Volume 5 | August 6, 2008
What is the PCI DSS?
PCI DSS stands for the Payment Card Industry Data Security Standard. It is a set of security standards developed by the credit card companies, including Mastercard, Visa and American Express, to protect sensitive data related to credit cards and credit card transactions.
Who is affected by the PCI DSS?
Any organization that transmits, stores, or processes credit card information is required to comply with the PCI DSS. This includes merchants and service providers.
What is required by the PCI DSS?
The PCI DSS includes specific security requirements which are organized under 6 broad security objectives:
Objective 1: Build and Maintain a Secure Network
Objective 2: Protect Cardholder Data
Objective 3: Maintain a Vulnerability Management Program
Objective 4: Implement Strong Access Control Measures
Objective 5: Regularly Monitor and Test Networks
Objective 6: Maintain an Information Security Policy
What do I have to do?
Every organization that transmits, stores, or processes credit card information is required to comply with the PCI DSS. However, the extent to which you are required to report on your compliance depends on the volume of card transactions you handle. If you are Level 1 (high volume, millions of transactions), you need a full PCI audit to validate compliance. If you are Level 4 (low volume, just a few transactions), completing the PCI self-assessment questionnaire is usually enough.
Does PCI have teeth?
Yes, there are fines and penalties for non-compliance, in addition to the possible revocation of the right to process credit card transactions.
Are there any deadlines?
Most of the PCI compliance deadlines have already passed, although the card brands are still in the process of notifying their customers about compliance. You may hear from one of the brands that you need to be in compliance, or, if your relationship is with a payment processor rather than directly with a card brand, the notification may come from your processor.
What is the typical compliance process?
Most organizations are not in compliance with the PCI DSS before doing a PCI audit, so the typical life cycle of compliance involves 3 steps:
1. A gap analysis between what you are doing today and full PCI compliance.
2. Fix any security issues the gap analysis identifies.
3. Self-assessment or third-party audit (depending on your level) to validate compliance.
The Big Gotchas
The biggest cost by far is upgrading your security program to be PCI compliant. So from a cost and compliance perspective, two important considerations are:
Network Segmentation: Many of the PCI DSS requirements only apply to the portions of your network that transmit, store, or process credit card information. Segmenting your network so that these functions are isolated greatly simplifies the compliance process.
Objectivity of Audit Process: Because the biggest compliance expense by far is remediation (buying and implementing IT solutions can cost 10 times as much as an audit), it is very important to understand the relationship (and profit motive) between the party doing your PCI audit and the party doing your remediation.
For More Information:
View Redspin PCI FAQ
View PCI Website