PCI Demystified article in (IN)SECURE Magazine

Michael Dahn has an article in the latest issue of (IN)SECURE Magazine titled “Payment Card Industry Demystified” (PDF) (local copy).

Over the years the landscape of information security has changed from the need to implement perimeter protection to the concept of defense-in-depth and edge-security. Both of the latter concepts are a result of the changing landscape of fraud. In an effort to prevent fraud and reduce risk across the board, different industries have implemented their own set of compliance requirements.

On the surface the PCI DSS looks very detailed, especially when compared with other standards such as HIPAA, GLBA, and SOX. Underneath the clearly outlined requirements and audit procedures is a lengthy list of compensating controls, third-party systems, outsourcing, small data caveats, and that doesn’t even break the surface of the individual requirements and their intent. As PCI begins to gain critical mass and more companies begin to comply, there is a need for clarity of vision and understanding for each part of the standard.

This article begins to demystify the Payment Card Industry Data Security Standard; explains the industry, its players, and how they relate; and explains the long list of nuances and differences in these definitions. Through detailed explanation the reader should have a much stronger understanding of the history, current landscape, risks, and best ways to mitigate those risks for your company or the companies you work with. This paper will not make you an expert on the payment card industry, but it will give you a great start in beginning to understand the compliance process.
