
So my first post is up on the NetSPI blog …

6 August 2009

So my first post for the official NetSPI PCI blog is up there and, true to form, it’s not of a technical nature - merely an observation on how far the impact of PCI reaches. One of the things that I talk about is how the retail and hospitality communities have gone through something very close to the grieving process in dealing with PCI - now organizations outside of retail and hospitality are starting this process - and it’s just as painful for them as it was for the retail community a few years ago.

One thing that I didn’t really talk about in that post has to do with another way that non-retail/hospitality companies are repeating history - particularly in their approach to compliance. Here’s a blurb that I left out of the NetSPI post…

There is another important note to make - one that again tends to mirror the history of PCI in retail/hospitality. A PCI audit is a point-in-time event, but PCI compliance is not a point-in-time situation. When PCI first came into being (and once retailers resigned themselves to its applicability) the race was to ‘become compliant’ - in other words, pass the audit.

Over the years, the focus has slowly changed - passing your audit is obviously extremely important, but operationalizing PCI within your organization has become the focus for most large retailers. Building a compliance program, driving down internal costs, and constantly identifying and addressing new vulnerabilities is now where leading retail and hospitality companies are focused. NetSPI is working with our clients outside of retail/hospitality on developing these important compliance approaches, but a lot of companies outside of the ‘traditional’ PCI-focused industries, still in denial, are stuck in ‘pass the audit’ mode.

While we don’t really know what will happen with security standards in the future, we do know that, if you take card payments, the PCI-DSS applies to you. Now. Today. How your organization chooses to address PCI is entirely up to you, but any decision to not deal with PCI compliance needs to be looked at very closely with an eye to risk. While the ability to take credit and debit card payments may not mean quite as much to you as it would to a national fashion retailer or a hotel chain, there is a definite risk to your business - and a risk of wasting money by chasing the audit without an eye to sustainability or to operationalizing security and compliance.
