PCI's Post-Audit Pain Points

Passed your first PCI compliance audit? You've only just begun! Veterans say ongoing challenges with log management, database encryption and upper management buy-in mean the task is never finished.

Those who thought their PCI security challenges would be over after the first passing compliance audit say they continue to be dogged by the same problems that caused pain in the beginning.

For Jennifer Atwell, point-of-sale and communication support manager at Apple Gold Group, log management continues to be a pesky nuisance.

"Log management, while necessary, has turned out to be the biggest issue for us," says Atwell, who is based in North Carolina. "Partnering with a good vendor helps, but when you're starting from scratch, it's a big project."

Legacy applications continue to challenge PCI security at Lifestyle Services Group, according to Jim Griffiths, the company's UK-based information security and compliance chief. And at the National Bank of Kuwait, Information Security Officer Imran Minhas continues to be challenged by the task of database encryption.

"Database encryption is turning out to be a huge project in itself," Minhas says. "A place where no cardholder data is encrypted at all, all of a sudden has to encrypt almost every one of its databases. It's a bit hard to get everyone to prioritize this project to everything else. Upper management is good with it, but it comes down to the people who are going to implement the solutions."

But for the vast majority of security pros surveyed by CSO online in recent weeks, the biggest problem is upper management.

The top brass may be fully supportive during that initial PCI security effort. But once that first audit is complete and the company gets a passing grade, the executives assume the task is done. Instead, security pros have found that the work is never done.

"Everyone, especially senior management, thinks that if we pass a PCI audit then we are safe for a year," says David Glosser, network security administrator for a company in New York City. "There's a perception that PCI-compliant shops are perfect."

The upper management problem

Others polled by CSOonline reported running into the same wall Glosser spoke of. Daniel Blander, a CISM, CISSP and president of Techtonica, says he has seen the problem up close.
