Saturday, April 19, 2008

PCI Compliance - What It Means to an Organization


What is PCI DSS?
The Payment Card Industry (PCI) Data Security Standard (DSS) is a worldwide standard, backed by the major card brands (Visa and MasterCard among them) and administered by the PCI Security Standards Council, for the protection and security of cardholder data.

To whom does it apply?
"Any organization that processes credit card information, including merchants and third-party service providers that store, process or transmit credit card/debit card data."
  • A set of standards and requirements for data security
  • Non-legislative, but enforced by the card brands through fines
PCI DSS - the "Digital Dozen"
Build and Maintain a Secure Network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5: Use and regularly update anti-virus software
6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an Information Security Policy
12: Maintain a policy that addresses information security

To become PCI compliant, the controls have to be classified into buckets
No single technology makes a company PCI compliant. The grouping above shows the broad classification of all 12 requirements into six control objectives; a compliance effort is organised around those buckets rather than around any one product.
Continued in part 2.
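A worked example for Requirement 3 (protect stored cardholder data) and the logging side of Requirement 10, added here as an illustration and not part of the original post. It shows the three ways PCI DSS allows a PAN to be rendered unreadable (display masking to at most the first six and last four digits, truncation, and a one-way hash) and a scrubber that finds Luhn-valid card numbers in log lines before they are written to disk. The helper names (mask_pan, find_pans, scrub_log_line and the rest) are assumed, the log lines are constructed, and the card numbers are the public test PANs 4111111111111111 and 5500000000000004; the keyed HMAC instead of a plain hash is a design choice of this example, not something the post specifies.

```python
"""Added illustration of PCI DSS Requirement 3 controls (not the post's own code).

Helper names are hypothetical; sample data below is constructed.
"""
import hashlib
import hmac
import re

# A candidate PAN is 13-19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate):
    """Strip the separators a human might type between digit groups."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the normalised digit strings in text that pass as card numbers."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Display masking: show at most the first six and last four digits."""
    if len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan):
    """Storage truncation: keep only the last four digits, drop the rest."""
    return pan[-4:]


def hash_pan(pan, key):
    """One-way rendering of the PAN for lookup or de-duplication.

    A keyed HMAC (this example's choice) is used rather than a bare SHA-256:
    with a known six-digit BIN only ~10^9 PANs remain, so an unkeyed hash
    of a PAN is cheap to brute-force.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line):
    """Replace any full PAN in a log line with its masked form (Req. 3 / 10)."""
    def _repl(m):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)   # long digit run that fails Luhn: leave it alone
    return _PAN_CANDIDATE.sub(_repl, line)


# Constructed sample log lines (the PANs are public test numbers).
SAMPLE_LOG = [
    "2008-04-19 10:01:02 order=88213 pan=4111111111111111 amount=10.00",
    "2008-04-19 10:01:05 order=88214 pan=5500 0000 0000 0004 amount=42.50",
    "2008-04-19 10:01:09 order=88215 txn=1234567890123 amount=3.00",
]


def scrub_all(lines):
    """Scrub every line; this is what a log sink would do before writing."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for original, clean in zip(SAMPLE_LOG, scrub_all(SAMPLE_LOG)):
        print(clean)
    print(truncate_pan("4111111111111111"), hash_pan("4111111111111111", b"demo-key")[:16])
```

The third sample line carries a 13-digit transaction id that the regex picks up but the Luhn check rejects, so it is left untouched; that is the usual way to keep false positives down when scanning logs and file shares for stored PANs.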
