status quo with products, solutions and services that transform the economics of networking. The company co-innovates with customers and partners to deliver automated, scalable and secure network...
SYS-CON Events announced today that CA Technologies has been named "Platinum Sponsor" of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and 21st International Cloud Expo, which will take place in November in Silicon Valley, California.
Developers want to create better apps faster. Static clouds are giving way to scalable systems, with dynamic resource allocation and application monitoring. You won't hear that chant from users on any picket line, but helping developers to create better apps faster is the mission of Lee Atchison, principal cloud architect and advocate at New Relic Inc., based in San Francisco. His singular job is to understand and drive the industry in the areas of cloud architecture, microservices, scalability ...
Back in February of 2017, Andrew Clay Schafer of Pivotal tweeted the following: “seriously tho, the whole software industry is stuck on deployment when we desperately need architecture and telemetry.” Intrigue in a 140 characters. For me, I hear Andrew saying, “we’re jumping to step 5 before we’ve successfully completed steps 1-4.”
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain.
@DevOpsSummit has been named the ‘Top DevOps Influencer' by iTrend. iTred processes millions of conversations, tweets, interactions, news articles, press releases, blog posts - and extract meaning form them and analyzes mobile and desktop software platforms used to communicate, various metadata (such as geo location), and automation tools. In overall placement, @DevOpsSummit ranked as the number one ‘DevOps Influencer' followed by @CloudExpo at third, and @MicroservicesE at 24th.
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
In his keynote at @ThingsExpo, Chris Matthieu, Director of IoT Engineering at Citrix and co-founder and CTO of Octoblu, focused on building an IoT platform and company. He provided a behind-the-scenes look at Octoblu’s platform, business, and pivots along the way (including the Citrix acquisition of Octoblu).
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
Did you know that you can develop for mainframes in Java? Or that the testing and deployment can be automated across mobile to mainframe? In his session at @DevOpsSummit at 20th Cloud Expo, Vaughn Marshall, Sr. Principal Product Owner at CA Technologies, will discuss and demo how increasingly teams are developing with agile methodologies using modern development environments and automating testing and deployments, mobile to mainframe.
As pervasive as cloud technology is -- and as persuasive as the arguments are for using it -- the cloud has its limits. Some companies will always have security concerns about storing data in the cloud and certain high-transaction applications will always be better suited for on-premises storage. Those statements were among the bottom-line takeaways delivered at Cloud Expo this week, a three day, bi-annual event focused on cloud technologies, adoption and associated challenges.
Multiple data types are pouring into IoT deployments. Data is coming in small packages as well as enormous files and data streams of many sizes. Widespread use of mobile devices adds to the total. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists will look at the tools and environments that are being put to use in IoT deployments, as well as the team skills a modern enterprise IT shop needs to keep things running, get a handle on all this data, and deli...
Quickly find the root cause of complex database problems slowing down your applications. Up to 88% of all application performance issues are related to the database. DPA’s unique response time analysis shows you exactly what needs fixing - in four clicks or less. Optimize performance anywhere. Database Performance Analyzer monitors on-premises, on VMware®, and in the Cloud, including Amazon® AWS and Azure™ virtual machines.
SYS-CON Events announced today that Grape Up will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Grape Up is a software company specializing in cloud native application development and professional services related to Cloud Foundry PaaS. With five expert teams that operate in various sectors of the market across the U.S. and Europe, Grape Up works with a variety of customers from emergi...
20th Cloud Expo, taking place June 6-8, 2017, at the Javits Center in New York City, NY, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy.