PCI: Organization size DOESN'T matter

According to the most recent Verizon Data Breach Investigations Report (PCI-6), hackers are apparently spending a lot more time discovering the latest hip, trendy restaurants. But they are not spending money on artisanal cheeses, free-range chicken, or chickpea and orzo salad with Piquillo pepper vinaigrette. Nope. They are haunting quick-serve restaurants, local diners, franchises, pubs and taco stands, as well as high-end eating establishments, looking for credit card data to steal. Visa reports that restaurants now account for 73% of the data breaches in the United States, up from 29% just three years ago.


PCI Requirements


The current version of the standard is version 2.0, released on 26 October 2010. PCI DSS version 2.0 must be adopted by all organizations that handle payment card data by 1 January 2011, and from 1 January 2012 all assessments must be made against version 2.0 of the standard.[3] Of the 132 changes in version 2.0, only two are new or evolving requirements; the remaining changes and enhancements fall under the categories of clarification or additional guidance.[4] The table below summarizes the points that differ from version 1.2 (1 October 2008)[5] and lists the 12 requirements for compliance, organized into six logically related groups called "control objectives".


PCI Vulnerability Management Programs

While program definitions vary across the industry, Gartner, a prominent IT analyst firm, defines six steps for a vulnerability management program (PCI-5):

Define Policy - Organizations must start by determining the desired security state for their environment. This includes the desired device and service configurations and the access control rules for users accessing resources.

Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.

Prioritize Vulnerabilities - Each instance of a policy violation is a vulnerability. These vulnerabilities are then prioritized using risk-based and effort-based criteria.

Shield - In the short term, the organization can minimize the damage a vulnerability could cause by putting compensating controls in place while the root cause is still open.

Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.

Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, new vulnerabilities are identified continually. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
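The six steps above, as an added worked example in Python that is not part of the original page or of Gartner's material: the policy is expressed as data (allowed listening ports and a minimum TLS version per host role), a constructed inventory stands in for scanner output, every deviation from policy becomes a finding, findings are ranked by severity, reachability and fix effort, a compensating control lowers the residual score without closing the ticket, and a rescan closes only the findings that have actually disappeared. The host names, roles, scoring weights and inventory contents are all constructed for illustration, not taken from any real environment.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Step 1, define policy: the desired state per host role (constructed example data).
POLICY: Dict[str, dict] = {
    "pos-terminal": {"allowed_ports": {443}, "min_tls": (1, 2)},
    "db-server": {"allowed_ports": {3306}, "min_tls": (1, 2)},
}

# Constructed inventory standing in for real scanner output (port scan plus config audit).
INVENTORY: List[dict] = [
    {"host": "pos-01", "role": "pos-terminal", "open_ports": {443, 23}, "tls": (1, 0), "exposure": "internet"},
    {"host": "db-01", "role": "db-server", "open_ports": {3306, 22}, "tls": (1, 2), "exposure": "internal"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    severity: int   # 1 (low) .. 10 (critical): impact if exploited
    effort: int     # 1 (trivial) .. 10 (major project): cost of the root-cause fix
    exposure: str   # "internet" or "internal": who can reach the weakness


@dataclass
class Ticket:
    finding: Finding
    compensating_control: Optional[str] = None  # step 4, shield
    remediated: bool = False                    # step 5, mitigate


# Step 2, baseline: compare the observed state with policy; each deviation is a vulnerability.
def baseline(inventory: List[dict], policy: Dict[str, dict]) -> List[Finding]:
    findings = []
    for h in inventory:
        rule = policy[h["role"]]
        for port in sorted(h["open_ports"] - rule["allowed_ports"]):
            # Cleartext remote administration (telnet) is ranked above other unapproved services.
            severity = 9 if port == 23 else 5
            findings.append(Finding(h["host"], f"unapproved service on tcp/{port}", severity, 2, h["exposure"]))
        if h["tls"] < rule["min_tls"]:
            findings.append(Finding(h["host"], "TLS %d.%d below policy minimum" % h["tls"], 7, 5, h["exposure"]))
    return findings


# Step 3, prioritize: severity weighted by reachability, divided by the effort to fix.
def risk_score(t: Ticket) -> float:
    f = t.finding
    weight = 2.0 if f.exposure == "internet" else 1.0
    if t.compensating_control:
        weight /= 2  # a shield halves residual risk but does not close the finding
    return f.severity * weight / f.effort


def prioritize(tickets: List[Ticket]) -> List[Ticket]:
    return sorted(tickets, key=risk_score, reverse=True)


# Step 4, shield: record a compensating control while the root cause stays open.
def shield(t: Ticket, control: str) -> None:
    t.compensating_control = control


# Step 6, maintain and monitor: rerun the baseline; a ticket is closed only when its
# finding no longer appears, and anything new gets a ticket of its own.
def reconcile(tickets: List[Ticket], fresh: List[Finding]) -> List[Ticket]:
    still_open = set(fresh)
    for t in tickets:
        t.remediated = t.finding not in still_open
    known = {t.finding for t in tickets}
    return tickets + [Ticket(f) for f in fresh if f not in known]


if __name__ == "__main__":
    tickets = [Ticket(f) for f in baseline(INVENTORY, POLICY)]
    print("initial priority order:")
    for t in prioritize(tickets):
        print(f"  {risk_score(t):5.2f}  {t.finding.host}: {t.finding.issue}")

    # Shield the TLS weakness with a firewall restriction, then fix telnet and rescan.
    tls_ticket = next(t for t in tickets if t.finding.issue.startswith("TLS"))
    shield(tls_ticket, "edge firewall limits tcp/443 to the payment processor's address ranges")
    patched = [dict(h, open_ports=h["open_ports"] - {23}) for h in INVENTORY]
    tickets = reconcile(tickets, baseline(patched, POLICY))

    print("after shield and rescan:")
    for t in prioritize(tickets):
        state = "closed" if t.remediated else "open"
        print(f"  {risk_score(t):5.2f}  {t.finding.host}: {t.finding.issue} [{state}]")
```

The scoring formula is deliberately simple; in practice the severity input would come from a CVSS score or the scanner's own rating, and the exposure weight from the network position of the asset, but the shape of the loop (policy, baseline, rank, shield, fix, rescan) is what the six steps describe.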


Contact Us

Learn more about what Icon Networks can do for your business.


Call us today: (224) 241-2410

904 S. Roselle Rd
Suite #176
Schaumburg, IL 60193