RSA: PCI DSS survey shows that encryption is tops when it comes to end-to-end security

02 March 2010

According to a survey of qualified security assessors (QSA), the optimum methodology for end-to-end security protection is encryption.

This perhaps surprising analysis comes from a survey of Qualified Security Assessors (QSAs), which also reveals that, whilst only 2% of businesses outright fail compliance audits, 41% would fail if unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements.

The report, from Thales and carried out by the Ponemon Institute, says that these alternative routes to compliance must meet QSA approval, but they may be only temporary fixes or be eliminated by future changes to PCI DSS.

Their prevalence, says Thales, appears to indicate that businesses are still coming up to speed with the security standard, which was first introduced back in 2006.

The study - entitled ‘PCI DSS Trends 2010 - QSA Insights’ - says that 60% of QSAs believe that encryption is the most effective means to protect card data end-to-end - from the moment it is accepted at the point-of-sale to when the transaction is authorised.

And, says the study, new technologies like tokenisation are also gaining the attention of QSAs, with 35% of QSAs preferring this method for protecting cardholder data end-to-end.

The research, which was announced at RSA Conference 2010 in San Francisco, found that 81% of QSAs recommend the use of a hardware security module (HSM) for encryption and key management.

HSMs are specialised devices used to make protecting and managing keys easier. To this end, 63% of QSAs said they believe that using HSMs reduces the time and money spent on compliance.
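To make the contrast between the two end-to-end approaches the survey ranks concrete, here is an added illustration (not from the article, Thales or Ponemon) of the tokenisation side: a PAN is swapped for a format-preserving token that has no mathematical relationship to the card number, so systems downstream of the point of acceptance hold only the token and fall out of PCI DSS scope. The `TokenVault` class, the `contains_pan` scanner and the sample card number (a constructed test number, not a real account) are all assumptions of this example; a real vault would keep its mapping encrypted under an HSM-managed key, which is where the HSM recommendation above fits in.

```python
import re
import secrets
from typing import Dict, Optional

# Constructed sample PAN for the example: a publicly known test number, not a real account.
SAMPLE_PAN = "4111111111111111"

# Runs of 13-19 digits not embedded in a longer digit run: candidate PANs in free text.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Receipt-style masking: only the last four digits remain visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


def contains_pan(text: str) -> bool:
    """Simple DLP-style check: does the text hold a Luhn-valid 13-19 digit number?"""
    return any(luhn_valid(m) for m in _PAN_CANDIDATE.findall(text))


class TokenVault:
    """Hypothetical in-memory token vault (assumed design, for illustration only).

    The token -> PAN mapping exists only inside the vault, so a system that stores
    tokens cannot recover card numbers without calling the vault. Unlike encryption,
    there is no key that turns a token back into a PAN.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}

    @staticmethod
    def _make_token(pan: str) -> str:
        # Format-preserving: same length, same last four digits (for receipts and
        # matching), every other digit drawn from a CSPRNG. Candidates that happen
        # to pass Luhn are rejected so a token can never be mistaken for a real PAN
        # or trip a PAN scanner.
        while True:
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new one on first sight."""
        if not luhn_valid(pan):
            raise ValueError("input is not a syntactically valid PAN")
        existing = self._by_pan.get(pan)
        if existing is not None:
            return existing          # same card always maps to the same token
        token = self._make_token(pan)
        while token in self._by_token:
            token = self._make_token(pan)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Recover the PAN for a token (only the authorisation path should call this)."""
        return self._by_token.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize(SAMPLE_PAN)
    order_record = f"order=42 card={tok}"            # what a back-office system stores
    print("token:", tok, "masked:", mask(SAMPLE_PAN))
    print("record contains PAN?", contains_pan(order_record))
```

Running the block shows a record that keeps the token but not the card number, and `contains_pan` returning False for it while returning True for the raw PAN; that difference is the scope reduction tokenisation is valued for.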

Commenting on the report, Larry Ponemon, the chairman of the Ponemon Institute, said that it is the first ever to analyse PCI DSS compliance trends from the QSA perspective and reveals some very interesting information about the way organisations approach compliance and how they protect sensitive information.

"PCI DSS compliance isn't easy and it's definitely not all about any one technology or process. This study indicates a significant concern among QSAs that many merchants are primarily focused on complying with PCI and less on what should be equally important - protecting sensitive information", he explained.

Over at Thales, Franck Greverie, the firm's managing director for IT security, said that protecting customer and business data is a top priority for every organisation, but demonstrating compliance does not inherently translate into data security.

"Hopefully the results of this survey will help merchants better understand how QSAs view PCI DSS requirements and what works best to achieve compliance. Ultimately this will save merchants time and money and, most importantly, protect their business bottom line", he said.
