Interviews

PCI DSS: An Integrated Approach

by Mark Rowe

Jim Seaman has brought out a guide to the payment card data security standard PCI DSS.

For more than 30 years, he writes, I have been heavily involved in the security industry, from defending the airfield, aircraft and munitions stores with my 42-toothed furry Exocet (Jacob, my German Shepherd patrol dog) through to providing second line risk oversight (for all things Cyber/Information Security, Business Continuity or technology related issues) for a large financial organisation.

Along this journey, I spent 22 years managing and delivering innovative aviation security operations, both overseas (Sensitive Airlift missions) and at home (Royal Ascot, York), delivered security operations in high risk overseas environments (e.g. security dog patrols in Iraq, counter intelligence field team (CIFT) support to the deployed force protection wing in Afghanistan (Kandahar and Bastion), and de-briefings) and provided police and security support to RAF establishments, before embarking on a career in the corporate world.

Background

During my first 12 months transitioning into the corporate sector, I sought to transfer my skills and experiences gleaned through the protection of mission-critical military assets and self-studied for ISACA’s certified information security management (CISM) and certified in risk and information systems control (CRISC), and was appointed as a third party security assurance consultant for a large high street bank (soon after, being appointed as the baseline security controls manager).

Next, in 2013, after an intensive qualified security assessor (QSA) course, I entered the world of delivering payment card industry data security standard (PCI DSS) consultancy and assessment for businesses. Being new to the payment card industry, I set about becoming fully immersed into the finer detail of the PCI DSS to ensure that I was able to impart this knowledge onto my clients. This is when I delivered my first articles for the Professional Security magazine:

•PCI:DSS compliance approach.
•Cyber Reserve Unit.

Almost six years later, I have developed my skills, knowledge and experiences a great deal more and decided that I wanted to impart some of this for the benefit of others. Consequently, as my current contract was due to end, I thought this might be the perfect time to attempt to author my own guide on the PCI DSS integrated data security standard:

PCI DSS: An Integrated Data Security Standard Guide.

Contents:
•An evolving regulatory perspective.
•The Evolution of PCI DSS.
•Data Life Support System.
•An integrated Cyber/InfoSec Strategy.
•The Importance of Risk Management.
•Risk Management Versus Compliance – The Differentiator.
•PCI DSS Applicability.
•De-Pooping the Scoping Risk.
•An introduction to PCI DSS.
•Payment Channel Attack Vectors.
•Compliance – A Team Effort.
•PIE FARM: A Project Managed Approach.
•Proactive Defence: The 5 Pillars.
•People, People, People.
•The Ripple Effect.
•Cometh The Year/Month/Day/Hour.
•Quick Fire Round – five Commonly Asked Questions.

Don’t get me wrong, there are some very good books on PCI DSS out there to buy. However, I wanted to approach this topic from a different angle. I wanted to show the value that the PCI DSS provides businesses in helping to shore up their defences and protect their payment card operations and sought to apply my lessons learned from the past 30 years to the PCI DSS integrated controls framework.

Recommendation

Much like I saw through my military career, there is an ever-present threat to businesses that process payment cards. Opportunist attackers are constantly on the prowl seeking to exploit any poor practices that help them to compromise a vulnerable network or application. The PCI DSS integrated controls framework provides organisations with a baseline reference, upon which they can start to forge robust defences. However, these defences rely on an integration between business departments and need to become an inherent part of daily life.

Consequently, I have developed this book to provide the reader with a comprehensive understanding of what good may look like and to provide a wealth of useful hints and tips to help make business processes more secure and, ultimately, make it more difficult for attackers to make financial gains from breaks in the ‘circle of trust’ between business, consumer and third party supplier. The book has been developed so as not to be a regurgitation of the PCI DSS controls but to provide the reader with some interesting and informative perspectives on this subject.

Conclusion

PCI DSS need not be something that should be avoided, but should be embraced and seen in the light of being a business investment, much the same as a business may see the return on investment (RoI) from increasing the use of digitalised data processing. Although not on the scale of the potential impact of a military defence failure, the inability to adequately safeguard payment card data presents considerable impacts on both the business and the consumer. Consequently, the reader of this book should obtain a greater appreciation of the business benefits of applying PCI DSS and how to correctly apply it to help reduce the associated risks.

PCI DSS may be seen as being extremely expensive, complex and difficult to achieve and maintain. However, the reality is that without it, it becomes only a matter of time before your organisation comes under the scrutiny of an opportunist attacker.


© 2024 Professional Security Magazine. All rights reserved.
