Thursday, August 25, 2011

Your first PCI audit may be over . . . but your journey is just beginning

By James Kelly
Over the last year, it has been interesting to watch retailers move from the approval of their first PCI audit to maintaining their overall PCI compliance. Everyone was aware that PCI is a continual process and that you are never really "finished" with PCI, but most appear to have underestimated the amount of work required to maintain compliance year after year.
While there are many requirements around ongoing compliance, three areas in particular create unique challenges for the convenience store (c-store) environment and should be carefully planned for:
- Monitoring of audit logs
- Penetration testing
- Vulnerability scanning

Combine the fact that PCI has very specific requirements around each of these items with the variety of configurations and the complexity of a c-store IT environment, and you end up with a very challenging problem. Addressing it often involves large amounts of time and potentially dedicated hardware and software.
Many retailers are attempting to manage their own compliance by standardizing their network configurations across their locations and by adding or refocusing IT staff toward compliance. Others are contracting with one of the many PCI-approved service providers that offer products to handle each of the items mentioned above. Not surprisingly, many retailers I have spoken with have already drastically altered their ongoing maintenance plans from what was originally submitted as part of their PCI audit, and they continue to look for the right solution to fit their needs.
So, if you are one of those retailers who is just moving into "maintenance mode" and find yourself throwing out your original plans, take comfort in the fact that you are not alone, and that the right solution is out there, just waiting for you to find it.
