PCI Overview
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide data security
standard that applies to any organisation that stores, processes or transmits cardholder
data. The purpose of the PCI DSS is to give organisations a defined set of security
requirements for protecting cardholder data held in IT systems. By implementing the
PCI DSS requirements, an organisation can demonstrate sound business practice and good
corporate citizenship in protecting cardholder data, both to its customers and to
compliance regulators.
PCI Brief History
PCI originally began as four separate programs: Visa's Cardholder Information Security
Program, MasterCard's Site Data Protection, American Express's Data Security Operating
Policy, and Discover's Information Security and Compliance. Each company's intention was
broadly the same: to create an additional level of protection for customers by ensuring
that merchants meet minimum levels of security when they store, process and transmit
cardholder data. On 15 December 2004, Visa, MasterCard, American Express and Discover
aligned their individual policies and created the Payment Card Industry Data Security
Standard.
In September 2006, the card brands aligned again to create the Payment Card Industry
Security Standards Council. The Council took responsibility for fostering broad
adoption of the PCI DSS v1.1 standard. The Payment Card Industry Security Standards
Council is an independent organisation backed by all the major card brands, including
American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa
International.
Why Should I comply with PCI DSS?
PCI DSS is reshaping how businesses worldwide handle payment data. Following rising
levels of electronic crime, customers are increasingly wary of doing business with a
company or website that is not PCI compliant, and major corporations are increasingly
refusing to do business with companies that are not PCI compliant.
Failure to comply with PCI DSS can result in heavy fines, restrictions, or even permanent
expulsion from card acceptance programs. A significant number of companies have already
suffered financially from fines, the cost of replacing cards, liability for fraudulent
transactions, litigation costs, brand damage, loss of reputation, loss of customers, and
in some cases closure of the business.
Complying with PCI DSS provides a 'seal of security' for your business, which for some
companies has led to an increase in sales. Companies have found that they can gain a
competitive edge by contributing to the crackdown on credit card theft, identity fraud
and other types of electronic crime. Finally, your business will be contributing to an
improved consumer perception of ecommerce, and that benefits everyone.
Understanding PCI DSS V1.1
PCI DSS Version 1.1 can be summarised in twelve requirements. To comply, companies must:
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
- Requirement 12: Maintain a policy that addresses information security
Where Can I start to meet compliance?
When evaluating measures for ensuring PCI compliance, it is important to remember that
the need for the PCI standard was driven by the rising number of data thefts and
frauds in the payment industry, and by the devastating cost of those breaches, both to
identity theft victims and to the financial services sector as a whole. Being compliant
is not the end goal: preventing data breaches is. The PCI standard should therefore be
viewed in relation to the best available security practices. In implementing the
standard, a company should be ensuring not only compliance but longer-term data
security, especially as the threat landscape and the security industry continue to
evolve.
While there are often several approaches an organisation can take to achieve compliance
in the near term, companies are well served by taking a "highest common denominator"
approach, so that security investments are used to best effect and the risk of a
breach is minimised rather than merely the risk of an audit finding.
What are Possible Technical Solutions?
Randtronics provides a range of products to meet your technical requirements for PCI
compliance. It can be difficult to find solutions that meet both your technical and
your financial needs; Randtronics offers a number of options that make it easier for
you to comply.
Where Can I Get Help?
Randtronics is able to provide initial training on understanding the PCI DSS 1.1
standard. Our consultants can assist in the implementation of every aspect of the
12-point plan.
Please do not hesitate to Contact Us should you require any further information or
services.
Website Links
Contact Us
For more information about our products, feel free to Contact Us for a free WebEx.
PCI Product Solutions
Randtronics offers a full suite of leading edge cryptographic products to meet your
compliance needs for Requirement 3 (protect stored data).
Click Here to view our product range.
PCI Consultants
Randtronics consultants work with your QSA to evaluate your environment and examine the
IT systems that need to comply with PCI DSS.
Click Here for an overview of our services.
Data Discovery Tool
The Data Discovery Tool (DDT) from Ingrian is a free Java-based tool that searches your
database for columns that may contain sensitive information, such as credit card numbers
or social security numbers, stored in clear text. PCI DSS Requirement 3 requires stored
card data of this kind to be protected (for example by encryption), so finding where it
lives is the first step towards compliance.
The DDT currently supports:
- Oracle 8i, 9i, 10g
- SQL Server 2000 and 2005
Click Here to obtain a free copy of the tool.
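To show what a data discovery pass like the one described above actually does, the following is an added example written for this page; it is not the Ingrian tool and not Randtronics code. It walks every text column of a database, matches digit strings of PAN length (13 to 19 digits, optionally separated by spaces or dashes) and keeps only those that pass the Luhn checksum, so that phone numbers, order references and masked or tokenised values are rejected. The database, table names and sample rows are constructed for the example (an in-memory SQLite database standing in for Oracle or SQL Server); the Visa, MasterCard and American Express numbers used are the well-known Luhn-valid test numbers, not real accounts.

```python
"""Clear-text PAN discovery over a relational database (added example).

Scans every column of every table, sampling up to `sample_rows` rows per
column, and reports the columns in which Luhn-valid card numbers appear.
The SQLite database and its contents are constructed test data.
"""
import re
import sqlite3
from typing import Dict, List

# 13-19 digits, allowing a single space or dash between digits, and not
# embedded in a longer digit run (so a 20-digit identifier is not matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # positions 1, 3, 5, ... from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that have PAN length and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """First six and last four digits only, the usual display form for reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_database(conn: sqlite3.Connection, sample_rows: int = 1000) -> Dict[str, int]:
    """Map 'table.column' -> number of clear-text PANs found in the sampled rows."""
    findings: Dict[str, int] = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in columns:
            rows = conn.execute(f'SELECT "{col}" FROM "{table}" LIMIT ?', (sample_rows,))
            count = 0
            for (value,) in rows:
                if value is None:
                    continue
                count += len(find_pans(str(value)))   # numeric columns are cast to text
            if count:
                findings[f"{table}.{col}"] = count
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed test database: one PAN hidden in free text, two in a card column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, phone TEXT, notes TEXT)")
    conn.execute("CREATE TABLE orders (id INTEGER, reference TEXT, card_number TEXT, "
                 "card_masked TEXT, amount REAL)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", [
        (1, "Ada", "0412 345 678", "Paid with 4111 1111 1111 1111 over the phone"),
        (2, "Bob", "0298765432", "Refund requested"),
    ])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1001, "ORD-1234567890123", "5555555555554444", "555555******4444", 42.50),
        (1002, "ORD-2468013579246", "378282246310005", "378282*****0005", 19.99),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for location, n in scan_database(db).items():
        print(f"{location}: {n} clear-text PAN(s)")
    # e.g. customers.notes: 1, orders.card_number: 2; the phone numbers, the
    # ORD- references (wrong Luhn) and the masked values are not reported.
```

Two practical caveats for running something like this against a production database. First, a Luhn match is evidence, not proof: roughly one in ten random digit strings of the right length passes the checksum, so every reported column still needs a human look before it is declared cardholder data, and the free-text hit above (a PAN typed into a notes field) is exactly the kind of finding a schema review misses. Second, the scan itself reads PANs into memory, so it has to be run from inside the cardholder data environment by someone authorised to see that data, and its report should carry only masked values, as `mask()` does, never the full numbers.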