PCI Data Security Standards - The 12 Key Requirements
-
Note - While the new PCI standards aren’t directly related to SOX requirements, they represent new electronic controls for financial transactions that will hopefully improve e-commerce security and the protection of sensitive customer information.
Mastercard and Visa have set the following compliance targets for the new PCI DSS requirements (Payment Card Industry - Data Security Standard). Companies that process more than 6 million credit card transactions a year were required to have this ready by September 30, 2007. Companies processing from 20,000 to 6 million transactions have until the end of 2007 to meet this new security standard.
While the requirements are challenging, they are also worthwhile in better protecting customers and ultimately the company itself. In quickly reviewing these, they appear to be less subject to interpretation than many industry standards. These controls will improve the corporate controls associated with credit card processing, so that customer information is better protected and e-commerce security is improved.
PCI Data Security Standards - The 12 Key Requirements
pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Some additional resources:
Article - Advice on passing the 5 most difficult PCI requirements
searchsecurity.techtarget.com/tip/0,289483,sid14_gci1271917,00.html?bucket=ETA&topic=303586
Wikipedia - Excellent overview and links
en.wikipedia.org/wiki/PCI_DSS
PCI Answers Blog - Also an Excellent resource
pcianswers.com/
-
Little FYI
The good old PCI-DSS. I think we can all thank TJX for this one. Basically what it does is shift some responsibility/accountability from the CCs to merchants.
I had the pleasure of implementing this standard across a wide platform with a very decentralized structure. By decentralized I mean across a wide geographical area (50 international entities), with most of them using different processes/systems.
At first this standard may seem difficult to implement but I think anyone with SOX testing exposure and basic process mapping skills can tackle this with no problem.
So if the opportunity presents itself, give it a try…
P.S. This is assuming IT department is on the ball and willing to help out :))
Cheers.
-
I am an IT SOX Auditor for a Retail Co with 100 stores and an e-commerce site.
Now I am getting into PCI Compliance for the first time.
a) Please suggest Project Organization Chart for PCI Compliance project
Level 1 : Executive Sponsor = CFO
Level 2 : Steering Committee = CFO, COO, Controller, CIO, Director Internal Audit
Level 3 : Project Manager
Level 4 : Who should be in SME / Core Advisory Team?
b) Any ideas for a Project Plan? e.g. what are the standard tasks?
-
Below are some of the major resources that can be found related to the PCI DSS requirements that are now required for secure credit card processing by companies implementing e-commerce solutions.
Payment Card Industry Data Security Standard - Key Resources
DEFINITIONS
http://en.wikipedia.org/wiki/PCI_DSS
http://en.wikipedia.org/wiki/Qualified_Security_Assessor
PCI DSS - Home Page Key resources
https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/security_standards/supporting_documents.shtml
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
https://www.pcisecuritystandards.org/pdfs/instructions_guidelines_v1-1.pdf
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_faqs_v1-1.pdf
BLOG AND FORUM RESOURCES
http://pcianswers.com/
http://pcidss.wordpress.com/
http://pcidssfaq.org/forum/
RELATED ARTICLES
http://www.windowsecurity.com/articles/PCI-DSS-Compliance.html
http://www.pcicomplianceguide.org/
http://www.pcicomplianceguide.org/pcidss/iso-acquirer.html
NEXT VERSION OF PCI DSS - SEPTEMBER 2008
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309120,00.html
-
This free PCI/DSS training course was downloaded and installed. So far, in a brief review, it offers great advice for developers in creating more compliant e-commerce applications.
Free Computer Based Training class - PCI DSS for Developers (38MB download): https://www.foundstone.com/us/resources/downloads/pci_compliance_developers.zip
Foundstone Professional Services, a Division of McAfee, has recently released a free 2-hour computer based training entitled ‘PCI DSS v1.1 Compliance for Developers.’ This hype-free CBT focuses on the PCI DSS requirements and sub-requirements that are most relevant to software developers and offers developer-to-developer technical advice to help achieve compliance. Software security best practices are also stressed throughout the presentation. This is not an advertisement for McAfee products or Foundstone services, just solid information that will help your development teams create more secure software.
-
PCI/DSS v1.2 - Released and Now available
Please copy links to your browser to view:
Summary of changes:
https://www.pcisecuritystandards.org/pdfs/pci_dss_summary_of_changes_v1-2.pdf
FULL PDF VERSION
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
FULL WORD VERSION
https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.doc