Deep dive into the first 4 PCI DSS requirements. Learn how to adhere to the PCI security standard by automating regulatory compliance and best practices reporting typically used to identify and validate IT configuration changes throughout operating systems, database management systems, applications and network devices.
WHITEPAPER
Using Automated, Detailed Configuration and
Change Reporting to Achieve and Maintain PCI
Compliance Part 2
An in-depth look at Payment Card Industry Data Security Standard Requirements 1, 2, 3, 4
Alex Bakman
Chairman and Chief Technology Officer
Ecora Software

Introduction

In 2004, all major bankcards (Visa, MasterCard, Discover, and American Express) adopted a single, unified program as the standard for data security. The new standard, called the Payment Card Industry Data Security Standard or PCI, is intended to protect cardholder data, wherever it resides or is transmitted, and requires that merchants and service providers that store, process, or transmit cardholder data meet specific security requirements.

Ensuring compliance with the PCI standard is important to organizations for a number of reasons, particularly to protect brand reputation and to avoid fines and additional regulatory scrutiny.

Who Must Be In Compliance?

At the most fundamental level, any company that comes into contact with credit card information must be in compliance with the PCI Data Security Standard. There are varying levels of compliance standards, however, with specific requirements for merchants and specific requirements for service providers, as well as distinct compliance levels based on the number of transactions processed annually by the merchant or service provider.

For more introductory information about the Payment Card Industry Data Security Standard, download the Ecora whitepaper: Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain Payment Card Industry Compliance.

Meeting the PCI Data Security Standard Requirements

The Payment Card Industry Data Security Standard establishes twelve requirements that companies must follow to ensure the security of credit card data. These requirements span every aspect of an organization's operation (from business processes to the configuration of the IT infrastructure) and fall into six major control objectives:

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

PCI Data Security Standard Requirements

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored data.
Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.

Scope of Assessment for PCI Compliance

The PCI Data Security Standard requirements apply to all "system components", that is, any network component, server, or application that is included in or connected to the cardholder data environment. This means that even remote employees who have access to cardholder data must be in compliance with PCI. While the...

For merchants required to undergo an annual on-site review, the scope of compliance validation is focused on any system or system components related to authorization and settlement where cardholder data is stored, processed, or transmitted. Service providers required to undergo an annual on-site review must perform compliance validation on all system components where cardholder data is stored, processed, or transmitted, unless otherwise specified.

During a PCI audit, auditors will typically select a large enough sample of firewalls, routers, wireless access points, databases, etc. to validate findings representative of the entire environment. Importantly, the more standardized the environment and the more clearly defined the configuration standards, the smaller the sample.
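As an added illustration (not code from this whitepaper or from the Ecora product) of the automated configuration and change reporting the paper describes, the snippet below compares a constructed firewall configuration snapshot against its approved baseline and checks it against a configuration standard whose rules are tagged with the PCI requirement they support (Requirements 1 and 2). All setting names and values are hypothetical.

```python
# Constructed example (not Ecora's code): compare a device's current
# configuration with its approved baseline and check it against a
# configuration standard tagged with the PCI requirement each rule supports.
# The keys below are hypothetical normalised settings from a firewall.
BASELINE = {
    "admin_password_is_default": "no",
    "snmp_community": "custom-ro-string",
    "rule_10": "permit tcp 10.1.0.0/16 -> 10.2.5.10 443",
    "rule_20": "deny ip any -> any",
}
CURRENT = {
    "admin_password_is_default": "yes",  # drift: vendor default restored
    "snmp_community": "public",          # drift: vendor-default community
    "rule_10": "permit tcp 10.1.0.0/16 -> 10.2.5.10 443",
    "rule_15": "permit ip any -> any",   # drift: new wide-open rule
    "rule_20": "deny ip any -> any",
}
VENDOR_DEFAULT_COMMUNITIES = {"public", "private"}

def diff_config(baseline, current):
    """List (key, old, new) for every setting that changed; None = absent."""
    return [(k, baseline.get(k), current.get(k))
            for k in sorted(set(baseline) | set(current))
            if baseline.get(k) != current.get(k)]

def check_standard(cfg):
    """List (requirement, key, finding) violations of the configuration standard."""
    findings = []
    if cfg.get("admin_password_is_default") != "no":             # Requirement 2
        findings.append(("Req 2", "admin_password_is_default", "vendor-default password"))
    if cfg.get("snmp_community") in VENDOR_DEFAULT_COMMUNITIES:  # Requirement 2
        findings.append(("Req 2", "snmp_community", "vendor-default SNMP community"))
    for key, rule in sorted(cfg.items()):                        # Requirement 1
        if key.startswith("rule_") and rule.startswith("permit") and "any -> any" in rule:
            findings.append(("Req 1", key, "permit any-to-any rule"))
    return findings

def change_report(baseline, current):
    """The two views an auditor samples: what changed, and what is non-compliant."""
    return {"changes": diff_config(baseline, current),
            "violations": check_standard(current)}

if __name__ == "__main__":
    for section, rows in change_report(BASELINE, CURRENT).items():
        print(section, *rows, sep="\n  ")
```

Run against real collectors, the baseline would be the approved configuration standard for each device class, and the report would be generated on a schedule and kept as the evidence an assessor samples.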