Introduction to PCI Compliance:
The Payment Card Industry (PCI) Data Security Standard (referred to hereafter as "PCI") represents a collaboration between the leading credit card institutions, including, among others, Visa, MasterCard, American Express and Discover. This standard was jointly created in order to ensure consistency of security standards across these card issuers, and to assure cardholders that their account information is secure, regardless of where the card is used for payment. As part of this effort, the Cardholder Information Security Program (CISP) was created in order to monitor compliance with this standard.
The standard was formally adopted in December 2004, with initial compliance required by June 2005. Although there are financial penalties that can be levied against any vendor or service provider who does not comply with these regulations, the most important penalty is the denial of the ability of the merchant to accept or process credit card transactions. Such a penalty could easily destroy their business.
Summary of the PCI Requirements
The PCI standard does not mandate specific technology or products. Rather, it defines industry best practices for how credit card information should be handled, communicated and stored in order to reduce the probability of unauthorized access to that information. Many of the requirements of PCI relate to strengthening the security perimeter: ensuring that the "bad guys" don't get access to any internal systems or data that contain cardholder information. However, a number of recent events, such as the CardSystems scandal, illustrate that it is often the insider who is the cause of a major security breach. Therefore, the PCI standard includes a number of requirements whose sole purpose is to limit the access of employees of the vendor or services organization to full customer credit card information. The number of employees who are permitted to see the full credit card number, for example, is strictly limited to those individuals who clearly "need to know" this information.
There are six major categories of PCI compliance requirements in the standard, each of which has a small number of major requirements. These requirements are further delineated into a large set of specific statements defining what is required for compliance with each major requirement.
This paper will describe ways in which CA security solutions can be used to help ensure compliance with these relevant major categories.
The CA Security Solution: An Introduction
Security is a significant component of today's IT infrastructures. In a dynamic computing environment with a variety of assets that need protection, as well as a large and diverse user population, it is critical to ensure:
- Protection of critical assets from malicious code, such as viruses, worms, keyloggers and rootkits, as well as malware such as spyware and spam
- Proactive risk mitigation by reducing system vulnerabilities
- Centralized enforcement of access policies for protection of hosts, applications and data
- Automated provisioning and maintenance of digital identities
- Integrated solutions with centralized control of the extended security infrastructure
- Centralized auditing and reporting to enable effective regulatory compliance
CA leads the industry by providing an integrated set of security management solutions:
- Identity and Access Management (IAM) to effectively manage your users and their access
- Security Information Management to improve and automate the process of security event analysis
- Integrated Threat Management to combat the complexity of today's threats
This integrated platform helps you determine and control who has access to your critical corporate resources, determine what is happening in your environment, and combat major categories of online threats. In this way, it can help you achieve operational efficiencies and regulatory compliance, as well as contain costs, mitigate risk and ensure continuous business operations.
The following graphic illustrates the three areas of CA security solutions, and a list of the functional capabilities provided by these solutions:
Achieving PCI Compliance
PCI compliance involves a variety of requirements, all of which are focused on different areas of establishing a secure environment for the communication and handling of private cardholder information. Some of these requirements are purely process-related, but most can be either achieved or aided through the use of technology in addition to improved security processes.