
Payment Card Security Toughens with DSS 1.2 Release

10/3/2008

The Payment Card Industry Council released an updated version of its PCI data security standard Oct. 1, which is designed to help protect transmitted charge and debit card information.

Opinions are mixed on what the standard, called Payment Card Industry (PCI) DSS 1.2, will mean for security pros going forward. However, the mandate is clear: protect data.

The standard calls for enterprises to build and maintain secure networks, protect stored cardholder data, and encrypt its transmission. In addition, PCI DSS 1.2 spells out a comprehensive vulnerability management program. Steps under the program include access control testing, system monitoring and the implementation of documented enterprise-wide security policies.

The new standards arrive as the IT compliance community contemplates several high-profile data theft cases. In reaction, a two-front enterprise information security strategy has been proposed. Such a strategy involves shoring up IT access controls and locking down data from the inside, as well as strengthening defensive measures so that hackers can't get into the network.

Experts say that a beefed-up security and monitoring program can be folded into audit programs to meet both PCI compliance requirements and Sarbanes-Oxley Section 404 guidelines for general computer controls and application security.

"The intent of PCI DSS 1.2 is to clarify and streamline the existing requirements and provide some flexibility in terms of interpretation of the standards," said Sumedh Thakar, PCI solutions manager at Qualys Inc. "PCI DSS 1.2 does affect some merchants more than others due to the changes involving Wi-Fi, the increased level of documentation requirements and having employees interacting with cardholder data re-accept the policy annually."

Thakar added that the release of the updated standard allows for some streamlining in the compliance process. For instance, some relief is provided to merchants in terms of easing the review requirements around firewall rule audits and risk-based patching of applications.

High Threat Level
Recent thefts at TJX, Hannaford Bros., Countrywide and Citibank come at a time when sentiment toward improving data loss prevention programs is running high.

According to a report released in August by the Information Systems Audit and Control Association (ISACA), securing critical data, specifically the personally identifiable information (PII) of clients and customers, is "a top concern" facing business and technology executives this year. ISACA, known for overseeing COBIT (the Control Objectives for IT framework), has surveyed more than 3,173 IT pros in some 95 countries.

"The cost of losing or compromising the integrity of mission-critical data, and in particular personally identifiable information, is also leading to a renewed focus on information security," said Greg Grocholski, chair of ISACA's Assurance Committee and senior finance director at Dow Chemical. "The survey shows that 81 percent of the 1,600 respondents who named information security management as a number 3 concern said that security risks are not fully known or are only partially assessed using technology."
