First, the basics: The objective of PCI is to implement a worldwide information security standard so that all merchants that accept credit cards would be required to protect cardholder data by complying with a set of universal security standards. The Payment Card Industry Security Standards Council (PCI SSC) was formed in 2004 to ensure that consistent security measures are taken worldwide to protect cardholder data with comprehensive regulations reaching the market with force in 2006.
The PCI DSS requirements cover six basic control objectives covering many areas of company networks and practices:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
PCI regulations are designed to be comprehensive and iterative, with many companies currently entrenched in the early stages of the two-year Lifecycle Process for changes to PCI DSS. Unfortunately, many companies have also recently incurred steep fines for not complying with PCI, and if PCI hasn't caught them, their customers have. Despite some debate around whether PCI goes too far or not far enough in securing networks and protecting cardholders, it does not appear to be going away and instead seems to be gaining momentum, as emphasized by Ellen Messmer of Network World in 'New laws complicate security efforts in 2010'.
In the times we live in, network and information security are absolutely necessary--as is regulatory oversight to ensure this security when outside interests are at risk. So, how far has your company come on its road to PCI compliance? What roadblocks have you encountered? What combination of security tools are you using or researching?