This is a two-part article that looks at PCI DSS and the means of achieving compliance through an effective PCI compliance management solution. PCI DSS, which stands for Payment Card Industry Data Security Standard, is a proprietary information security standard for organizations, developed by the Payment Card Industry Security Standards Council. In view of the rampant rise in credit card fraud, the standard sets out requirements that every organization handling cardholder information is obliged to comply with. PCI DSS compliance is required for the major debit, credit, prepaid, e-purse, ATM and POS card brands.

Given below are the 6 control objectives and the 12 PCI DSS requirements.

Build and Maintain a Secure Network
* Install and maintain a firewall configuration to protect cardholder data
* Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
* Protect stored cardholder data
* Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
* Use and regularly update anti-virus software on all systems commonly affected by malware
* Develop and maintain secure systems and applications

Implement Strong Access Control Measures
* Restrict access to cardholder data by business need-to-know
* Assign a unique ID to each person with computer access
* Restrict physical access to cardholder data

Regularly Monitor and Test Networks
* Track and monitor all access to network resources and cardholder data
* Regularly test security systems and processes

Maintain an Information Security Policy
* Maintain a policy that addresses information security

Validation of PCI DSS compliance is done annually. Organizations that handle large volumes of transactions are assessed by an external Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC).
Companies that handle smaller volumes instead complete the Self-Assessment Questionnaire (SAQ). In reality, however, although most companies are achieving PCI DSS compliance, many show laxity in maintaining it. Here is a look at some of the negligence on the part of merchants and business owners:

* Encryption is often inconsistent across a company's systems: credit card data may be protected in some places but not in others.
* Some companies store credit card data unnecessarily and, making matters worse, fail to keep that data from travelling across less secure parts of the network.
* Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where malicious hackers or anyone else without authorization are trying to access credit card data.
* Some companies do not conduct regular scans for software vulnerabilities and abnormal activity.
* Companies that thought they were all set after complying with regulations such as the Sarbanes-Oxley Act and HIPAA/HITECH discovered that their controls were not adequate to meet PCI DSS.

In the second and concluding part of this article, we will look at the best means of ensuring PCI DSS compliance.