Payment Card Security & IT Controls Explained

Entries from November 2007

PCI DSS Teleconference December 6th 2007

November 29, 2007 · 1 Comment

On December 6th at 12 EST I will be co-presenting with Prat Moghe on PCI. We will focus primarily on PCI requirements 3 and 10. The teleconference is built on questions submitted by participants that will be addressed on the presentation. Listen live or check back for the future archived version.

http://www.tizor.com/News-And-Events/Hot-Topics/So-you-think-youre-compliant

So you think you’re compliant?

So you think you’re compliant? Let’s talk PCI: An hour with the experts

Even as another PCI deadline looms, questions are being raised about what it means to be PCI compliant. Not only is there confusion about what it takes to become compliant, there is also a lack of confidence that stored customer data will be safe from internal and external threats once PCI requirements are met.

The confusion on the subject of PCI is exacerbated by varying technologies that claim to be the silver bullet for compliance. Hoping to reverse that trend, Tizor Systems invites you to a teleconference event designed to provide straightforward answers to pressing questions about some of the grey areas of PCI compliance. Specific areas that we will be covering during the teleconference include:

  • Data security and how it relates to cardholder data protection,
  • PCI requirements 10 and 3, when and where to use encryption,
  • Compensating controls for encryption,
  • Today’s approach to database logging and why it doesn’t work for compliance or, more importantly, for catching internal and external threats

Best,

James DeLuccia

Categories: PCI DSS · audit · auditing · conference · regulations

Merger & Acquisition impacts to technology and PCI DSS compliance

November 16, 2007 · 1 Comment

The other day I was reading a post by Alan Calder who referred to a presentation overview covering mergers and acquisitions entitled IT Governance and Mergers. This topic has interested me for some time. Merging the information environments of two organizations is a very complex situation, and one that I feel must be strongly considered by practitioners and executives alike. A few considerations about how we are defining M&A:

  • The blending of two information systems can be two separate public companies that are merging through some financial arrangement
  • In other cases, and much more commonly, the organization may be centralizing the technology environment after years of organic regional self-governance
  • A third case to consider is the re-development of the information environment (i.e. cancel the BPO and bring technology systems back in house)

The convergence of information environments covers all aspects of an organization at once: its controls, its processes, and its people. In the article the author does an excellent job highlighting the results of a conference session he hosted on M&A. He breaks down some great points to consider and pitfalls to be wary of when technology centers merge together (the focus is on law firms but wholly transferable to any organization). I would strongly recommend reading his full post, as he had access to numerous high-level CIOs.

While a full breakdown of M&A best practices is a worthwhile topic, this post focuses on the PCI DSS and general compliance issues that arise, and highlights some points that must be understood:

  • Merging organizations creates a single entity - this applies to everything from taxes to compliance requirements. An organization that was once excluded from specific disclosure laws may now be obligated.
  • PCI DSS levels of attestation are determined based on each card association’s total accounts processed by a single entity. Two organizations that merge as Level 2 Merchants may soon become Level 1 Merchants. This leap greatly increases the operating technology budget needed to ensure greater controls are in place, and initiates a need to develop a plan to achieve compliance.
  • Policies and procedures of each organization are different, and as these systems are merged together - which is considered best practice - there must be a full revamp of the documentary evidence.
  • The merging of each organization’s backbone infrastructure also introduces a larger number of access points to sensitive data, and/or increases the scope and applicability of compliance safeguards. These may require a full evaluation of the technology architecture and of the information flows through the system.

The effects of M&A on organizations are an exciting problem to solve, but they may only be addressed efficiently by completing the following basic steps:

  • Develop a consensus on the business direction after the merger through a management-level session
  • Identify all systems that manage the information environment and map BOTH environments to the controls, business requirements, contractual obligations, and regulatory mandates of the post-merger business
  • Prior to “flipping the switch”, consolidate and expunge unnecessary systems
  • Finally, institute performance monitoring thresholds throughout the environment to further improve the organization’s information systems
  • A decision should be considered prior to every merger - should this merger happen? A strong question that must be weighed where technology environments are competitive advantages

Other experience with M&A? Please add comments on how it affected your PCI compliance efforts.

Best,

James DeLuccia IV

Categories: IT Controls · PCI DSS · Payment Card Industry Data Security Standard · audit · auditing · mergers and acquisitions