Deep dive into PCI DSS requirements 5-9. Learn how to adhere to the PCI security standard by automating regulatory compliance and best practices reporting typically used to identify and validate IT configuration changes throughout operating systems, database management systems, applications and network devices.
WHITEPAPER
Using Automated, Detailed Configuration
and Change Reporting to Achieve and Maintain
PCI Compliance-Part 3
An in-depth look at Payment Card Industry Data SecurityStandard Requirements 5, 6, 7, 8, 9
Alex BakmanChairman and Chief Technology OfficerEcora SoftwareIntroductionIn 2004, all major bankcards-Visa, MasterCard, Discover, and A service provider or merchant may use a third-party provider toAmerican Express-adopted a single, unified program as the standard manage system components, but, because there may be an impact onfor data security. The new standard, called the Payment Card Industry the security of the cardholder data environment, the services of theData Security Standard or PCI, is intended to protect cardholder third-party provider must be evaluated either in 1) the PCI audits of thedata-wherever it resides or is transmitted-and requires that third-party provider's clients or 2) the third-party provider's own PCImerchants and service providers that store, process, or transmit audit. There is really no distinction between your environment and ancardholder data meet specific security requirements. outsourced environment.Ensuring compliance with the PCI standard is important to For merchants required to undergo an annual onsite review, the scopeorganizations for a number of reasons, particularly to protect brand of compliance validation is focused on any system or systemreputation and to avoid fines and additional regulatory scrutiny. components related to transaction authorization and settlement wherecardholder data is stored, processed, or transmitted. Service providersWho Must Be In Compliance? required to undergo an annual onsite review must perform complianceAt the most fundamental level, any company that comes into contact validation on all system components where cardholder data is stored,with credit card information must be in compliance with the PCI Data processed, or transmitted, unless otherwise specified. Security Standard. During a PCI audit, auditors will typically select a sample ofThere are varying levels of compliance proof or validation, however, firewalls, routers, wireless access points, databases,with specific requirements for merchants and specific requirements for applications, etc. that is large enough to validate findingsservice providers, as well as distinct compliance levels based on the representative of the entire environment. Importantly, the morenumber of transactions processed annually by the merchant or service standardized the environment-a single operating system, aprovider. single database vendor, etc.-and the more clearlyconfiguration standards are defined, the smaller the sampleFor more introductory information about the Payment Card Industry required. Standardization provides many valuable benefits,Data Security Standard, download the Ecora whitepaper: Using among them is reducing the scope of an audit.Automated, Detailed Configuration and Change Reporting to Achieveand Maintain Payment Card Industry Compliance. For a detailed look PCI Data Security Standard Requirementsat PCI requirements 1, 2, 3, and 4, download the Ecora whitepaper:Using Automated, Detailed Configuration and Change Reporting to Build and Maintain a Secure NetworkAchieve and Maintain Payment Card Industry Compliance: An in- Requirement 1: Install and maintain a firewall configuration todepth look at Payment Card Industry Data Security Standard protect data.Requirements 1, 2, 3, 4 . Requirement 2: Do not use vendor-supplied defaults for systempasswords and other security parameters.Meeting the PCI Data Security StandardRequirements Protect Cardholder DataThe Payment Card Industry Data Security Standard establishes twelve Requirement 3: Protect stored data.requirements that companies must follow to ensure the security of credit Requirement 4: Encrypt transmission of cardholder data andcard data. These requirements span every aspect of an organization's sensitive information across public networks.operation-from business processes to the configuration of the ITinfrastructure-and fall into six major control objectives: Maintain a Vulnerability Management ProgramRequirement 5: Use and regularly update anti-virus software.. Build and maintain a secure network. Protect cardholder data Requirement 6: Develop and maintain secure systems andapplications.. Maintain a vulnerability management program. Implement strong access control measures Implement Strong Access... [download for more]
