Best Practices For PCI Compliance

Article from Biz Tech Magazine - Best Practices for PCI Compliance. Ben Rothke & Bryan Johnson.

PCI, like most information security fundamentals, is simply focused on attention to detail and risk management.


By now, most IT managers are familiar enough with the PCI Data Security Standard (PCI DSS) to know it is a requirement if they want to process credit cards. What frightens many of these managers is that they are wading into unfamiliar territory and are nervous that PCI will consume a significant amount of their staff's time and their department's budget.

But even the most expensive PCI project pales in comparison to the cost of a single significant data breach. One breach can cost millions of dollars to clean up and tens of millions of dollars in long-term costs.

TJX Companies, for example, is now the poster child for how to do things wrong when it comes to a breach. The company announced earlier this year that it took a $12 million loss, equal to 3 cents per share, because more than 40 million credit and debit card numbers were stolen from its systems over an 18-month period. That theft is one of the largest reported customer data breaches to date.

The $12 million in losses covered the costs incurred to investigate and contain the intrusion, improve computer security and systems, and communicate with customers, as well as technical, legal and other fees. TJX also reported that it would continue to incur these types of costs related to the intrusion.

With a comprehensive and formal security program in place, one that supported the specific PCI requirements relevant to its business, chances are TJX would not be in the situation it is in now: facing myriad lawsuits. TJX violated numerous basic security guidelines and various PCI requirements, all of which had a direct financial impact on its earnings.

Understanding PCI Compliance

Businesses that process credit cards fall into one of four PCI merchant levels based on their annual processing volume. All levels are held to the same PCI DSS technical requirements; what differs is how compliance must be validated:

Level 1: More than 6 million transactions annually across all channels, including e-commerce.
Requirement: Annual on-site PCI Data Security Assessment and quarterly network scans.

Level 2: 1 million to just shy of 6 million transactions annually.
Requirement: Annual self-assessment and quarterly network scans.

Level 3: 20,000 to 1 million e-commerce transactions annually.
Requirement: Annual self-assessment and quarterly network scans.

Level 4: Fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually across all channels.
Requirement: Annual self-assessment and annual network scans.
The following are the 12 PCI DSS requirements:

1) Install and maintain a firewall configuration to protect data. Note that there is no such thing as a "PCI-compliant firewall." PCI Requirement 1.1 is intended to ensure that companies put a firewall configuration policy in place and also develop a methodology for testing that configuration. A merchant must configure the firewall to protect cardholder data; most firewalls can be configured for that need.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.
3) Protect stored data.
4) Encrypt transmission of cardholder data and sensitive information across public networks.
5) Use and regularly update antivirus software.
6) Develop and maintain secure systems and applications.
7) Restrict access to data by business need to know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test security systems and processes.
12) Maintain a policy that addresses information security.

A quick review of these 12 requirements shows nothing close to revolutionary. In fact, the PCI DSS is simply basic computer security.

Security Frameworks

The best way to ensure PCI compliance is to have a security framework in place. A security framework (such as ISO 17799, now ISO/IEC 27002, or the Information Technology Infrastructure Library) encompasses the assumptions, concepts, risk values and security practices underlying an organization's information security infrastructure. Frameworks are invaluable because today's enterprise security projects are likely to be more complex than those of years past. In addition, standards and regulations (the category PCI falls into) enable organizations to demonstrate compliance. Adherence to a recognized security framework can bolster your case that you are in compliance with sweeping and often vaguely defined new laws and regulations such as Sarbanes-Oxley. Of course, an effective framework also makes PCI compliance significantly easier to achieve.

PCI Best Practices

This article doesn't detail all the myriad best practices for PCI compliance. But executing the following steps will make your PCI project run much more smoothly.

1) Gap Analysis
• Gap analysis is a natural starting point for any PCI endeavor.
• Determine whether each requirement is adequately addressed for every in-scope system.
• Complete the PCI Self-Assessment Questionnaire (SAQ) from the PCI Security Standards Council. The SAQ is divided into six sections, each focusing on a specific area of security, based on the DSS requirements. After completing the SAQ, you should have a fairly good idea of which controls and tools are in place and which are not.

2) Policies/Procedures
• Establish policies and procedures that limit the storage and retention time of PCI data.

3) Data Discovery
• Know exactly where all your relevant PCI data is.
• Identify all payment acceptance channels, data flows and locations where PCI data is stored.

4) Create a Process for Data Encryption
• Far too many merchants send unencrypted credit card data via e-mail. Create a program for encrypting data.

5) Don't Store Track Data
• Merchants are prohibited from storing track data after authorization, even in encrypted form. Track data is the information encoded on the magnetic stripe on the back of a credit card, which is read by a point-of-sale (POS) system.
• Some POS systems have been collecting this information without the merchant knowing. Hackers find out which POS systems store this information and then target the retailers who use that particular system.
• Additionally, merchants have misunderstood what information they actually need in order to process transactions.
• Most POS vendors whose systems capture and store that information have been scrambling to make sure they and their customers are making the appropriate adjustments to become PCI compliant.

6) Unsecured Wireless
• Merchants should not use unsecured wireless networks to transmit data.

7) Training
• PCI training is a must. Not every staff member needs to be a PCI Qualified Security Assessor (QSA). But they do need a formal training program on what they have to do to ensure they are handling credit card data in a manner that supports the PCI requirements.

8) POS Modification
• POS systems can be the Achilles' heel of a PCI effort.
• Ensure that POS devices are not storing full card data, especially the Card Validation Value/Code (CVV2/CVC2).
• The full credit card number (the primary account number, or PAN) should never appear on any hard-copy output. Where a card number must be shown, mask it to no more than the first six and last four digits.

9) Physical Security
• Ensure appropriate physical security of systems and associated peripherals. Verify that no unauthorized physical access is possible.

10) Logging
• Regularly review system security and audit logs.

PCI, like the fundamentals of information security, is simply a matter of attention to detail and risk management. By attending to those core elements, combined with best practices, you will significantly increase your ability to obtain PCI compliance.

Bryan Johnson (bryan.johnson@getbraintree.com) is the founder and CEO of Braintree Payment Solutions, an end-to-end provider of payment processing solutions. Ben Rothke, CISSP, QSA, is a security consultant with BT INS and author of Computer Security: 20 Things Every Employee Should Know.

BizTech Magazine, December 2007
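The data discovery, track-data and POS steps above all come down to one practical question: does cardholder data sit somewhere it should not, and if a card number must be shown, is it masked? The following is an added example written for this page, not code from the article or its authors. It scans text such as POS logs or report output for primary account numbers (PANs) and for magnetic-stripe track data, reports every PAN only in masked form (first six, last four), and rewrites a line the way a PCI-safe log or receipt line should look. The log lines are constructed, the card numbers are the widely published industry test numbers, and the function names are this example's own.

```python
"""
Cardholder-data discovery and PAN masking (added example, not from the article).

Finds PANs (13-19 digits passing the Luhn check) and Track 1 / Track 2
magnetic-stripe data, which PCI DSS forbids storing after authorization,
and never returns a PAN in the clear.  All sample data is constructed.
"""
import re

# A PAN is 13-19 contiguous digits, or the common 4-4-4-4 / 4-6-5 groupings
# with a single space or hyphen between groups.  The lookarounds stop a PAN
# from being read out of the middle of a longer digit run.
PAN_RE = re.compile(
    r"(?<!\d)(?:\d{13,19}|\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)"
)
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out most order numbers, phone numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN the way PCI DSS permits it to be displayed: first six, last four."""
    if not 13 <= len(pan) <= 19 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Findings for one line.  Track data is reported first, and the PAN embedded
    in it is not reported a second time.  PANs leave this function masked only."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append({"kind": kind, "pan": mask_pan(m.group(1)),
                             "expiry": m.group(3 if kind == "track1" else 2),
                             "offset": m.start()})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"kind": "pan", "pan": mask_pan(digits), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def scan_text(text: str) -> list:
    """Scan a multi-line blob; each finding carries its 1-based line number."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        for f in scan_line(line):
            out.append({"line": n, **f})
    return out


def redact_line(line: str) -> str:
    """What a PCI-safe log or receipt line should look like: track data removed
    outright, every Luhn-valid PAN masked, everything else untouched."""
    line = TRACK1_RE.sub("[TRACK1 REMOVED]", line)
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    return PAN_RE.sub(_mask, line)


# Constructed sample: a POS log whose debug mode leaks track data.  The order
# and customer numbers on the last line fail Luhn and must not be reported.
SAMPLE_LOG = """\
2007-12-05 10:14:02 pos01 sale amount=42.17 pan=4111 1111 1111 1111 exp=1208 auth=OK
2007-12-05 10:14:09 pos01 debug track2=;4111111111111111=1208101123456789?
2007-12-05 10:15:33 pos02 sale amount=9.99 pan=378282246310005 exp=0909 auth=OK
2007-12-05 10:16:41 pos02 debug track1=%B5555555555554444^DOE/JANE^09091011234567890?
2007-12-05 10:17:00 pos03 order=1234567890123 customer=0800123456789 auth=DECLINED
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG):
        print(finding)
    for raw in SAMPLE_LOG.splitlines():
        print(redact_line(raw))
```

Run against the sample, the scanner reports a masked PAN on lines 1 and 3 and flags lines 2 and 4 as track data, which is the finding that matters most in a gap analysis: a POS system that writes the stripe to a debug log is storing sensitive authentication data whether or not anyone intended it. The Luhn check is what keeps the order and customer numbers on line 5 out of the report; a digit-count regex alone would have flagged both.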