Ensuring PCI DSS Compliance – Part 1

This is a two-part article that looks at PCI DSS and the means of achieving compliance through an effective PCI compliance management solution.

PCI DSS, which stands for Payment Card Industry Data Security Standard, is a proprietary information security standard for organizations, developed by the Payment Card Industry Security Standards Council. In view of the rampant rise in credit card fraud, the standard sets out requirements that every organization handling cardholder information must comply with, without exception. PCI DSS compliance is necessary for major debit, credit, prepaid, e-purse, ATM, and POS cards.

Given below are the 6 control objectives and the 12 PCI DSS requirements.

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

The validation of PCI DSS compliance is done annually. For organizations that handle large volumes of transactions, an external Qualified Security Assessor (QSA) creates a Report on Compliance (ROC). Companies that handle smaller volumes, on the other hand, have to complete the Self-Assessment Questionnaire (SAQ).

However, in reality, though most companies are achieving PCI DSS compliance, many show laxity when it comes to it. Here is a look at some of the negligence on the part of merchants and business owners:

  • Encryption is often inconsistent across a company's computer systems: credit card data may be protected in some instances, but not in others.
  • Some companies unnecessarily store credit card data and, making matters worse, fail to isolate the data from travelling across less secure parts of the network.
  • Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone without authorization are trying to access credit card data.
  • Some companies do not conduct regular scans for software vulnerabilities and abnormal activity.
  • Companies that thought they were all set after complying with regulations such as the Sarbanes-Oxley Act and HIPAA/HITECH discovered that their controls were not adequate to meet the PCI DSS.

In the second and concluding part of this article, we will look at the best means of ensuring PCI DSS compliance.