Thursday, June 16, 2011

PCI DSS 2.0 released - What does it mean for you?

The new version of the PCI DSS requirements was released last fall (October 2010). If you were worried that it would bring enough work to occupy your every moment for the next several months, fear not. The changes from version 1.2 to version 2.0 are relatively minor, primarily clarifications of existing requirements that explain their true intent more clearly. You can download the new requirements here.

The true cost of non-compliance
Cardholder data represents a large risk to any company that stores, processes, or transmits it. Fines levied by the card brands such as Visa and MasterCard (passed down through your acquiring bank) can be extremely costly, not to mention the cost of notifying cardholders of a breach, legal action, and the loss of your valuable reputation. While large enterprises typically take steps to ensure their PCI compliance, many small to mid-sized firms fail to do so, believing that compliance is too difficult or costly.

The good news is that achieving compliance is often less difficult than imagined, and many PCI DSS requirements are simply good information security practices you should already have in place. Specialized tools such as file-integrity and compliance monitoring (PCI DSS Requirement 11.5 calls for file-integrity monitoring of critical files) give you greater insight into your PCI environment and automate the checking of system settings against the standard. While achieving and maintaining PCI compliance is not without cost, that cost should be weighed against the risk to your enterprise should a breach occur.

Wednesday, June 15, 2011

International Monetary Fund, Citibank Suffer Security Breaches

This past week, it was widely reported that the IT infrastructure of both the IMF and Citibank had been breached. With the breaches at Sony Online Entertainment and Sony Pictures slightly more than a month earlier, it appears that attackers are finding more holes in organizations' IT defenses. In an eWeek article last week, Mark Hatton, president and CEO of Core Security, noted that deploying defensive technologies and hoping they keep the bad guys out is “clearly not working.” You can read the entire eWeek article on the Citibank breach here. For more information on the IMF breach, read the SC Magazine article.

Given that attackers are readily gaining access inside networks, bypassing traditional “perimeter” defenses, what are companies to do? Perimeter defenses still have their place, but now is the time to add technologies that provide multiple layers of security: a defense-in-depth strategy. Integrity monitoring tools such as CimTrak function as a last line of defense, watching not only critical files but also the configurations of perimeter devices such as firewalls. Knowing when a change occurs, such as a file being added or a port being opened, can mean the difference between detecting malicious activity promptly and a breach that goes unnoticed. Visit www.cimtrak.com to learn more.
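The mechanism behind the integrity monitoring described above (and behind the automated checking of system settings mentioned in the PCI post) is a baseline-and-diff: record a known-good state, take a fresh snapshot later, and report what was added, removed, or modified. The following is an added illustration written for this page; it is not CimTrak's code or anything from the original post. It hashes files under a directory and, using the same diff routine, compares listening-port tables. The `ss -ltnp` lines, the file names, and the `parse_ss_listeners` helper are all constructed for the example.

```python
"""Minimal baseline-and-diff integrity monitor (illustrative, not a product)."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample output in the shape of `ss -ltnp` (not captured from a real host).
BASELINE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
"""

# Same host later: an unexpected listener has appeared on port 4444.
CURRENT_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
LISTEN 0      10     0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=1337,fd=3))
"""


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_files(root: Path) -> dict[str, str]:
    """Map relative path -> sha256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def parse_ss_listeners(ss_output: str) -> dict[str, str]:
    """Hypothetical parser: map local address:port -> owning process name.

    Only the process *name* is kept, so a daemon restart (new pid) is not
    reported as a change, while a different program on the same port is.
    """
    listeners: dict[str, str] = {}
    for line in ss_output.strip().splitlines()[1:]:  # skip header row
        parts = line.split()
        if len(parts) < 6 or parts[0] != "LISTEN":
            continue
        m = re.search(r'\(\("([^"]+)"', parts[5])
        listeners[parts[3]] = m.group(1) if m else parts[5]
    return listeners


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Added / removed / modified keys between two name->value snapshots.

    Generic on purpose: the same function diffs file hashes and port tables.
    """
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def demo() -> dict[str, dict[str, list[str]]]:
    """Build a constructed tree, take a baseline, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("port=8443\n")
        (root / "bin" / "server").write_bytes(b"\x7fELF placeholder bytes")
        baseline = snapshot_files(root)

        # Simulated tampering: config edited, unexpected script dropped, binary removed.
        (root / "etc" / "app.conf").write_text("port=8443\ndebug=true\n")
        (root / "etc" / "cron.sh").write_text("#!/bin/sh\n# unexpected script\n")
        (root / "bin" / "server").unlink()
        file_drift = diff_snapshots(baseline, snapshot_files(root))

    port_drift = diff_snapshots(parse_ss_listeners(BASELINE_SS), parse_ss_listeners(CURRENT_SS))
    return {"files": file_drift, "ports": port_drift}


if __name__ == "__main__":
    for scope, drift in demo().items():
        print(scope, drift)
```

Two caveats a practitioner would add before relying on something like this: the baseline must be stored (and ideally signed) off the monitored host, since an attacker with root can otherwise rewrite the baseline along with the files; and a real monitor also tracks ownership, permissions, and timestamps, not just content hashes, because a mode change on a setuid binary is as interesting as a content change.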