The PCI DSS is a security framework for organisations handling payment card details. It has been developed over the past few years by the leading payment card brands such as AMEX, Diners, JCB, Mastercard and Visa. The aims of the standard include:
- Reducing online credit card fraud.
- Ensuring that organisations accepting online payments are more aware of (and accountable for) the security of their operations.
- Reducing losses for card issuers arising from fraud.
- Protecting the privacy of consumers submitting card details online.
Merchants and Service Providers processing online payments must store card account data securely in accordance with the PCI DSS. By demonstrating secure processing of card data, they comply with the standard.

The DSS offers a pragmatic and comprehensive approach to protecting card data. It can initially be a daunting task to adhere correctly to all sections of the standard. However, by performing the required compliance tasks, businesses (and customers using credit cards) genuinely benefit from the improvements made to the security of ecommerce networks.

As time progresses and the PCI standard is more widely accepted, failure to demonstrate compliance becomes a serious issue. Recently, published deadline dates have passed with little or no consequence for non-compliance. However, the deadline of June 30th 2007 now appears to be a significant date for achieving compliance, with plans to impose monthly fines on businesses ignoring their obligations to PCI.

Below is a summary of the various sections of the PCI DSS. The full standard is available from the PCI Security Standards Council.
Build and Maintain a Secure Network

  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  Requirement 3: Protect stored cardholder data.
  Requirement 4: Encrypt transmission of cardholder data across open, public networks.
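
The following Python is an added illustration of what Requirement 3 means in practice for a merchant's own code; it is not part of the PCI DSS text or this page. It assumes the standard's own storage rules, which the summary above does not spell out: sensitive authentication data (card verification code, full track data, PIN) must never be retained after authorization, and a stored or displayed PAN should show at most the first six and last four digits. The field names, the masking helper and the sample record (the well-known 4111 1111 1111 1111 test number, not real card data) are this example's own constructions. The last function is a defender's check for the common failure mode of full PANs leaking into application logs.

```python
import re

# Constructed sample input (not real card data): the widely used test PAN, which passes
# the Luhn check, plus the other fields a checkout form typically collects.
SAMPLE_AUTHORIZATION = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cardholder_name": "A. Example",
    "cvv": "123",
    "track_data": ";4111111111111111=29121010000000000000?",
}

# Sensitive authentication data: PCI DSS forbids retaining these after authorization,
# even in encrypted form. The field names are this example's own convention (assumption).
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "cid", "track_data", "pin", "pin_block")

# 13 to 19 digits, optionally separated by spaces or hyphens, as PANs appear in text.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheapest way to tell a real PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible PAN")
    return digits


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for storage or display, keeping first six and last four digits only."""
    digits = normalize_pan(pan)
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[-keep_last:]


def to_storage_record(authorization: dict) -> dict:
    """Reduce a post-authorization record to what may be kept: a masked PAN plus the
    non-sensitive fields. Sensitive authentication data is dropped, never copied."""
    record = {
        key: value
        for key, value in authorization.items()
        if key != "pan" and key not in SENSITIVE_AUTH_FIELDS
    }
    record["pan_masked"] = mask_pan(authorization["pan"])
    return record


def find_unmasked_pans(line: str) -> list:
    """Detection helper for logs and dumps: digit runs that look like live PANs."""
    found = []
    for match in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    print(to_storage_record(SAMPLE_AUTHORIZATION))
    # Constructed log line showing the leak the last function is meant to catch.
    print(find_unmasked_pans("order 42 paid with 4111 1111 1111 1111 ok"))
```

The Luhn test keeps the log scanner from flagging every long number (order ids, timestamps), but it is only a plausibility filter, so a hit still needs a human or a dedicated scanning tool to confirm before the log is treated as cardholder data in scope.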
Maintain a Vulnerability Management Program

  Requirement 5: Use and regularly update anti-virus software.
  Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures

  Requirement 7: Restrict access to cardholder data by business need-to-know.
  Requirement 8: Assign a unique ID to each person with computer access.
  Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks

  Requirement 10: Track and monitor all access to network resources and cardholder data.
  Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy

  Requirement 12: Maintain a policy that addresses information security.