Prior to the creation of the joint compliance program PCI DSS, each of the major credit card companies had its own program. JCB, Discover, Visa, MasterCard, and American Express ran similar programs for data security. These security measures for stored, processed and transmitted cardholder data were an added level of security for merchants and their clients. The major card companies formed the Payment Card Industry Security Standards Council (PCI SSC) in 2004, and developed the Payment Card Industry Data Security Standard (PCI DSS).
The standards have been revised since their inception as a result of the constantly changing credit card payment industry. The technology is constantly improving, those who commit fraud with it are constantly improving their techniques, and the card payment industry recognizes this. The PCI standard was updated to version 1.1 in September 2006, and version 1.2 is planned for release in October 2008 with revisions and clarifications of version 1.0. The standards derived from the PCI DSS include PABP and PA-DSS. The PCI SSC has also released supplemental pieces of information, including Information Supplement: Requirement 11.3 Penetration Testing, Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified, and Navigating the PCI SSC - Understanding the Intent of the Requirements. These supplemental works clarify various requirements.
Top credit card processing companies offer assistance to their merchants in attaining and maintaining compliance. Periodically a merchant's compliance is audited by companies that are PCI DSS Qualified Security Assessors (QSAs). Both credit card processing companies and merchants validate their compliance periodically, and compliance is only determined by Qualified Security Assessors who are approved by the PCI council. Smaller merchants, once they have attained compliance, may instead complete a self-assessment questionnaire, provided they process fewer than 80,000 transactions per year.
PCI compliance is achieved when all of the security requirements are met. Those twelve requirements are organized into six groups. These six groups, called "control objectives", logically set out the required steps.
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Recognizing that wireless LANs and public networks are exposed to security breaches, PCI DSS provides two security guidelines to prevent breaches entering from wireless networks used in any environment containing credit card data:
• Firewall segmentation between wireless networks and the point of sale networks, or any network that comes in contact with credit card information.
• Use of wireless analyzers (a.k.a. a Wireless Intrusion Detection System) to detect any unauthorized wireless devices and attacks.
The Payment Card Industry Security Standards Council outlines the PCI DSS Best Practices as follows:
1. Develop an internal policy for the communication between internal and external systems. Use an automated solution to identify consistent configurations.
2. Implement a consistent strategy for end-to-end encryption of all of your ERP communication - including integrated 3rd party solutions.
3. Implement a continuous automated vulnerability management system for your ERP configuration.
4. Develop a strong authentication method for access to cardholder information on a need-to-know basis. Strong authentication could be done through single sign-on.
5. Create multi-factor authentication for management and access to cardholder information. For example, using a smartcard along with username and password.
6. Implement a control process so that auditing is always enabled.
7. Make sure you also have a formal testing process for your control process, to manage data risk and to lower IT audit costs.
PCI DSS compliance applies to ALL merchants and service providers who accept or process credit cards. A single violation of any of the 12 major PCI DSS requirements can result in an overall non-compliant status. Non-compliance can, and most likely will, result in fines, suspension, and loss of credit card processing privileges. To many small business owners, accepting credit cards is the difference between success and utter failure. To remain competitive in today's cashless society, a merchant must accept credit cards.
Don't hesitate; find a top credit card processing company that will assist you in creating and maintaining low-cost PCI compliance.
UPDATE
The next revision of the PCI Data Security Standard (DSS) likely will feature clarifications and guidance documents but no major changes, says PCI Security Standards Council (SSC) general manager Bob Russo.