Best practices: Data security  |  by Bryan Johnson and Ben Rothke

Best Practices for PCI Compliance

PCI, like most information security fundamentals, is simply focused on attention to detail and risk management.

By now, most IT managers are familiar enough with the PCI Data Security Standard (PCI DSS) to know it is a requirement if they want to process credit cards. What frightens many of these managers is that they are wading into unfamiliar territory and are nervous about PCI consuming a significant amount of their staff's time and their department's budget.

But even the most expensive PCI project still pales in comparison to the costs of even a single significant data breach. A single breach can cost millions of dollars to clean up and tens of millions of dollars in long-term costs.

TJX Companies, for example, is now the poster child for how to do things wrong when it comes to a breach. The company announced earlier this year that it took a $12 million loss, equal to 3 cents per share, because more than 40 million credit and debit card numbers were stolen from its systems during an 18-month period. That theft is one of the largest reported customer data breaches to date.

The $12 million in losses covered the costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal and other fees. TJX also reported that it would continue incurring these types of costs related to the intrusion.

With a comprehensive and formal security program in place, one that supported the specific PCI requirements relevant to its business, chances are TJX would not be in the situation it is in now: facing myriad lawsuits. TJX violated numerous basic security guidelines and various PCI requirements, all of which had a direct financial impact on its earnings.

Understanding PCI Compliance

Businesses that process credit cards fall into one of four PCI categories based on their annual processing volumes. The different levels share the same PCI DSS technical requirements but differ in how compliance must be validated:

Level 1: More than 6 million transactions annually across all channels, including e-commerce.
Requirement: Annual Onsite PCI Data Security Assessment and Quarterly Network Scans.

Level 2: 1 million to just shy of 6 million transactions annually.
Requirement: Annual Self-Assessment and Quarterly Network Scans.

Level 3: 20,000 to 1 million e-commerce transactions annually.
Requirement: Annual Self-Assessment and Quarterly Network Scans.

Level 4: Fewer than 20,000 e-commerce transactions annually, and all merchants across channels with up to 1 million Visa transactions annually.
Requirement: Annual Self-Assessment and Annual Network Scans.

BizTechMagazine.com • December 2007
The following are the 12 PCI DSS requirements:

1) Install and maintain a firewall configuration to protect data. Note that there are no "PCI-compliant" firewalls. PCI Requirement 1.1 is intended to ensure that companies put a firewall configuration policy in place and also develop a configuration test methodology. A merchant must configure the firewall accordingly to protect cardholder data. Most firewalls can be configured for that need.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.
3) Protect stored data.
4) Encrypt transmission of cardholder data and sensitive information across public networks.
5) Use and regularly update antivirus software.
6) Develop and maintain secure systems and applications.
7) Restrict access to data by business need to know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test security systems and processes.
12) Maintain a policy that addresses information security.

A quick review of these 12 requirements shows nothing close to revolutionary. In fact, the PCI DSS is simply basic computer security.

Security Frameworks

The best way to ensure PCI compliance is to have a security framework in place. A security framework (such as ISO 17799 or the Information Technology Infrastructure Library) encompasses the assumptions, concepts, risk values and security practices underlying an organization's information security infrastructure. Frameworks are invaluable because today's enterprise security projects are likely to be more complex than those of years past. In addition, standards and regulations — the category PCI falls into — enable organizations to demonstrate compliance.

Adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations such as Sarbanes-Oxley. Of course, an effective framework also makes PCI compliance significantly easier to achieve.

PCI Best Practices

This article doesn't detail all the myriad best practices for PCI compliance. But executing the following steps will ensure your PCI project runs much more smoothly.

1) Gap Analysis
• Gap analysis is a natural starting point for any PCI endeavor.
• Determine whether each requirement is adequately addressed for every in-scope system.
• The PCI Self-Assessment Questionnaire (SAQ) from the PCI Security Standards Council should be completed. The SAQ is divided into six sections, each focusing on a specific area of security, based on the DSS requirements. After completing the SAQ, you should have a fairly good idea of which controls and tools are in place and which are not.

2) Policies/Procedures
• Establish policies and procedures to limit the storage and retention time of PCI data.

3) Data Discovery
• Know exactly where all your relevant PCI data is.
• Identify all payment acceptance channels, data flows and locations where PCI data is stored.

4) Create a Process for Data Encryption
• Far too many merchants send unencrypted credit card data via e-mail. Create a program for encrypting data.

5) Don't Store Track Data
• Merchants are prohibited from storing track data. Track data is the information encoded within the magnetic stripe on the back of a credit card, which is read by a point-of-sale (POS) system.
• Some POS systems have been collecting this information without the merchant knowing. Hackers find out which POS systems are storing this information and then target the retailers who use that particular system.
• Additionally, merchants have misunderstood what information they actually need in order to process transactions.
• Most POS vendors with systems that capture and store that information have been scrambling to make sure they and their customers are making the appropriate adjustments to become PCI compliant.

6) Unsecured Wireless
• Merchants should not use unsecured wireless networks to transmit data.

7) Training
• PCI training is a must. Not every staff member needs to be a PCI Qualified Security Assessor (QSA). But they do need a formal training program on what they have to do to ensure they are handling credit card data in a manner that supports the PCI requirements.

8) POS Modification
• POS systems can be the Achilles' heel of a PCI effort.
• Ensure that POS devices are not storing full card data, especially the Card Validation Value/Code.
• The full 16-digit credit card number should never appear on any hard-copy output.

9) Physical Security
• Ensure appropriate physical security of systems and associated peripherals. Verify that there is no unauthorized physical access.

10) Logging
• Regularly review system security and audit logs.

PCI, like the fundamentals of information security, is simply a matter of attention to detail and risk management. By attending to those core elements, combined with best practices, you will significantly increase your ability to obtain PCI compliance. [Bt]

Bryan Johnson (bryan.johnson@getbraintree.com) is the founder and CEO of Braintree Payment Solutions, an end-to-end provider of payment processing solutions. Ben Rothke (ben.rothke@bt.com), CISSP, QSA, is a security consultant with BT INS and author of Computer Security: 20 Things Every Employee Should Know.
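A defender-side check for the Data Discovery (step 3), Don't Store Track Data (step 5) and POS Modification (step 8) points in the best-practice list, added here as an example rather than the authors' or Braintree's own tooling: it scans text for Luhn-valid PANs and magnetic-stripe track 1/track 2 records so you can find where card data is being kept, and masks any PAN before it reaches printed output. The file names, log lines and the test card number 4111 1111 1111 1111 are constructed for the example.

```python
"""Cardholder-data discovery and output masking (added example, not the
article's code). Steps covered: 3 Data Discovery, 5 Don't Store Track Data,
8 POS Modification. All sample data is constructed; 4111 1111 1111 1111 is a
public test card number, not a real account."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit order id is never a candidate).
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
# Track 1: %B<PAN>^<NAME>^<expiry, service code, discretionary data>?
TRACK1_RE = re.compile(r"%B[0-9]{13,19}\^[^^]{2,26}\^[0-9]{4,}[^?]*\?")
# Track 2: ;<PAN>=<expiry, service code, discretionary data>?
TRACK2_RE = re.compile(r";[0-9]{13,19}=[0-9]{4,}[^?]*\?")


@dataclass(frozen=True)
class Finding:
    source: str    # file or log name
    line_no: int   # 1-based line within that source
    kind: str      # "pan", "track1" or "track2"
    masked: str    # PAN with all but the last four digits replaced by '*'


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out order ids, timestamps and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most a receipt should show."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(source: str, line_no: int, line: str) -> List[Finding]:
    """Report track records first, then any Luhn-valid PAN outside them."""
    findings: List[Finding] = []
    consumed: List[Tuple[int, int]] = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            pan = re.search(r"[0-9]{13,19}", m.group()).group()
            findings.append(Finding(source, line_no, kind, mask_pan(pan)))
            consumed.append(m.span())
    for m in PAN_RE.finditer(line):
        if any(start <= m.start() < end for start, end in consumed):
            continue                       # already reported as track data
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding(source, line_no, "pan", mask_pan(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Data-discovery pass over {name: text}; returns every hit, masked."""
    hits: List[Finding] = []
    for name, text in files.items():
        for no, line in enumerate(text.splitlines(), start=1):
            hits.extend(scan_line(name, no, line))
    return hits


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid PAN before text goes to a printer or a log."""
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


# Constructed sample data: a chatty POS debug log that keeps far too much,
# and an export that contains no cardholder data at all.
SAMPLE_FILES = {
    "pos/debug.log": (
        "2007-12-03 14:02:11 auth ok card=4111 1111 1111 1111 amt=42.17\n"
        "2007-12-03 14:02:12 swipe raw=;4111111111111111=25121010000000000?\n"
        "2007-12-03 14:03:40 order 2007120300123456 shipped\n"
    ),
    "export/customers.csv": "id,name,phone\n1,Jane Doe,555-0100\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.source}:{f.line_no} {f.kind:6} {f.masked}")
    print(redact_pans("RECEIPT  Card: 4111 1111 1111 1111  Total: 42.17"))
```

The order id on the third log line has 16 digits but fails the Luhn check, so it is not reported; the swipe line is flagged as stored track 2 data, which is exactly what step 5 says must never be retained.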

More Related Content

More from Ben Rothke

E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryptionBen Rothke
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systemsBen Rothke
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about themBen Rothke
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeterBen Rothke
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity comBen Rothke
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligattBen Rothke
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothkeBen Rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperBen Rothke
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practicesBen Rothke
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010Ben Rothke
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeBen Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceBen Rothke
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswiftBen Rothke
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperBen Rothke
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)Ben Rothke
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010   Ben Rothke - social networks and information security Infotec 2010   Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security Ben Rothke
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke   Computer Forensics Show 2010   Deployment Strategies For Effective E...Rothke   Computer Forensics Show 2010   Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...Ben Rothke
 
Rothke stimulating your career as an information security professional
Rothke  stimulating your career as an information security professionalRothke  stimulating your career as an information security professional
Rothke stimulating your career as an information security professionalBen Rothke
 
Ben Rothke - Effective Data Destruction Practices
Ben Rothke - Effective Data Destruction PracticesBen Rothke - Effective Data Destruction Practices
Ben Rothke - Effective Data Destruction PracticesBen Rothke
 
Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke   Getting A Handle On Wireless Security For Pci Dss ComplianceBen Rothke   Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke Getting A Handle On Wireless Security For Pci Dss ComplianceBen Rothke
 

More from Ben Rothke (20)

E5 rothke - deployment strategies for effective encryption
E5   rothke - deployment strategies for effective encryptionE5   rothke - deployment strategies for effective encryption
E5 rothke - deployment strategies for effective encryption
 
Locking down server and workstation operating systems
Locking down server and workstation operating systemsLocking down server and workstation operating systems
Locking down server and workstation operating systems
 
Mobile security blunders and what you can do about them
Mobile security blunders and what you can do about themMobile security blunders and what you can do about them
Mobile security blunders and what you can do about them
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Lessons from ligatt from national cyber security nationalcybersecurity com
Lessons from ligatt   from national cyber security nationalcybersecurity comLessons from ligatt   from national cyber security nationalcybersecurity com
Lessons from ligatt from national cyber security nationalcybersecurity com
 
Lessons from ligatt
Lessons from ligattLessons from ligatt
Lessons from ligatt
 
Interop 2011 las vegas - session se31 - rothke
Interop 2011   las vegas - session se31 - rothkeInterop 2011   las vegas - session se31 - rothke
Interop 2011 las vegas - session se31 - rothke
 
Infosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. HooperInfosecurity Needs Its T.J. Hooper
Infosecurity Needs Its T.J. Hooper
 
Rothke effective data destruction practices
Rothke   effective data destruction practicesRothke   effective data destruction practices
Rothke effective data destruction practices
 
Rothke computer forensics show 2010
Rothke   computer forensics show 2010Rothke   computer forensics show 2010
Rothke computer forensics show 2010
 
The Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - RothkeThe Cloud is in the details webinar - Rothke
The Cloud is in the details webinar - Rothke
 
Webinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS ComplianceWebinar - Getting a handle on wireless security for PCI DSS Compliance
Webinar - Getting a handle on wireless security for PCI DSS Compliance
 
La nécessité de la dlp aujourd’hui un livre blanc clearswift
La nécessité de la dlp aujourd’hui   un livre blanc clearswiftLa nécessité de la dlp aujourd’hui   un livre blanc clearswift
La nécessité de la dlp aujourd’hui un livre blanc clearswift
 
The Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White PaperThe Need for DLP now - A Clearswift White Paper
The Need for DLP now - A Clearswift White Paper
 
Rothke secure360 building a security operations center (soc)
Rothke   secure360 building a security operations center (soc)Rothke   secure360 building a security operations center (soc)
Rothke secure360 building a security operations center (soc)
 
Infotec 2010 Ben Rothke - social networks and information security
Infotec 2010   Ben Rothke - social networks and information security Infotec 2010   Ben Rothke - social networks and information security
Infotec 2010 Ben Rothke - social networks and information security
 
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
Rothke   Computer Forensics Show 2010   Deployment Strategies For Effective E...Rothke   Computer Forensics Show 2010   Deployment Strategies For Effective E...
Rothke Computer Forensics Show 2010 Deployment Strategies For Effective E...
 
Rothke stimulating your career as an information security professional
Rothke  stimulating your career as an information security professionalRothke  stimulating your career as an information security professional
Rothke stimulating your career as an information security professional
 
Ben Rothke - Effective Data Destruction Practices
Ben Rothke - Effective Data Destruction PracticesBen Rothke - Effective Data Destruction Practices
Ben Rothke - Effective Data Destruction Practices
 
Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke   Getting A Handle On Wireless Security For Pci Dss ComplianceBen Rothke   Getting A Handle On Wireless Security For Pci Dss Compliance
Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance
 

Recently uploaded

Vp Girls near me Delhi Call Now or WhatsApp
Vp Girls near me Delhi Call Now or WhatsAppVp Girls near me Delhi Call Now or WhatsApp
Vp Girls near me Delhi Call Now or WhatsAppmiss dipika
 
NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...
NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...
NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...Amil baba
 
NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...
NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...
NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...Amil baba
 
Quantitative Analysis of Retail Sector Companies
Quantitative Analysis of Retail Sector CompaniesQuantitative Analysis of Retail Sector Companies
Quantitative Analysis of Retail Sector Companiesprashantbhati354
 
BPPG response - Options for Defined Benefit schemes - 19Apr24.pdf
BPPG response - Options for Defined Benefit schemes - 19Apr24.pdfBPPG response - Options for Defined Benefit schemes - 19Apr24.pdf
BPPG response - Options for Defined Benefit schemes - 19Apr24.pdfHenry Tapper
 
(中央兰开夏大学毕业证学位证成绩单-案例)
(中央兰开夏大学毕业证学位证成绩单-案例)(中央兰开夏大学毕业证学位证成绩单-案例)
(中央兰开夏大学毕业证学位证成绩单-案例)twfkn8xj
 
NO1 Certified Ilam kala Jadu Specialist Expert In Bahawalpur, Sargodha, Sialk...
NO1 Certified Ilam kala Jadu Specialist Expert In Bahawalpur, Sargodha, Sialk...NO1 Certified Ilam kala Jadu Specialist Expert In Bahawalpur, Sargodha, Sialk...
NO1 Certified Ilam kala Jadu Specialist Expert In Bahawalpur, Sargodha, Sialk...Amil Baba Dawood bangali
 
Governor Olli Rehn: Dialling back monetary restraint
Governor Olli Rehn: Dialling back monetary restraintGovernor Olli Rehn: Dialling back monetary restraint
Governor Olli Rehn: Dialling back monetary restraintSuomen Pankki
 
Current Economic situation of Pakistan .pptx
Current Economic situation of Pakistan .pptxCurrent Economic situation of Pakistan .pptx
Current Economic situation of Pakistan .pptxuzma244191
 
Tenets of Physiocracy History of Economic
Tenets of Physiocracy History of EconomicTenets of Physiocracy History of Economic
Tenets of Physiocracy History of Economiccinemoviesu
 
Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...
Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...
Amil Baba In Pakistan amil baba in Lahore amil baba in Islamabad amil baba in...amilabibi1
 
Economics, Commerce and Trade Management: An International Journal (ECTIJ)
Economics, Commerce and Trade Management: An International Journal (ECTIJ)Economics, Commerce and Trade Management: An International Journal (ECTIJ)
Economics, Commerce and Trade Management: An International Journal (ECTIJ)ECTIJ
 
Classical Theory of Macroeconomics by Adam Smith
Classical Theory of Macroeconomics by Adam SmithClassical Theory of Macroeconomics by Adam Smith
Classical Theory of Macroeconomics by Adam SmithAdamYassin2
 
fca-bsps-decision-letter-redacted (1).pdf
fca-bsps-decision-letter-redacted (1).pdffca-bsps-decision-letter-redacted (1).pdf
fca-bsps-decision-letter-redacted (1).pdfHenry Tapper
 
(办理原版一样)QUT毕业证昆士兰科技大学毕业证学位证留信学历认证成绩单补办
(办理原版一样)QUT毕业证昆士兰科技大学毕业证学位证留信学历认证成绩单补办(办理原版一样)QUT毕业证昆士兰科技大学毕业证学位证留信学历认证成绩单补办
(办理原版一样)QUT毕业证昆士兰科技大学毕业证学位证留信学历认证成绩单补办fqiuho152
 
Bladex 1Q24 Earning Results Presentation
Bladex 1Q24 Earning Results PresentationBladex 1Q24 Earning Results Presentation
Bladex 1Q24 Earning Results PresentationBladex
 
The Triple Threat | Article on Global Resession | Harsh Kumar
The Triple Threat | Article on Global Resession | Harsh KumarThe Triple Threat | Article on Global Resession | Harsh Kumar
The Triple Threat | Article on Global Resession | Harsh KumarHarsh Kumar
 
call girls in Nand Nagri (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in  Nand Nagri (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in  Nand Nagri (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Nand Nagri (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Managing Finances in a Small Business (yes).pdf
Managing Finances  in a Small Business (yes).pdfManaging Finances  in a Small Business (yes).pdf
Managing Finances in a Small Business (yes).pdfmar yame
 

Recently uploaded (20)

Vp Girls near me Delhi Call Now or WhatsApp
Vp Girls near me Delhi Call Now or WhatsAppVp Girls near me Delhi Call Now or WhatsApp
Vp Girls near me Delhi Call Now or WhatsApp
 
NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...
NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...
NO1 WorldWide Genuine vashikaran specialist Vashikaran baba near Lahore Vashi...
 
NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...
NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...
NO1 Certified Amil Baba In Lahore Kala Jadu In Lahore Best Amil In Lahore Ami...
 
Quantitative Analysis of Retail Sector Companies
Quantitative Analysis of Retail Sector CompaniesQuantitative Analysis of Retail Sector Companies
Quantitative Analysis of Retail Sector Companies
 
BPPG response - Options for Defined Benefit schemes - 19Apr24.pdf
BPPG response - Options for Defined Benefit schemes - 19Apr24.pdfBPPG response - Options for Defined Benefit schemes - 19Apr24.pdf
BPPG response - Options for Defined Benefit schemes - 19Apr24.pdf
 
(中央兰开夏大学毕业证学位证成绩单-案例)
(中央兰开夏大学毕业证学位证成绩单-案例)(中央兰开夏大学毕业证学位证成绩单-案例)
(中央兰开夏大学毕业证学位证成绩单-案例)
 
NO1 Certified Ilam kala Jadu Specialist Expert In Bahawalpur, Sargodha, Sialk...

Best Practices For PCI Compliance

BEST PRACTICES: DATA SECURITY • By Bryan Johnson and Ben Rothke

Best Practices for PCI Compliance

PCI, like most information security fundamentals, is simply focused on attention to detail and risk management.

By now, most IT managers are familiar enough with the PCI Data Security Standard (PCI DSS) to know it is a requirement if they want to process credit cards. What frightens many of these managers is that they are wading into unfamiliar territory and are nervous that PCI will consume a significant amount of their staff's time and their department's budget.

But even the most expensive PCI project still pales in comparison to the cost of even a single significant data breach. A single breach can cost millions of dollars to clean up and tens of millions of dollars in long-term costs.

TJX Companies, for example, is now the poster child for how to do things wrong when it comes to a breach. The company announced earlier this year that it took a $12 million loss, equal to 3 cents per share, because more than 40 million credit and debit card numbers were stolen from its systems during an 18-month period. That theft is one of the largest reported customer data breaches to date.

The $12 million in losses was for costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal and other fees. TJX also reported that it would continue incurring these types of costs related to the intrusion.

With a comprehensive and formal security program in place, one that supported the specific PCI requirements relevant to its business, chances are TJX would not be in the situation it is in now: facing myriad lawsuits. TJX violated numerous basic security guidelines and various PCI requirements, all of which had a direct financial impact on its earnings.

Understanding PCI Compliance

Businesses that process credit cards fall into one of four PCI merchant levels based on their annual processing volumes. All levels are held to the same PCI DSS technical requirements; they differ only in how compliance must be validated:

Level 1: More than 6 million transactions annually across all channels, including e-commerce.
Requirement: Annual on-site PCI data security assessment and quarterly network scans.

Level 2: 1 million to 6 million transactions annually.
Requirement: Annual self-assessment and quarterly network scans.

Level 3: 20,000 to 1 million e-commerce transactions annually.
Requirement: Annual self-assessment and quarterly network scans.

Level 4: Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually across all channels.
Requirement: Annual self-assessment and annual network scans.

BizTechMagazine.com • December 2007 • 53
The following are the 12 PCI DSS requirements:

1) Install and maintain a firewall configuration to protect data. Note that there is no such thing as a "PCI-compliant firewall." PCI Requirement 1.1 is intended to ensure that companies put a firewall configuration policy in place and also develop a configuration test methodology. The merchant must then configure the firewall accordingly to protect cardholder data; most firewalls can be configured for that need.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.
3) Protect stored data.
4) Encrypt transmission of cardholder data and sensitive information across public networks.
5) Use and regularly update antivirus software.
6) Develop and maintain secure systems and applications.
7) Restrict access to data by business need to know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test security systems and processes.
12) Maintain a policy that addresses information security.

A quick review of these 12 requirements shows nothing close to revolutionary. In fact, the PCI DSS is simply basic computer security.

Security Frameworks

The best way to ensure PCI compliance is to have a security framework in place. A security framework (such as ISO 17799, now ISO/IEC 27002, or the Information Technology Infrastructure Library, ITIL) encompasses the assumptions, concepts, risk values and security practices underlying an organization's information security infrastructure. Frameworks are invaluable because today's enterprise security projects are likely to be more complex than those of years past. In addition, standards and regulations (the category PCI falls into) enable organizations to demonstrate compliance. Adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations such as Sarbanes-Oxley. And an effective framework makes PCI compliance significantly easier to attain.

PCI Best Practices

This article doesn't detail all the myriad best practices for PCI compliance. But executing the following steps will ensure your PCI project runs much more smoothly.

1) Gap analysis
• Gap analysis is a natural starting point for any PCI endeavor.
• Determine whether each requirement is adequately addressed for every in-scope system.
• Complete the PCI Self-Assessment Questionnaire (SAQ) from the PCI Security Standards Council. The SAQ is divided into six sections, each focusing on a specific area of security, based on the DSS requirements. After completing the SAQ, you should have a fairly good idea of which controls and tools are in place and which are not.

2) Policies and procedures
• Establish policies and procedures to limit the storage and retention time of PCI data.

3) Data discovery
• Know exactly where all your relevant PCI data is.
• Identify all payment acceptance channels, data flows and locations where PCI data is stored.

4) Create a process for data encryption
• Far too many merchants send unencrypted credit card data via e-mail. Create a program for encrypting data.

5) Don't store track data
• Merchants are prohibited from storing track data after authorization, even in encrypted form. Track data is the information encoded in the magnetic stripe on the back of a credit card, which is read by a point-of-sale (POS) system.
• Some POS systems have been collecting this information without the merchant knowing. Hackers find out which POS systems store this information and then target the retailers who use that particular system.
• Additionally, merchants have misunderstood what information they actually need in order to process transactions.
• Most POS vendors with systems that capture and store that information have been scrambling to make sure they and their customers are making the appropriate adjustments to become PCI compliant.

6) Unsecured wireless
• Merchants should not use unsecured wireless networks to transmit cardholder data.

7) Training
• PCI training is a must. Not every staff member needs to be a PCI Qualified Security Assessor (QSA), but they do need a formal training program on what they have to do to ensure they are handling credit card data in a manner that supports the PCI requirements.

8) POS modification
• POS systems can be the Achilles' heel of a PCI effort.
• Ensure that POS devices are not storing full card data, especially the card verification value/code (CVV2/CVC2), which, like track data, must never be retained after authorization.
• The full primary account number (PAN) should never appear on any hard-copy output; receipts should show at most the first six and last four digits.

9) Physical security
• Ensure appropriate physical security of systems and associated peripherals. Verify that there is no unauthorized physical access.

10) Logging
• Regularly review system security and audit logs. Requirement 10 calls for all access to cardholder data to be logged and for the logs to be reviewed at least daily.

PCI, like the fundamentals of information security, is simply a matter of attention to detail and risk management. By attending to those core elements, combined with best practices, you will significantly increase your ability to obtain PCI compliance.

Bryan Johnson (bryan.johnson@getbraintree.com) is the founder and CEO of Braintree Payment Solutions, an end-to-end provider of payment processing solutions. Ben Rothke (ben.rothke@bt.com), CISSP, QSA, is a security consultant with BT INS and author of Computer Security: 20 Things Every Employee Should Know.
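Requirement 1 above asks for a firewall configuration policy and a configuration test methodology. The following is an added example of such a test, not code from the article or from Braintree or BT: it parses an iptables-save dump and reports rules that let traffic into the cardholder data environment (CDE) from any source or without a protocol and port, rules that let the CDE reach any destination, and chains whose default policy is not DROP. The CDE range 10.10.0.0/24, the peer addresses and both rule sets are constructed for the example; the "weak" set carries the mistakes, the "fixed" set is the same policy corrected.

```python
"""Configuration test for the firewall in front of the cardholder data environment.

Added example for Requirement 1's "configuration test methodology"; it is not
code from the BizTech article or from Braintree or BT. It reads an
iptables-save dump and reports rules that violate the policy below. The CDE
range, the peer addresses and both rule sets are constructed for the example.
"""
import ipaddress

CDE = ipaddress.ip_network("10.10.0.0/24")   # assumed cardholder data segment
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed dump with the weak settings: a permissive FORWARD policy, an
# "any source" rule into the CDE and an "any destination" rule out of it.
WEAK_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 203.0.113.0/24 -d 10.10.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.10.0.0/24 -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 0.0.0.0/0 -j ACCEPT
COMMIT
"""

# The same dump corrected: default deny, only named peers with a protocol and
# port, and CDE egress limited to the (assumed) payment processor host.
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 203.0.113.0/24 -d 10.10.0.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -d 198.51.100.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""


def parse(dump):
    """Return ({chain: default policy}, [rule dicts]) from an iptables-save dump."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A"):
            toks = line.split()
            if "!" in toks:
                # A negated match cannot be modelled here; fail loudly rather
                # than let the rule pass unchecked.
                raise ValueError(f"negated match not supported: {line}")
            rule = {"chain": toks[1], "src": ANY, "dst": ANY, "proto": None,
                    "dport": None, "state": None, "target": None}
            # Every option used in these dumps takes exactly one value.
            for opt, val in zip(toks[2::2], toks[3::2]):
                if opt == "-s":
                    rule["src"] = ipaddress.ip_network(val, strict=False)
                elif opt == "-d":
                    rule["dst"] = ipaddress.ip_network(val, strict=False)
                elif opt == "-p":
                    rule["proto"] = val
                elif opt == "--dport":
                    rule["dport"] = val
                elif opt == "--state":
                    rule["state"] = set(val.split(","))
                elif opt == "-j":
                    rule["target"] = val
            rules.append(rule)
    return policies, rules


def check(dump):
    """Return a list of policy violations (empty when the rule set passes)."""
    policies, rules = parse(dump)
    problems = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            problems.append(f"{chain} default policy is {policies.get(chain)}, not DROP")
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        if r["state"] and "NEW" not in r["state"]:
            continue        # return traffic for connections already permitted
        where = f"{r['chain']} {r['src']} -> {r['dst']}"
        from_cde = r["src"].subnet_of(CDE)
        into_cde = not from_cde and r["dst"].overlaps(CDE)
        if into_cde and r["src"] == ANY:
            problems.append(f"{where}: inbound to CDE from any source")
        if into_cde and not (r["proto"] and r["dport"]):
            problems.append(f"{where}: inbound to CDE not limited to a protocol and port")
        if from_cde and r["dst"] == ANY:
            problems.append(f"{where}: unrestricted outbound from CDE")
    return problems


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        problems = check(dump)
        print(f"{name}: {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run against a live host with `iptables-save | python3 fwcheck.py` after replacing the constructed dumps with `sys.stdin.read()`; the point of the design is that anything the checker cannot model (here, a negated match) makes the test fail rather than pass, so a rule set only passes when every rule has been understood.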
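Best-practice items 3, 5 and 8 above (data discovery, not storing track data, and POS devices holding full card data or verification codes) all come down to finding cardholder data where it should not be. The following is an added example of such a discovery sweep, not code from the article or from Braintree or BT. It runs over a constructed application log and receipt line, finds candidate PANs and keeps only those that pass the Luhn check (which rejects most order numbers and timestamps), recognises raw track 1 and track 2 data and stored CVV fields, and reports every hit masked to the first six and last four digits so the report itself does not become another place cardholder data is stored. The card numbers are the public Visa and MasterCard test numbers.

```python
"""Cardholder-data discovery sweep over text (logs, exports, receipts).

Added example for the data-discovery, track-data and POS-modification items;
it is not code from the BizTech article or from Braintree or BT. The sample
lines are constructed, and the card numbers are the public Visa/MasterCard
test numbers, which satisfy the Luhn check but are not real accounts.
"""
import re
from dataclasses import dataclass

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run (which already rejects most IDs).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Magnetic-stripe track data as written by a POS that stores the raw swipe:
# track 1 is "%B<PAN>^<NAME>^<YYMM>...", track 2 is ";<PAN>=<YYMM>...".
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
# A stored card verification value/code field (CVV2/CVC2/CID).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the usual receipt format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str       # "pan", "track1", "track2" or "cvv"
    masked: str     # never the cleartext value, so the report is safe to keep


def scan(lines):
    """Return every cardholder-data finding in the given lines, in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        seen = set()    # PANs already reported as part of track data on this line
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                seen.add(m.group(1))
                findings.append(Finding(n, kind, mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if digits not in seen and luhn_ok(digits):
                findings.append(Finding(n, "pan", mask_pan(digits)))
        for m in CVV_RE.finditer(line):
            findings.append(Finding(n, "cvv", re.sub(r"\d", "*", m.group(0))))
    return findings


def prohibited_storage(findings):
    """Track data and verification codes may not be kept at all after
    authorization, even encrypted; a PAN may be kept only if rendered unreadable."""
    return [f for f in findings if f.kind in ("track1", "track2", "cvv")]


# Constructed sample: POS and web application log lines plus a receipt line.
SAMPLE_LINES = [
    "2007-11-02 10:14:03 pos01 auth ok card=4111111111111111 amt=19.99",
    "2007-11-02 10:14:05 pos01 swipe %B5555555555554444^DOE/JOHN^2512101?",
    "2007-11-02 10:15:11 pos02 swipe ;4111111111111111=2512101123?",
    "2007-11-02 10:16:00 web order=1234567890123 status=shipped",
    "2007-11-02 10:17:30 web auth card=5555555555554444 cvv=123 approved",
    "RECEIPT card 411111******1111 auth 0042",
]

if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for f in found:
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
    print(f"{len(prohibited_storage(found))} finding(s) that must not be stored at all")
```

Line 4's 13-digit order number is matched by the PAN pattern but dropped by the Luhn check, and line 6's already-masked receipt produces nothing, which is the behaviour you want before pointing this at a file share or database export: the sweep should be noisy about raw swipes and verification codes and quiet about everything else.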