Volume 1, Issue 3
August 2007
Welcome to The Aegis, a monthly newsletter published by The Aegenis Group. In each issue we hope to bring you information and insight on issues of security and compliance. In "Aegenis Tips & Tricks" we offer answers to some of the most commonly asked questions about PCI-DSS compliance. Each month we also feature an article that provides a view into some of the most pressing security issues. This month, we feature tips on reducing the cost of a PCI-DSS assessment, as well as a feature article on compensating controls.
The Aegenis Group encourages you to forward this newsletter to anyone who might be interested in the information it contains.
Aegenis Tips & Tricks
Five Ways to Reduce the Cost of Compliance
Many people want to reduce costs and increase profits, but how does one best reduce the cost of compliance? The key to answering this question is to realize that PCI compliance is only required where credit card data is "stored, processed, or transmitted" and, here are the key words, on "connected systems". If one can segregate the systems that handle credit card data and reduce the number of connected systems, that is a good recipe for cost-effective compliance.
1. Segment the network. Using tools to separate the network, individuals, and third parties can greatly reduce the scope of compliance and thus the cost of securing the retained data.
2. Evaluate remote access systems. Many times employees, vendors and other third parties will want remote access into the network. By restricting this access or securing their connection you may be able to remove them from the PCI scope.
3. Mask credit card data. If an individual can only view masked data (meaning only the first 5 and last 4 digits of a card number are visible), they may not be in scope for PCI.
4. Sample similar systems. You need not verify the configuration of every system, especially if you know them to be similar. Many companies will sample their systems, especially similar retail stores, groups of servers and the like.
5. (Accept but) Do not store the data! Other options include tokenization, masking or truncating, and data scrubbing.
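As an added illustration of tips 3 and 5 (this is example code written for this page, not code from the newsletter or from The Aegenis Group), the Python below masks a card number for display using the first-5/last-4 split the tip names (the split is a parameter), truncates it to the last four digits for storage, and redacts PAN-shaped digit runs from a constructed application log line so that logs do not quietly become another store of cardholder data. The 13-19 digit length bounds, the function names and the sample log line are assumptions of the example.

```python
import re

# Assumed plausible PAN length range for this example (not stated in the newsletter).
PAN_MIN_DIGITS = 13
PAN_MAX_DIGITS = 19

# Digit run of 13-19 digits, optionally separated by spaces or dashes, bounded
# on both sides so a longer numeric run (an order id, a timestamp) is not matched.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes found in keyed-in card numbers and check
    that what remains is a plausible PAN (digits only, 13-19 of them)."""
    digits = re.sub(r"[ -]", "", raw)
    if not digits.isdigit():
        raise ValueError("PAN contains non-digit characters")
    if not PAN_MIN_DIGITS <= len(digits) <= PAN_MAX_DIGITS:
        raise ValueError("PAN length outside %d-%d digits" % (PAN_MIN_DIGITS, PAN_MAX_DIGITS))
    return digits


def mask_pan(raw: str, keep_leading: int = 5, keep_trailing: int = 4, fill: str = "*") -> str:
    """Display form keeping only the leading and trailing digits (tip 3).
    The default split is the first-5/last-4 one the newsletter tip names;
    adjust the parameters to match the split your assessor accepts."""
    pan = normalize_pan(raw)
    hidden = len(pan) - keep_leading - keep_trailing
    if hidden <= 0:
        raise ValueError("mask would reveal the whole PAN")
    return pan[:keep_leading] + fill * hidden + pan[-keep_trailing:]


def truncate_pan(raw: str, keep_trailing: int = 4) -> str:
    """Storage form keeping only the last digits (tip 5: do not store the PAN).
    The leading digits are discarded, not masked, so they cannot be recovered."""
    pan = normalize_pan(raw)
    return pan[-keep_trailing:]


def redact_pans(text: str) -> str:
    """Mask every PAN-shaped digit run inside free text such as a log line.
    Runs that fail validation are left untouched rather than guessed at."""
    def _mask_match(match: "re.Match[str]") -> str:
        try:
            return mask_pan(match.group(0))
        except ValueError:
            return match.group(0)
    return PAN_PATTERN.sub(_mask_match, text)


# Constructed sample log line (not a real record) showing a PAN leaking into
# an application log next to ordinary numeric fields that must survive intact.
SAMPLE_LOG_LINE = "2007-08-14 10:02:11 order=8812 pan=4111 1111 1111 1111 amount=42.10"


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))      # 41111*******1111
    print(truncate_pan("4111-1111-1111-1111"))  # 1111
    print(redact_pans(SAMPLE_LOG_LINE))
```

The log redaction matters for scope: a server that only writes logs is a "connected system" the moment a full PAN lands in those logs, so masking at the point of writing keeps the log store out of the cardholder data environment.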
The Use of Compensating Controls
When and how should compensating controls be implemented?
Compensating controls are an integral part of PCI DSS compliance. They provide a method by which companies can flex the requirements of cardholder data security to match their unique business processes and security controls. Rarely does a company meet every requirement in the exact way it is stated in the Security Audit Procedures (SAP). Instead, many leverage unique controls that both "meet the intent and rigor" of the requirement not directly met and go "above and beyond" it.
There are several steps that should be followed by companies seeking to implement compensating controls. The first step is to identify whether compensating controls are needed. Compensating controls should only be leveraged when necessary (in the face of legitimate technical or business constraints), with the primary goal being to meet the actual requirements as outlined in the PCI DSS.
Secondly, the organization must understand the intent behind each requirement and use that to enumerate controls that address that intent. The compensating control must be designed to mitigate the same risk, and to the same degree, as the specified control would.
The next step in using a compensating control is to document it. Use the compensating control appendices in the SAP to define the following elements: the constraint that precludes the use of the required control, the objective, the identified risk, and the compensating controls leveraged.
Lastly, the compensating controls that are going to be used should be reviewed and approved. Before implementing any control, it is best to have it reviewed by a qualified third party and then accepted by one's acquirer.
These steps should be repeated on an annual basis regardless of whether or not the original requirement will eventually be met.
Aegenis' Heather Mark Receives Industry Recognition
Dr. Mark named "Mover and Shaker" by Transaction World
Dr. Heather Mark, Vice President of Operations for The Aegenis Group, was named a 2007 Mover and Shaker by Transaction World Magazine. The awards were announced in the August issue of the magazine.
Industry Events and Happenings
Western Payment Alliance - September 9-11, 2007 in Las Vegas, NV
Electronic Transaction Association (ETA) Strategic Networking and Leadership Forum - September 18-20 in Palm Beach, FL
Western States Acquirers Association (WSAA) - October 17-18 in Anaheim, CA
About The Aegenis Group
The Aegenis Group is dedicated to helping companies navigate the choppy waters of data security, information risk, and privacy regulation. The Aegenis Group believes that the ability to understand not just the regulatory mandates themselves, but their total impact on the business environment, can act as a compelling tool for business enablement. From understanding the ways in which your products and services can protect sensitive data to making the right compliance decisions for your business environment, The Aegenis Group can assist your company in facing the risks of an increasingly complex business landscape.
Sincerely,
The Aegenis Group
The Aegenis Group is Moving
As of September 1, 2007, The Aegenis Group will be headquartered at 6410 N Business Park Loop Rd, Suite E, Park City, UT 84098.
Upcoming Aegenis Events
Shift4 Real Security Summit - Sept 26-27, Las Vegas, NV