Implementing The Payment Card Industry Data Security Standard

In order to protect the integrity of card-not-present transactions, such as online commerce, the five major credit card companies came together and created the Payment Card Industry Data Security Standard. As more and more stories about security breaches reach the public awareness, consumer confidence in electronic transactions is in danger of falling off significantly.

The Payment Card Industry Data Security Standard (or PCI DSS) was designed to offer guidance and incentives for implementing a standardized set of security measures.

So where do you start? There are twelve requirements in the Payment Card Industry Data Security Standard, so you might as well start at the beginning.

Requirement number one mandates that you install and maintain a firewall configuration to protect cardholder data. This allows you to control the traffic that has access to the sensitive areas of your site.

The second requirement states that you must not use vendor-supplied defaults for system passwords and other security parameters. These default passwords are often well known in the hacker community, and they are the first thing an attacker tries against your system.

The third has a somewhat broader scope, in that it simply requires you to protect cardholder data. That could mean anything, but in this case it includes the necessity of restricting physical as well as digital access to data. It also specifies exactly what information you cannot store at all.
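As an added illustration of requirement three (this is not code from the original article): PCI DSS forbids storing sensitive authentication data after authorization (full magnetic-stripe track data, card verification codes, PINs or PIN blocks), and a displayed card number may show at most the first six and last four digits. The field names and the sample record below are assumptions for the example.

```python
import re

# Sensitive authentication data that PCI DSS says must never be stored after
# authorization, not even encrypted. Field names are assumed for this example.
PROHIBITED_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: a cheap filter for 'does this look like a card number'."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to be shown."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible primary account number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> tuple[dict, list[str]]:
    """Return (copy safe to persist, names of prohibited fields that were dropped).

    The second value exists so callers can log a compliance event: a prohibited
    field reaching the storage layer is a bug upstream, not just data to scrub.
    If the business genuinely needs the full PAN, it must be rendered unreadable
    (strong encryption or tokenization) instead; this example keeps only the mask.
    """
    cleaned, removed = {}, []
    for key, value in record.items():
        name = key.lower()
        if name in PROHIBITED_FIELDS:
            removed.append(key)
        elif name == "pan":
            cleaned[key] = mask_pan(str(value))
        else:
            cleaned[key] = value
    return cleaned, removed


# Constructed sample using a well-known test card number, not real cardholder data.
SAMPLE = {"pan": "4111 1111 1111 1111", "cvv2": "123", "track2": ";4111...", "amount": "10.00"}
```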

Requirement four deals with encrypting transmission of cardholder data across open, public networks. Sometimes a hacker will skip breaking into systems altogether and simply try to intercept sensitive information en route. It’s very important to make that information unreadable, so they can’t do anything with whatever they might capture.

The fifth requirement deals with other, non-human threats. You are required to use and regularly update anti-virus software to guard against the various malicious programs that can infect your system. These programs can get in through any number of methods, and it’s important to guard yourself against them.

Developing and maintaining secure applications is the sixth requirement. Your programs and applications need to be kept up to date with current security measures. As you use certain programs, security holes are often discovered, and you must fix or patch them as necessary.

Number seven requires you to limit access to sensitive information to people who need to know it for the purposes of their job. For some people it is absolutely necessary to have access to this information, but they are the only people who should ever see it.

Requirement eight says you should assign a unique ID to anyone with computer access. By doing so you can be sure that any actions taken on important systems are performed by, and can be traced to, authorized personnel.

The ninth requirement says that you have to restrict physical access to your systems. You don’t want the wrong people finding and stealing equipment, hardcopies, and encryption keys.

Number ten requires you to track and monitor all access to network resources and cardholder data. This is absolutely essential if something goes wrong on your system. Logging software will help track and analyze what happened.

The eleventh requirement states that you must regularly test security systems and processes. No matter how perfect you think your security measures are, there’s always a chance someone will find a previously unknown vulnerability. Regular testing is the best way to find those vulnerabilities first.

The final requirement is to maintain a policy that addresses information security for employees. It makes sense. All the procedures in the world don’t mean a thing if your people don’t know about them. You have to keep everyone informed.

The Payment Card Industry Data Security Standard can be a complex and time-consuming thing to implement. For that reason many companies have opted to outsource their PCI compliance. But whatever you choose, just remember that the sooner you adopt the Payment Card Industry Data Security Standard, the sooner you will experience the benefits.