The PCI DSS Standards For Information Security
Standards for information security in today's fast-paced business environment will keep growing and evolving as the tactics and techniques of hackers and other criminals evolve. The PCI DSS (Payment Card Industry Data Security Standard) was created by the five major payment card brands, acting through the PCI Security Standards Council, as a common standard by which merchants can establish and maintain a secure environment for their customers' card data.
The PCI DSS is a set of 12 requirements that any merchant that processes, stores, or transmits cardholder data must adhere to. These requirements are not all easy, nor are they necessarily cheap to implement. They are, however, necessary.
So what, exactly, are the information security requirements of the PCI DSS? Some are simpler than others, some are (or should be) common sense, and others are more involved. The less obvious ones are in the standard precisely because merchants tend to overlook them and attackers tend to target them.
We'll begin with the more obvious requirements. The first and second requirements are about building and maintaining a secure network: installing and maintaining a firewall configuration that protects cardholder data, and never leaving vendor-supplied defaults in place for system passwords and other security settings. Firewalls matter for information security because they give you control over the traffic that can get into or out of your systems. Vendor default passwords are published and widely known in the attacker community, so any system still using one is effectively unprotected.
The next two requirements involve protecting cardholder data. Requirement 3 covers stored data: keep what you store to a bare minimum, never retain sensitive authentication data (full magnetic-stripe contents, card verification codes, PINs) after a transaction is authorized, and render the primary account number unreadable wherever it is stored, whether by truncation, tokenization, strong encryption or a keyed hash. Requirement 4 is where it gets more complex: every transmission of cardholder data across open, public networks must be encrypted with strong cryptography.
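The following is an added example, not code from the original article or from any card brand, showing the stored-data side of this requirement in practice: a transaction record is reduced to what may be kept (sensitive authentication data dropped, the PAN replaced by a masked form and a keyed hash), and a scanner looks for full card numbers that have leaked into free text such as application logs. The field names, the log format and the use of HMAC-SHA256 as the "unreadable" form of the PAN are assumptions made for this example; in a real deployment the key would come from a key-management service rather than being generated in the process.

```python
"""Added example (not from the original article): keeping only what PCI DSS
Requirement 3 allows you to store, and finding PANs stored where they
should not be. Field names, log format and the HMAC tokenisation scheme
are assumptions made for this example."""
import hashlib
import hmac
import json
import re
import secrets

# Sensitive authentication data (SAD): PCI DSS forbids storing any of these
# after authorisation, even in encrypted form.
SAD_FIELDS = ("cvv", "cvc", "cid", "track1", "track2", "pin", "pin_block")

# Stand-in for a key fetched from an HSM or KMS (assumption for this example).
STORAGE_KEY = secrets.token_bytes(32)


def luhn_ok(pan: str) -> bool:
    """True if the string is 13-19 digits and passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed hash of the PAN, usable as a lookup key. Without the key it cannot
    be reversed or brute-forced over the small space of valid card numbers."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def sanitize_for_storage(txn: dict, key: bytes) -> dict:
    """Return the subset of a transaction that may be written to disk."""
    pan = re.sub(r"[ -]", "", str(txn.get("pan", "")))
    if not luhn_ok(pan):
        raise ValueError("field 'pan' is not a plausible card number")
    kept = {k: v for k, v in txn.items() if k != "pan" and k not in SAD_FIELDS}
    kept["pan_masked"] = mask_pan(pan)
    kept["pan_token"] = pan_token(pan, key)
    return kept


# Runs of 13-19 digits with optional single space/dash separators between digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number found in free text, separators removed.
    Run this over log files and database dumps to catch PANs that should not be there."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample input (not real card data; 4111... is a standard test number).
SAMPLE_TXN = {
    "txn_id": "T1001",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": "4111111111111111=2912101000000000000",
    "amount": "19.99",
}

# Constructed log excerpt: one full PAN leaked, the order numbers are not Luhn-valid.
SAMPLE_LOG = (
    "INFO charge ok order=1234567890123 card=4111111111111111\n"
    "INFO charge ok order=1234567890124 card=411111******1111\n"
)

if __name__ == "__main__":
    print(json.dumps(sanitize_for_storage(SAMPLE_TXN, STORAGE_KEY), indent=2))
    print("full PANs found in log:", find_pans(SAMPLE_LOG))
```

The Luhn check keeps the scanner from flagging every long number (order IDs, phone numbers) as a card number, which is what makes it usable on large log volumes; a hit still has to be treated as a finding to investigate, not proof of a leak.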
Again, some of these requirements seem obvious, yet many merchants have been caught without implementing them sufficiently. The decision in the well-known TJX case concluded that the company had not done everything it could and should have done to protect cardholder data, including storing and transmitting data unencrypted. What's the lesson? Anyone can get caught not doing everything necessary for their customers' safety.
Requirements 5 and 6 of the PCI DSS deal with maintaining a vulnerability management program. This means using and regularly updating anti-virus software on the systems commonly affected by malware, because not every threat arrives as a targeted attack. It also means developing and maintaining secure systems and applications: install vendor security patches promptly so known vulnerabilities are closed, and build security into any software you develop yourself so that it does not introduce new weaknesses.
Requirements 7 through 9 are about implementing strong access control measures: restrict access to cardholder data to those with a business need to know, assign a unique ID to every person with computer access, and restrict physical access to cardholder data. Knowing exactly who can see the data adds a great deal of security on its own, and if there ever is a problem, tracing its source is a much more efficient process when every action can be tied to an individual.
Requirements 10 and 11 state that a merchant must track and monitor all access to network resources and cardholder data, and regularly test security systems and processes. Why? Because implementation alone isn't enough. Doing something once and expecting it to be self-sustaining isn't going to work. Regular testing is the only way to ensure that you find problems in the system before criminals do.
The twelfth requirement of the PCI DSS states that you must maintain a policy that addresses information security for all personnel. What this means is that it is your responsibility to make sure each part of the company understands its own responsibilities under the PCI DSS.
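The access-control and monitoring requirements above only pay off if someone actually reads the audit trail. The following is an added example, not from the original article, of the kind of review a practitioner would run over an access log against Requirements 7, 8 and 10: it flags access to cardholder data by anyone outside a need-to-know list, use of shared or generic accounts, and one user ID appearing from two different source addresses within a short window, which usually means the ID is being shared. The log line format, the object names, the allowlist and the 120-second window are all assumptions made for this example; a real deployment would take them from the database audit log and the access-control policy.

```python
"""Added example (not from the original article): reviewing a constructed
access log against PCI DSS Requirements 7 (need to know), 8 (unique IDs)
and 10 (track and monitor access). Log format, object names, allowlist
and time window are assumptions made for this example."""
from datetime import datetime, timedelta

# Policy inputs (assumed for this example).
CARDHOLDER_OBJECTS = {"cardholder_db.cards"}
NEED_TO_KNOW = {"cardholder_db.cards": {"alice", "carol"}}
GENERIC_ACCOUNTS = {"admin", "root", "sa", "dba"}
SHARED_ID_WINDOW = timedelta(seconds=120)


def parse_line(line: str) -> dict:
    """Parse '2008-05-01T09:12:03Z user=alice src=10.0.1.5 ...' into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_access_log(lines) -> list:
    """Return (line_number, rule, user) findings; an empty list means clean."""
    findings = []
    last_seen = {}                      # user -> (timestamp, src) of the previous event
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src, obj = rec["user"], rec["src"], rec.get("object", "")
        # Requirement 8: each person gets a unique ID; a generic account hides who acted.
        if user in GENERIC_ACCOUNTS:
            findings.append((n, "generic_account", user))
        # Requirement 7: cardholder data only for users with a business need to know.
        if obj in CARDHOLDER_OBJECTS and user not in NEED_TO_KNOW.get(obj, set()):
            findings.append((n, "no_need_to_know", user))
        # Requirements 8 and 10: one ID from two addresses in quick succession
        # suggests the credential is shared, which defeats the audit trail.
        prev = last_seen.get(user)
        if prev and prev[1] != src and rec["ts"] - prev[0] <= SHARED_ID_WINDOW:
            findings.append((n, "multiple_sources", user))
        last_seen[user] = (rec["ts"], src)
    return findings


# Constructed sample log (not a real audit trail).
ACCESS_LOG = """\
2008-05-01T09:12:03Z user=alice src=10.0.1.5 action=SELECT object=cardholder_db.cards rows=3
2008-05-01T09:12:40Z user=admin src=10.0.1.9 action=SELECT object=cardholder_db.cards rows=5000
2008-05-01T09:13:02Z user=alice src=10.0.2.77 action=SELECT object=cardholder_db.cards rows=2
2008-05-01T09:15:00Z user=bob src=10.0.1.6 action=SELECT object=inventory.items rows=10
""".splitlines()

if __name__ == "__main__":
    for n, rule, user in review_access_log(ACCESS_LOG):
        print(f"line {n}: {rule} ({user})")
```

On the sample log this produces three findings: the "admin" access on line 2 is flagged twice (generic account, and not on the need-to-know list for the cards table), and "alice" on line 3 is flagged because the same ID was used from a second address 59 seconds after the first. Bob's access to the inventory table is not cardholder data and is left alone.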
It's about knowledge and information. And in the end, this knowledge can help you provide your customers with a safe environment in which to conduct electronic transactions.
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about the PCI DSS visit http://www.braintreepaymentsolutions.com/pci-compliance/p/3/ or http://www.braintreepaymentsolutions.com/