Why was PCI DSS developed?
Privacy and security breaches involving credit card transactions pose a clear danger to credit card companies and financial institutions. The PCI DSS standard was developed at the urging of large credit card companies to help organizations that process credit card payments to prevent privacy and security breaches through hacking and other means. The standard became mandatory for all companies that process credit card payments in 2008.
Companies that are not PCI compliant can be subject to heavy fines enforced by the credit card companies. Fines may be as high as $500,000 per privacy and security breach if merchants are discovered to be non-compliant. For example, in 2006, Visa alone levied almost $5 million in fines. In 2007, Visa levied a $880,000 penalty against the bank involved with TJX’s privacy and security breach. In the worst case scenario, merchants could also risk losing the ability to process customers’ credit card transactions. PCI DSS helps facilitate the broad adoption of consistent data security measures around the world. The standard helps assure customers using credit cards that the steps are in place to protect their information and privacy, which is under threat from cyber criminals.
StealthAUDIT and our new Data and Access Governance Solutions help fulfill requirements and augment processes for organizations with a Microsoft-based infrastructure. It will also verify on a constant basis that many of the requirements are in place, configured properly, and operating as expected. PCI DSS has 6 main categories and 12 requirements.
6 PCI Categories:
- Build and maintain a secure network – Organizations must install and maintain a firewall configuration to protect cardholder data. As well, they should not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data – Organizations are required to protect stored cardholder data and encrypt transmission of that data across open and public networks.
- Maintain a vulnerability management program – Organizations must use and regularly update anti-virus software. PCI rules mandate that organizations develop and maintain secure systems and applications that protect against known vulnerabilities that hackers can exploit.
- Implement strong access control measures – Access to cardholder data by business must only be restricted to those with a need-to-know basis. Every member of your organization with computer access should be given a unique ID. As well, steps must be taken to restrict physical access to cardholder data. For instance, physical locks and security personnel may be required to secure access to rooms with databases or servers containing credit card information.
- Regularly monitor and test networks – PCI-compliant organizations must track and monitor access to network assets and cardholder data. This will not only improve security, but also help identify the cause of a breach should it occur. Security systems and processes must be regularly tested to ensure their ongoing effectiveness.
- Maintain an information security policy – It is not enough to have technology tools like a firewall or network audit applications to protect private information. Improper handling of information by untrained staff is a huge security vulnerability. Security policies must be developed, implemented and regularly updated.
12 Requirements (italics where the SMP directly applies to fulfilling or verifying compliance):
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Learn more about how STEALTHbits addresses PCI compliance here!
References:
PCI Standards Council: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
PCI Compliance – Cheat Sheet: https://jamynigri.blogspot.com/2008/08/pci-compliance-cheat-sheet.html
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Leave a Reply