Compliance is a common pain point for many organizations, particularly as regulations evolve. The Payment Card Industry Data Security Standard (PCI DSS) is maintained by the PCI Security Standards Council but enforced by the major card brands, each of which runs its own compliance program with slightly different validation and reporting requirements. To help navigate the somewhat nebulous mandates used to protect card numbers and other sensitive consumer data, the PCI Council recently issued a guide detailing common vulnerabilities and effective risk management strategies.
Any organization that handles payment card data faces fines from the card brands, passed down through its acquiring bank, if its data security practices are not up to standard. As the council noted, many businesses fall into the trap of relying on weak encryption or weak key management. PCI DSS, for example, requires strong cryptography (a current version of TLS, not the deprecated SSL protocol or early TLS) for cardholder data sent over open, public networks, and requires stored card numbers to be rendered unreadable, typically by encrypting stored files with keys that are themselves protected and managed. Data-centric controls of this kind protect against external attackers as well as internal weaknesses such as network configuration errors, because the data stays protected even when a perimeter control fails.
Particularly as technology infrastructures become more complex, businesses should adopt a layered security approach: protect the network perimeter, and also protect the information behind it, so that a single misconfiguration or compromised host does not expose everything. Although it may be difficult to identify which assets deserve the most protection, formulating a comprehensive risk management strategy can improve data security across the whole organization.
For example, the PCI Council suggested that representatives from across the company's departments come together to determine the value of the company's data and which measures should be used to protect it. It is also crucial to adopt a risk management framework that includes regular evaluation, so that the program improves over time rather than remaining a one-off assessment.
"In addition, security incidents that may have occurred, within either the organization or industry, can be reviewed to help an organization identify potential threats," the PCI Council explained. "Threats are commonly measured in terms of the capability of the 'threat agent' (anything that has the potential to realize a threat), the intent of the threat agent, relevance to the organization, likelihood that a threat will occur, and the potential for adverse impacts."
Compliance in the cloud
As businesses migrate mission-critical assets to the cloud, there are important questions decision makers must ask of their providers. Writing for Network World, Jose Albino of Hughes Cloud Services noted that a provider's data security measures should be thoroughly evaluated. Due diligence on potential technology partners is essential, but companies should still exercise caution in moving assets to the cloud, since a provider's controls are outside their direct view. By encrypting data before it leaves the organization and retaining control of the encryption keys, a business can outsource its IT operations without also handing the provider the ability to read its intellectual property.
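The "keep your own keys" point above, shown as an added example that is not from the original article, Network World or Hughes Cloud Services: envelope encryption in Go, where each record is encrypted under a random data key, that data key is wrapped under a key-encryption key (KEK) the organization never gives the provider, and the provider stores only ciphertext. The function names (Encrypt, Decrypt, RotateKEK), the CloudObject layout and the sample record are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudObject is everything the provider is allowed to hold: the bulk
// ciphertext and a data key that is itself encrypted under a customer-held
// key-encryption key (KEK). Without the KEK, none of it can be read.
// (Layout is an assumption for this example.)
type CloudObject struct {
	Nonce      []byte // nonce for the bulk ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the record
	WrapNonce  []byte // nonce used when wrapping the data key
	WrappedKey []byte // AES-256-GCM ciphertext of the 32-byte data key
}

// gcmFor builds an AES-GCM AEAD for a 16/24/32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce.
func seal(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails on a wrong key or any tampering.
func open(key, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// Encrypt runs on the customer side before upload: a random per-object data
// key encrypts the record, and only the KEK-wrapped form of that key is stored.
func Encrypt(kek, plaintext []byte) (*CloudObject, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dataKey)
	if err != nil {
		return nil, err
	}
	return &CloudObject{Nonce: nonce, Ciphertext: ct, WrapNonce: wrapNonce, WrappedKey: wrapped}, nil
}

// Decrypt also runs on the customer side: unwrap the data key with the KEK,
// then open the bulk ciphertext. A wrong KEK fails at the first step.
func Decrypt(kek []byte, obj *CloudObject) ([]byte, error) {
	dataKey, err := open(kek, obj.WrapNonce, obj.WrappedKey)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong or missing KEK")
	}
	return open(dataKey, obj.Nonce, obj.Ciphertext)
}

// RotateKEK re-wraps the data key under a new KEK. The bulk ciphertext held by
// the provider is untouched, so rotating the KEK never requires re-uploading data.
func RotateKEK(oldKEK, newKEK []byte, obj *CloudObject) error {
	dataKey, err := open(oldKEK, obj.WrapNonce, obj.WrappedKey)
	if err != nil {
		return errors.New("cannot unwrap data key with old KEK")
	}
	wrapNonce, wrapped, err := seal(newKEK, dataKey)
	if err != nil {
		return err
	}
	obj.WrapNonce, obj.WrappedKey = wrapNonce, wrapped
	return nil
}

func main() {
	// Constructed sample: a KEK that never leaves the organization and a record
	// standing in for sensitive data. In production the KEK lives in an HSM or
	// KMS under the customer's control, not in process memory like this.
	kek := make([]byte, 32)
	rand.Read(kek)
	obj, err := Encrypt(kek, []byte("constructed sample: customer record 0001"))
	if err != nil {
		panic(err)
	}
	providerKey := make([]byte, 32) // whatever key the provider might hold
	rand.Read(providerKey)
	_, err = Decrypt(providerKey, obj)
	fmt.Println("provider decrypt:", err)
	pt, _ := Decrypt(kek, obj)
	fmt.Println("customer decrypt:", string(pt))
}
```

Two properties matter for the cloud case. First, the provider holds ciphertext and a wrapped key only, so a breach on its side, or a subpoena served on it, yields nothing readable; the GCM authentication tag also makes any modification of the stored object detectable at decrypt time. Second, because only the small wrapped key depends on the KEK, the organization can rotate or revoke its KEK by re-wrapping, without touching the bulk data it has already uploaded.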