Foreign-language conference: International Conference on Financial Cryptography and Data Security

STE Is the Most Cost Effective Measure for Comply with Payment Card Industry (PCI) Data Security Standard


Abstract

In September of 2006, the five leading payment brands formed an independent council to manage the Payment Card Industry (PCI) Data Security Standard (DSS). American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International saw the need to secure payment account data in a globally consistent manner. As such, financial institutions that store, process and transact credit cards must comply with the PCI/DSS. Noncompliance fines can reach up to USD500,000 per incident, including the public disclosure of breaches. Financial institutions can implement very broad security controls to comply with the PCI/DSS standard, but the cost can be prohibitive. This poster argues that the most cost-effective security measure is to conduct a Security Testing and Evaluation (ST&E) project before the expensive audit performed by a PCI DSS Qualified Security Assessor (QSA) company. We have proposed five distinct phases of ST&E and what they mean to the CIO/CTO of financial institutions. The five phases of ST&E are 1) Planning, 2) Develop Evaluation Methods and Tool Selection, 3) Test Execution and Reporting, 4) Corrective Measures Recommendation and 5) Re-Testing.
