What is it, and why is it important?
The Payment Card Industry Data Security Standard (PCI DSS) was designed as a comprehensive list of best practice measures and processes for handling, processing, storing and transmitting payment card data.
The PCI DSS was formulated by the payment card companies such as Visa and MasterCard in response to the growing number of instances of theft and misuse of payment card details. The first version of the PCI DSS was released in December 2004 and mandates a wide range of measures required to ensure the protection of payment card data.
The measures are summarized in the 12-section PCI DSS, but a high-level overview can be broken down into three main areas:
• Active Technological Security Measures (firewalls, intrusion detection systems, anti-virus, file-integrity monitoring, data encryption)
• IT Security Best Practices (masking of card data within applications, configuration 'hardening', regular updates to password and security keys, regular vulnerability scans and penetration tests, review of all security and audit logs)
• General Security Best Practices (such as physical building security measures and personnel awareness of IT Security measures)
Today, the PCI Security Standards Council has been established by the major payment card brands and is the body "responsible for the development, management, education, and awareness of the PCI Security Standards".
The 12 Point PCI DSS
The latest version of the PCI DSS is Version 2.0. It retains the same 12 core requirements as previous versions of the standard, which in turn branch into more than 250 controls. The full standard can be accessed at pcisecuritystandards.org, but the following is a summarized 'plain English' version:
1. Use a firewall - typically the core 'Card Data Processing' systems are segregated from the Corporate Network using an internal firewall in addition to any external internet-facing firewall
2. Secure system access through configuration hardening - use non-default passwords, SSL/TLS and SSH for any system access, disable unnecessary services and protocols to minimize accessibility
3. Use masking and encryption of cardholder data to ensure that data is unreadable if stolen, but only ever store as little data as possible
4. Use encryption for any cardholder data when being transferred over public networks
5. Use anti-virus software, regularly updated
6. Increase the inherent security of all systems through configuration hardening i.e. remove known vulnerabilities through patching and configuration settings
7. Use Identity and Access Management controls to minimize access to cardholder data systems on a strict 'need to know' basis
8. Assign a unique ID to each user and enforce strong authentication
9. Lock your doors - utilize physical security measures to restrict access to systems such as door locks, badge readers and video cameras
10. Track and monitor all access to all network resources and cardholder data - centrally backup event and audit log trails, especially for logons
11. Get a Vulnerability Scan and Penetration Test by an Approved Scanning Vendor performed every 3 months and after any significant network change. Use file-integrity monitoring to protect critical system and configuration files
12. Adopt an Information Security Policy to ensure there is an appreciation of the PCI DSS objectives by all employees and contractors
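Requirements 3 and 10 meet in practice in application code: the PAN must never reach logs or screens unmasked, and the masked form may show at most the first six and last four digits. The following is an added illustration written for this page, not code from the PCI SSC or any card brand; the sample log lines and card numbers are constructed test values, and the Luhn check is used only to avoid masking ordinary numbers that happen to be PAN-length.

```python
import re

# Luhn checksum: filters out digit runs that are not card numbers before masking.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits (the most PCI DSS allows to be displayed)."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-shaped value")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# 13-19 digits, optionally separated by single spaces or hyphens, on word boundaries.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def scrub_log_line(line: str) -> str:
    """Mask any Luhn-valid PAN in a log line before it is written to the audit trail."""
    def _mask(match: re.Match) -> str:
        candidate = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(candidate) if luhn_valid(candidate) else match.group(0)
    return PAN_RE.sub(_mask, line)

# Constructed sample lines: one leaks a PAN, one contains a harmless 16-digit trace id.
SAMPLE_LOG = [
    "2024-01-01 order=12345 pan=4111 1111 1111 1111 status=ok",
    "2024-01-01 trace id=1234567890123456 status=ok",
]

def scrub_log(lines: list[str]) -> list[str]:
    return [scrub_log_line(line) for line in lines]

if __name__ == "__main__":
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```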
So who exactly is subject to the PCI DSS?