
PCI: Performing Continuous Investigations

By Archive User posted 04-07-2011 03:01 PM

  

Payment card security has continuously evolved to provide more stringent protection for cardholder data. From its initial focus on large payment gateways and processors, the scope of cardholder data security has expanded to include all merchants, all sizes, and all systems.

Compliance with PCI 2.0 will entail more work than PCI 1.0 because of the new requirements for your cardholder data environment (CDE). [See PCI Version 2.0: New For YOU and Seek and Ye Shall (Probably) Find.] How much more is still an open question. My “A-ha!” moment came while preparing for our next TouchNet LIVE webcast with Western Illinois University. WIU centrally scans campus computers for unsecured credit card numbers and SSNs. They’ve discovered that each time they run a scan, about 40% of scanned machines require attention – whether it’s a first scan, a second, or a subsequent scan.

Lesson learned: Scanning for PCI data is no different than scanning for viruses; one and done doesn’t work. It’s an ongoing process. Payments happen all the time and people do stuff all the time. In fact, the challenge to comply with PCI standards brings to mind one of my favorite sayings:

What gets focused on gets done, and
what doesn’t get focused on gets undone.

Remember, compliance is more than an annual report. It is the continuing result of your efforts to comply with PCI standards. At any given time, you’re either in compliance or out. As you read this, ask yourself... “Is my institution PCI compliant right now?”

Thanks for reading.

 

PS: You can view Michael Rodriguez, Chief Information Security Officer for Western Illinois University, as he discusses his experiences in scanning for PCI data. Tune in Tuesday, April 12, at 1:00 p.m. (Central Time) during our TouchNet LIVE! video-cast.

SPECIAL UPDATE: On March 29, U.S. Federal Reserve Chairman Ben Bernanke notified leaders in the Senate and House of Representatives that the Federal Reserve would be unable to meet the April 21 deadline to publish final interchange fee standards as directed by the Dodd-Frank Act. The Fed still plans to issue the rules on or before July 21, when the rules are scheduled to go into effect. We’ll keep you posted on Federal Reserve decisions as further information becomes available.