Retail sector

ISO 27001 Brings it all Together for Retailers

PCI DSS is an important challenge not only for U.S. retailers, but also for any organization that stores, processes or transmits cardholder data from any of the participating card brands, including Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International. For instance, in Canada, to achieve compliance with the Visa Account Information Security (AIS) Program, merchants and service providers must also adhere to PCI DSS.

Retailers that fail Payment Card Industry Data Security Standard (PCI DSS) assessments can be fined up to $500,000.

Additional penalties range from increased assessment requirements to withdrawal of card processing privileges. Generally, retailers that process over 20,000 credit card transactions per year must complete an annual self-assessment questionnaire and have quarterly external network scans performed by an Approved Scanning Vendor (ASV). Retailers that process over 6 million credit card transactions per year are also subject to an annual on-site assessment. While on the surface the PCI standard seems straightforward, on closer inspection in preparation for an on-site assessment, compliance can become considerably more complicated.

A few strategic security investments at the network and application layers can significantly simplify PCI DSS compliance while maintaining cost-efficiency. This paper highlights the top reasons for assessment failure or security breach, and outlines a better way to secure your payment card infrastructure. It discusses combining a Unified Threat Management (UTM) approach with an integrated Vulnerability Management (VM) strategy within an ISO/IEC 27001/2 Information Security Management System (ISMS) framework that supports the critical PCI compliance criteria.

The PCI DSS addresses much of the granular detail around how payment card related controls should actually be implemented, while ISO/IEC 27001/2 offers guidance on the prerequisites for an overall security management framework: scope definition, management commitment and sponsorship, and ongoing improvement plans. Fortinet provides an established practice around ISO/IEC 27001/2 that aligns with an assessment-ready PCI DSS solution.

Internationally recognized as a de facto security standard and crafted to apply to a wide range of industries, ISO/IEC 27001/2 comprises two different standards: (1) ISO/IEC 27001, which specifies the requirements for an Information Security Management System (ISMS), and (2) ISO/IEC 27002, a code of practice for information security management that details over a hundred controls, from business continuity planning and system access control to asset classification and security policies.

Major issues faced by retailers:

  • Insufficient Protection of Stored Cardholder Data
  • Inadequate Testing of Security Systems and Processes
  • Insufficient Access Controls
  • Inadequate Isolation of Wireless Networks
  • Misconfigured Firewall/VPN

While PCI DSS tells you what needs to be done, ISO 27001 provides the Information Security Management System (ISMS) for managing implementation and sustaining compliance.