A Detailed Look at PCI Compliance

Personal information is a very valuable commodity in our ever-changing, fast-paced business environment. Consumers are becoming more savvy about protecting themselves, whether online or simply doing face-to-face business with credit cards.

PCI compliance is meant to help merchants achieve a level of security in which consumers can feel confident about doing business. By adhering to the PCI DSS a merchant can focus on creating an environment that is hostile to hackers and friendly to users.

There are 12 requirements, which can be broken down into more than 200 individual security controls that a merchant must adhere to for PCI compliance. They are as follows.

The first group of PCI DSS requirements is about building and maintaining a secure network. The first requirement mandates that you install and maintain a firewall configuration to protect cardholder data. Firewalls allow you to control the traffic into and out of your system. The default rule should always be to deny any traffic that is not explicitly authorized.

Requirement two says: do not use vendor-supplied defaults for system passwords and other security parameters. These default passwords are well known in the hacker community and are among the first things attackers will try against your system.

The next two PCI compliance requirements are about protecting cardholder data. Number three, in fact, states: protect stored cardholder data. This involves strong encryption techniques, making sure that you remove old information, and not storing any information that is not absolutely necessary.

The fourth requirement says you must also encrypt transmission of cardholder data across open, public networks. Criminals can try to intercept data in transit and alter it. If it is encrypted, though, all they will find is unreadable data.

Maintaining a vulnerability management program is the next step. This includes requirements five, using and regularly updating anti-virus software, and six, developing and maintaining secure systems and applications.

Not all threats are from criminals. Viruses can cause significant damage, and vulnerabilities in software can lead to an open door for unscrupulous employees or hackers to gain access.

Next you must implement strong access control measures. This means (7) restricting access to cardholder data to business need-to-know, (8) assigning a unique ID to each person with computer access, and (9) restricting physical access to cardholder data.

In other words, even though your first priority is to not store anything you do not absolutely need, you should follow it up by restricting access to the data that remains to the people who absolutely have to have it. These people should each have their own unique authenticators in order to reach critical components of the system. And these measures apply to physical access as well.

Of course, because hackers continue to try new tactics, you must keep up. That's why PCI compliance requires you to monitor and test networks. Requirement ten says you must track and monitor all access to network resources and cardholder data. When you know exactly what has happened on your network you can more easily discover what went wrong. And requirement eleven mandates regular testing of security systems and processes. This way you can discover any vulnerabilities before the criminals do.
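The paragraphs above on requirements 3, 7, 8 and 10 describe controls that are easiest to see in code. The following is an added example, not part of the original article and not code from any PCI DSS publication: a small, standard-library-only Python module that stores a transaction without the full card number or CVV (requirement 3), restricts reads to roles with a business need to know (requirement 7), insists on a unique user ID for every read (requirement 8), writes an audit entry for every access attempt (requirement 10), and purges records past a retention period. The key, the role names, the retention period and the test card number are constructed assumptions for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed values for this example. A real deployment keeps the key in an
# HSM or key-management service and takes the retention period from policy.
HMAC_KEY = b"example-only-key-replace-me"
RETENTION = timedelta(days=365)
# Requirement 7: only roles with a documented business need may read records.
ROLES_WITH_NEED_TO_KNOW = {"chargeback_analyst", "fraud_analyst"}

STORE = {}      # txn_id -> stored record (never the full PAN, never the CVV)
AUDIT_LOG = []  # requirement 10: one entry per access attempt, allowed or denied


def luhn_valid(pan: str) -> bool:
    """Mod-10 check so malformed card numbers are rejected before storage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, everything else masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed hash (HMAC-SHA256) that lets repeat cards be matched without
    keeping the PAN itself; without the key the token cannot be reversed."""
    return hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def store_transaction(txn_id, pan, expiry, cvv, now):
    """Persist only what the business needs. The CVV is accepted for the
    authorisation call and deliberately discarded; it is never written."""
    pan = re.sub(r"\D", "", pan)
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("invalid PAN")
    del cvv  # sensitive authentication data must not be retained
    record = {
        "pan_token": pan_token(pan),
        "pan_masked": mask_pan(pan),
        "expiry": expiry,
        "created": now,
    }
    STORE[txn_id] = record
    return dict(record)


def read_transaction(txn_id, user_id, role, now):
    """Requirement 8: a unique user ID is mandatory (no shared accounts).
    Requirement 10: every attempt is logged, including denials."""
    if not user_id:
        raise ValueError("unique user ID required")
    allowed = role in ROLES_WITH_NEED_TO_KNOW
    AUDIT_LOG.append({"time": now, "user": user_id, "role": role,
                      "txn_id": txn_id, "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{role} has no business need for {txn_id}")
    return dict(STORE[txn_id])


def purge_expired(now):
    """Requirement 3: delete records past the retention period; returns count."""
    expired = [k for k, v in STORE.items() if now - v["created"] > RETENTION]
    for k in expired:
        del STORE[k]
    return len(expired)


def demo():
    """Constructed walk-through; returns the values worth checking."""
    STORE.clear()
    AUDIT_LOG.clear()
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    fresh = store_transaction("txn-1", "4111 1111 1111 1111", "12/26", "123", now)
    old = store_transaction("txn-0", "4111 1111 1111 1111", "12/26", "999",
                            now - timedelta(days=400))
    try:
        read_transaction("txn-1", "alice", "marketing", now)
        denied = False
    except PermissionError:
        denied = True
    seen = read_transaction("txn-1", "bob", "fraud_analyst", now)
    purged = purge_expired(now)
    return {"stored": fresh, "same_token": fresh["pan_token"] == old["pan_token"],
            "denied": denied, "seen_masked": seen["pan_masked"],
            "audit_entries": len(AUDIT_LOG), "purged": purged,
            "remaining": sorted(STORE)}


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The stored record is built from a fresh dictionary rather than from the input, so a later "just log the whole request" change cannot silently persist the CVV. The audit entry is appended before the authorisation decision is enforced, so denied attempts are recorded as well as successful reads; a log that shows only successes is of little use when working out what went wrong.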

Finally, requirement twelve says you must maintain a policy that addresses information security. In simpler terms, it does not matter what policies you have unless everyone in the company knows about them.

PCI compliance is a requirement, but it is also good business sense. By following the steps in the PCI DSS you will be able to offer the kind of business environment your customers are looking for.

Source by Andy Eliason