The Payment Card Industry Data Security Standard has changed, and so should you
Does your organization process credit or debit cards in a point–of–sale (POS) environment? Do you have an e–commerce site where you take credit–card numbers over the Internet? Do you know how the Payment Card Industry Data Security Standard (PCI DSS) has changed, whether you’re in compliance and what steps to take if you’re not? Do you even know about the PCI DSS?
In this environment of identity theft and credit–card fraud, these are critical questions. Headlines in the business section scream about security breaches that released thousands of credit–card numbers to unauthorized users. As a result, the companies are, and will continue to be, involved in lawsuits and will be fined huge amounts of money. Additionally, they lose the confidence of their customers, who will likely take their business elsewhere.
This article will identify PCI DSS, show the different PCI compliance levels and describe the new requirements. It’s a topic you may want to brush up on if you’re open to the risk of handling credit–card numbers.
PCI DSS Basic Requirements
The basic requirements for adherence to the PCI DSS are identified below. Six control categories encompass the 12 requirements.
1. Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor–supplied defaults for system passwords and other security parameters.
2. Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management program
- Use and regularly update anti–virus software.
- Develop and maintain secure systems and applications.
4. Implement strong access control measures
- Restrict access to cardholder data by business need–to–know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an information security policy
- Maintain a policy that addresses information security.
Are these requirements difficult to attain? Some of them certainly are—each one can have dozens of sub– and sub– sub–requirements. Complying may require substantial changes to your application software and business practices. However, it’s important to continuously attempt to meet these requirements. This is the best method (short of not accepting payment cards) that an organization can use to reduce its exposure to credit–card and identity theft.
It’s important to understand PCI DSS and the new compliance changes, which should help you boost your data protection with more reasonable SAQs.
Search our new 2013 Buyer's Guide.
Technical Corner | The problematic nature of PCI-compliance application integration makes research, analysis and planning important. It can also greatly simplify and reduce the effort involved.
Trends | The Payment Card Industry Data Security Standard has changed, and so should you