
Securing Cardholder Data So You Don't Make Headlines

White Paper Published By: Ecora Software

High-profile data losses are grabbing more and more headlines every week, threatening the reputation, customer base, and overall bottom line of organizations whose systems have been exploited. In addition to this lurking threat, organizations now face potential fines for PCI non-compliance from VISA, beginning in September 2007. Ecora Software will provide you with the information you need to proactively address PCI compliance and, of equal importance, minimize your risk of a costly data breach.



Tags : 
pci, pci dss, pcidss, payment card, credit card, pci compliant, compliance, financial

Ecora Software
Published:  Aug 15, 2007
Type:  White Paper
Length:  6 pages

WHITE PAPER
Securing Cardholder Data So You Don't Make Headlines
Using the PCI Data Security Standard as a Catalyst for Improving Information Security
Alex Bakman, Chairman and Chief Technology Officer, Ecora Software

Sidebar: The PCI "Digital Dozen"

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored data.
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and ...

Breaches in network security, particularly those that threaten customer credit card data, have impacted organizations of all sizes and types, from some of the world's most recognized brands to small, regional businesses, and these security breaches have made national, and international, headlines.

An escalation in the number of security breaches did not come about because the companies affected didn't have solid network security controls in place; most of them did. The fact is that security, and what needs to be secured, is more complex than ever before. It is no longer effective to secure just the enterprise perimeter. Today's organizations must secure the entire infrastructure, and they must control the people and processes that interact with the infrastructure as well. Neglecting security efforts in any one of these areas can leave an organization vulnerable to a security breach.

In fact, in today's business environment, focusing on IT security alone isn't enough. Organizations must broaden their thinking to encompass overall information risk. Information risk management is a business function and encompasses regulatory compliance as well as issues of intellectual property protection, insider abuse, and privacy. With a focus on information risk management, an organization will ensure a successful security program and a successful compliance program.

Security and Compliance through PCI-DSS

The Payment Card Industry Data Security Standard, or PCI-DSS, ensures that cardholder data is protected in the event of a security breach by requiring merchants and service providers that store, process, or transmit cardholder data to meet specific security requirements. When organizations work toward and achieve PCI compliance, they will have also implemented a number of key initiatives that improve overall information security.

According to Forrester Research, an audit for compliance with the PCI standard focuses on three primary areas reflecting the "processes," "technology infrastructure," and "people" that are critical to both compliance and security.

1. Identification of sensitive data within your environment such as electronic protected health information, social security numbers, cardholder data, and other confidential data.
2. Identification of areas where data may be transmitted or stored, including routers, switches, firewalls, IDS/IPS, and wireless; servers, PCs, mainframes, and PDAs; hard disks, printouts, backup tapes, audio recordings, vendors and third parties and their sub-servicers; load balancer(s), click tracker, middleware, SSL accelerators, TOE cards, web servers, application servers, and database servers; IVRs and call center "OB" capture systems; and temp files, C:\ drives, flash drives, and file servers with "everyone" access.
3. Identification of all consumers of sensitive data, including local staff, remote staff, consultants, business partners, and regulators.

Developing an Automated PCI Compliance Process

The most common challenges to PCI compliance center on protecting and managing data, controlling change, and auditing and enforcing policies. These challenges also link directly to the most commonly cited PCI violations. According to Forrester, the five most common PCI DSS violations include:
. Storage of prohibited data (e.g., full track, CVV2, PIN)
. Systems on which patch... [download for more]
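As an added example that is not part of the Ecora paper, the following Python scanner targets the first violation listed above, storage of prohibited data: it sweeps constructed sample lines (synthetic values, not real card data) for Luhn-valid card numbers, full magnetic-stripe track data and CVV values, and reports each hit with the PAN masked to first six and last four digits so the report itself does not become stored cardholder data.

```python
import re

# Constructed sample lines standing in for a log or temp file examined during
# a cardholder-data discovery sweep; every value is synthetic test data.
SAMPLE_LINES = [
    "2007-08-15 order=1001 pan=4111111111111111 exp=0909 status=ok",
    "2007-08-15 order=1002 ref=4111111111111112 status=declined",
    "%B4111111111111111^DOE/JOHN^09091011000000000000?",
    "order=1003 cvv2=123 amount=19.99",
    "ticket 1234567890 opened by support",
]

# 13-19 digits, optional single space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d(?:[ -]?\d){12,18})(?!\d)")
# Magnetic-stripe track 1 / track 2 layouts: prohibited storage after authorisation.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Card verification value written as a key/value pair (cvv2=123, CVC: 4567).
CVV_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits):
    """Mod-10 check; rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return (line_no, kind, masked_evidence) for every prohibited-data hit."""
    findings = []
    for no, line in enumerate(lines, 1):
        if TRACK1_RE.search(line):
            findings.append((no, "track1", "full magnetic-stripe track 1 present"))
        if TRACK2_RE.search(line):
            findings.append((no, "track2", "full magnetic-stripe track 2 present"))
        for m in CVV_RE.finditer(line):
            findings.append((no, "cvv", m.group(1).lower() + "=***"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(1))
            if luhn_valid(digits):  # never record the full PAN in the report
                findings.append((no, "pan", mask_pan(digits)))
    return findings
```

Line 2 is deliberately a digit run that fails the Luhn check and line 5 a 10-digit ticket number; neither is reported, which keeps the sweep's noise down when run over real log and temp directories.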
