Achieve and Maintain Compliance with PCI Data Security Standard – Part 4. Deep dive into PCI DSS requirements 10-12. Learn how to adhere to the PCI security standard by automating regulatory compliance and best practices reporting typically used to identify and validate IT configuration changes throughout operating systems, database management systems, applications and network devices.
WHITEPAPER
Using Automated, Detailed Configuration
and Change Reporting to Achieve and Maintain
PCI Compliance-Part 4
An in-depth look at Payment Card Industry Data SecurityStandard Requirements 10, 11, 12
Alex BakmanChairman and Chief Technology OfficerEcora SoftwareIntroduction Scope of Assessment for PCI ComplianceIn 2004, all major bankcards-Visa, MasterCard, Discover, and The PCI Data Security Standard requirements apply to all "systemAmerican Express-adopted a single, unified program as the components" or any network component, server, or application that isstandard for data security. The new standard, called the Payment included in or connected to the cardholder data environment. ThisCard Industry Data Security Standard or PCI, is intended to protect means that even remote employees who have access to cardholdercardholder data-wherever it resides or is transmitted-and requires data must be in compliance with PCI. that merchants and service providers that store, process, or transmit A service provider or merchant may use a third-party provider tocardholder data meet specific security requirements. manage system components, but because there may be an impactEnsuring compliance with the PCI standard is important to on the security of the cardholder data environment, the services oforganizations for a number of reasons, particularly to protect brand the third-party provider must be evaluated either in 1) the PCI auditsreputation and to avoid fines and additional regulatory scrutiny. In of the third-party provider's clients or 2) the third-party provider's ownfact, the October 1, 2006 issue of the Wall Street Journal PCI audit. There is really no distinction between your environmenthighlighted new efforts at Visa to step up PCI compliance and an outsourced environment.enforcement and discussed heavy fines that have been levied on For merchants required to undergo an annual on-site review, thesome of the nation's largest retailers. scope of compliance validation is focused on any system or systemcomponents related to authorization and settlement whereWho Must Be In Compliance? cardholder data is stored, processed, or transmitted. ServiceAt the most fundamental level, any company that comes into contact providers required to undergo an annual on-site review mustwith credit card information must be in compliance with the PCI Data perform compliance validation on all system componentsSecurity Standard. where cardholder data is stored, processed, or transmitted,There are varying levels of compliance proof or validation, however, unless otherwise specified. with specific requirements for merchants and specific requirements for During a PCI audit, auditors will typically select a sample ofservice providers, as well as distinct compliance levels based on the firewalls, routers, wireless access points, databases,number of transactions processed annually by the merchant or service applications, etc. that is large enough to validate findingsprovider. representative of the entire environment. Importantly, the moreFor more introductory information about the Payment Card Industry standardized the environment-a single operating system, aData Security Standard, download the Ecora whitepaper: Using single database vendor, etc.-and the more clearlyAutomated, Detailed Configuration and Change Reporting to configuration standards are defined, the smaller the sampleAchieve and Maintain Payment Card Industry Compliance. For a required. Standardization provides valuable benefits, amongdetailed look at PCI requirements 1, 2, 3, and 4, download the them is reducing the scope of an audit.Ecora whitepaper: Using Automated, Detailed Configuration andChange Reporting to Achieve and Maintain Payment Card Industry PCI Data Security StandardCompliance: An in-depth look at Payment Card Industry Data RequirementsSecurity Standard Requirements 1, 2, 3, 4. For a detailed look at Build and Maintain a Secure NetworkPCI requirements 5, 6, 7, 8, and 9, download the Ecora Requirement 1:whitepaper: Using Automated, Detailed Configuration and Change Install and maintain a firewall configuration toReporting to Achieve and Maintain Payment Card Industry protect data.Compliance: An in-depth look at Payment Card Industry Data Requirement 2: Do not use vendor-supplied defaults for systemSecurity Standard Requirements 5, 6, 7, 8, 9. passwords and other security parameters.Protect Cardholder DataMeeting the PCI Data Security... [download for more]
