Visa, MasterCard, American Express, Diners Club, Discover, and JCB collaborated to create a new set of standards based on CISP (Cardholder Information Security Policy), known as the Payment Card Industry Data Security Standard (PCI). All merchants and service providers that handle, transmit, store, or process information concerning any of these cards, or related card data, are required to be compliant with PCI or face contract penalties or even termination by the credit card issuers.
The primary purpose of this standard is to protect credit card data by reducing fraud and theft. The PCI standard seeks to accomplish this through a "defense-in-depth" strategy. There are six primary areas covered by PCI, divided into 12 requirements:
Build and maintain a secure network
1. Install and maintain firewall configurations
2. Do not use vendor-supplied or default passwords

Protect cardholder data
3. Protect stored data
4. Encrypt transmissions of cardholder data across public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to "need-to-know"
8. Assign unique IDs to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Monitor and track all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security
Who is impacted?
Most industry standards are specified only for a group of companies or individuals. PCI expands the impact to include a wide variety of computer systems as well. The types of companies that are impacted include all members, merchants, and service providers that store, process, or transmit cardholder data. Additionally, these security requirements apply to all "system components" (i.e., any network component, server, or application included in, or connected to, the cardholder data environment):
- Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances
- Servers include, but are not limited to, Web, database, authentication, DNS, mail, proxy, and NTP
- Applications include all purchased and custom applications, including internal and external (Web) applications
Secure Computing for basic PCI compliance
Secure Computing's extensive portfolio provides strong solutions for the following requirements:

Requirement 1: Install and maintain firewall configurations
Secure Computing's award-winning firewalls are delivered out of the box with the strongest configuration settings available.

Requirement 4: Encrypt transmissions of cardholder data across public networks
Secure Computing's Messaging Encryption and Web encryption capabilities ensure that cardholder data is always protected over email, IM, FTP, P2P, HTTP, and HTTPS protocols.

Requirement 5: Use and regularly update anti-virus software
Anti-virus software is built into all of Secure Computing's Gateway products and is automatically updated for the user.

Requirement 6: Develop and maintain secure systems and applications
Secure Computing's hardened operating systems are impervious to attacks and provide the strongest protection available for every file, directory, and application.

Requirement 7: Restrict access to "need-to-know"
Secure Computing's Identity and Access solutions provide integrated access controls that can be deployed within hours.

Requirement 8: Assign unique IDs to each person with computer access
Secure Computing provides strong two-factor authentication in a token that doesn't expire and never needs to be reissued.

Requirement 10: Monitor and track all access to network resources and cardholder data
Secure Computing provides extensive reporting and forensic tracking tools.

Requirement 11: Regularly test security systems and processes
Secure Computing's network intrusion detection and prevention systems ensure that hackers are kept in the dark.

Requirement 12: Maintain a policy that addresses information security
Secure Computing provides out-of-the-box policy templates that can jump-start an enterprise's policy development.
Conclusion
PCI is probably the most comprehensive standard developed to date. The credit card companies are serious about proving to the world that consumer information is safe in their hands. Demonstrating compliance with PCI is about following best practices, which is in the enterprise's best interests as well as the consumer's. Secure Computing's extensive portfolio of best-in-breed network, Web, and message gateway security appliances, as well as its award-winning identity and access solutions, provides a cohesive approach to achieving and demonstrating compliance with PCI and any other government, industry, and/or corporate regulations facing today's enterprises.