FFIEC News
New Book Offers Merchants A Practical Guide To PCI DSS Compliance
(April 14, 2008) -- Achieving compliance with the Payment Card Industry Data Security Standard ('PCI DSS') is a priority issue for all merchants accepting credit and debit cards. To help the project managers, executives and security officers tasked with delivering compliance, IT Governance has launched 'PCI DSS: A Practical Guide to Implementation', which offers focused advice on how to build and maintain a sustainable PCI DSS compliance programme.
The PCI DSS must be met by all merchants that accept credit and debit cards issued by the major card brands. It is not a law but a contractual obligation, applied and enforced through the card brands and the merchant's acquiring bank, and a failure by a merchant to comply can result in fines, restrictions on card acceptance and significant brand damage.
The Standard requires merchants and member service providers to adopt a number of specific measures to ensure cardholder data security. These include building and maintaining a secure network, protecting stored and transmitted cardholder data, maintaining a vulnerability management programme, and maintaining an information security policy. As described on the IT Governance website, merchants are placed in one of four levels according to the volume of payment card transactions they process annually; the level determines how compliance must be validated, although the Standard's requirements themselves apply to every merchant.
'PCI DSS: A Practical Guide to Implementation' is intended as a complementary resource for those responsible for PCI DSS compliance, helping the reader to interpret and utilise other publicly available information about the Standard. Over 184 pages, it provides a helpful nine-step programme for creating a compliance regime and discusses the relationship of PCI DSS to ISO27001 (http://www.itgovernance.co.uk/iso27001.aspx), the international best practice standard for information security management. Topics addressed include project initiation, gap analysis, auditing, and maintaining and demonstrating compliance. Also provided in the appendices are a project checklist, project plan and details of recommended further reading.
'PCI DSS: A Practical Guide to Implementation' is written by Steve Wright, a consultant and lecturer with extensive experience in the design and implementation of security architecture and information security governance frameworks, including PCI DSS. Steve has successfully delivered information security projects for several UK government agencies and has completed many consulting engagements for global corporations in sectors including business process outsourcing, manufacturing, telecoms, IT and healthcare. He currently manages a security management practice and is active as a lecturer and trainer on Information Risk Management and on many British Computer Society ISEB courses.
Alan Calder, Chief Executive of IT Governance, comments, "Building a PCI DSS programme from scratch can be a daunting task. This new book helps those with direct responsibility to accelerate their learning and chart the most direct course to sustainable compliance."