Wednesday, April 28, 2010

Making it harder to steal your data - but will the auditors trust it?

Customers want their data to be secure, firms don't want to be liable for the financial and brand damage caused by lost client data, and governments are pushing through new regulations to tighten privacy and security policies in businesses. For once, the standards bodies seem to be keeping up, more or less, with the needs of the industry, helping to clarify once and for all the use of more advanced security technologies and their legal aspects. For example, if a firm encrypts data, making it hard for unauthorized people to get at, how are the auditors, who are used to unrestricted access to everything, going to respond?

The new set of Payment Card Industry Data Security Standards (PCI DSS) is expected to be released in October 2010 by the PCI Security Standards Council. A Thales press release discusses related research on the impact of the changes, drawn from a survey the company sponsored.
The Ponemon Institute, an information-management think tank, designed the survey to focus on identifying trends, recommendations and preferences of QSAs involved in PCI DSS compliance. Specifically, the survey questions focused on the background, experience, client observations, expected changes in PCI DSS, preferences on how to achieve compliance, and typical client recommendations. The results are available in this newly released report, sponsored by Thales, entitled: PCI DSS Trends 2010: QSA Business Report. The report can be downloaded at
"Our research continues to validate that 60 percent of QSAs believe encryption to be the most effective means to protect card data end-to-end, and 41 percent of QSAs said that controlling access to encryption keys is the most difficult key management task faced by clients using encryption. It remains clear that QSAs consider encryption to be one of the best techniques merchants can use to keep information safe and comply with PCI requirements. The current version of the standard, however, is ambiguous about how exactly encrypted data should be treated in audits, so QSAs seem to be confident that the October 2010 update to PCI DSS will provide clarity," says Dr. Larry Ponemon, chairman and founder of The Ponemon Institute.
Encryption and electronic signatures are technologies that are well within the reach of companies that handle client data, payment transactions and sensitive information, or that need to prove non-repudiation of agreements and contracts. The approaches to implementing the technology still need a little wiring to get them to work, though we are seeing solutions from companies like Thales, and the vendors we expect to see at Finovate on May 11th, that are making this easier.

What is still needed is a clear, unambiguous judgment on the use of these technologies at the level of compliance, audit and legal, to say once and for all that a well-implemented system of a certain design, with appropriate management, will satisfy the courts and the regulators the way paper, a signature and a locked safe once would. The new PCI standards help, but there is still a long way to go.

A post from the Improving It blog
