PCI-DSS is a term used in circles where personal and customer data is stored as a part of the business process. The acronym PCI-DSS abbreviates quite a mouthful: Payment Card Industry Data Security Standard. Developed by the PCI Security Standards Council, it was intended to assist in decreasing fraud in the payments industry. While it is a global standard, it is by no means law here in the United States; each state has its own regulations in regards to cardholder data and associated fines for non-compliance. Compliance is performed by a:
- Qualified security assessor (QSA)
- Internal security assessor (ISA)
- Self-assessment questionnaire (SAQ)
Compliance is of vital importance to any organization that stores cardholder data or personal data, as these items are susceptible to theft and fraud. With the regularity of data breaches and cyber-attacks, being compliant means protecting yourself from the loss of customer trust, revenue, reputation, and customers.
Achieving compliance is an involved process that should be undertaken by an individual in the organization who understands everything involved. At its core, this “standard requires merchants and member service providers (MSPs) involved with storing, processing, or transmitting cardholder data to”:
- Build and maintain a secure IT network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- And maintain an information security policy.
Twelve additional requirements better address what an organization needs to do in order to be compliant:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data. This includes all policies, procedures, and processes used in the storage of data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs. Since new malware is being used all the time for system attacks, protecting systems means regularly updating anti-virus programs to reflect new threats.
- Develop and maintain secure systems and applications. Software updates help to safeguard against latest vulnerabilities.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes. Penetration testing is integral to security; it should be carried out in regular intervals and after changes to the network.
- Maintain a policy that addresses information security for employees and contractors. This policy should be reviewed and updated based on new risks to your organization.