PCI Compliance Combats Fraud and Improves Security
In most cases, when a customer clicks the “buy” button on a web site, a number of things happen on the backend. An application server connects to a database, multiple records are updated and sometimes a connection to a separate payment application is initiated. All of those activities generate log files in various places: on the servers, applications and databases as well as on network and security infrastructure components. At the same time, attackers know that there may be vulnerabilities in these processes and technologies that leave data unprotected. Internal threats such as insider misuse are of even greater concern here, since no perimeter defense stands between such an attacker and the data.
According to a recent FBI survey, financial fraud is the second-largest category of hacking incidents on the Internet today. Similarly, Gartner estimates that 20-30% of Global 1000 companies suffer losses due to mismanagement of private and confidential information. The cost of recovering from such mistakes can reach $5-20 million per company, as it has in several recent cases affecting both commercial and government entities. Brand damage from waning consumer trust comes on top of that.
PCI Requirements Center on Security and Authorized Access
By complying with PCI, merchants and service providers not only meet their obligations to the payment system but also create a culture of security that benefits everyone, up to and including top executives. The PCI security requirements extend to all system components that are connected to the cardholder data environment:
- Network components: firewalls, switches, routers, intrusion prevention and detection systems, proxies and content filters, wireless access points as well as other network and security appliances.
- Servers: web, database, authentication, domain name service (DNS), mail, network time protocol (NTP), directory and others.
- Applications: all purchased and custom apps, internally and externally facing web applications, Intranet applications, etc.
PCI requirements revolve around the following goals:
- Build and maintain a secure network
- Protect cardholder data in transit and at rest
- Maintain a vulnerability management program
- Implement strong access control measures and audit them on a regular basis
- Continuously monitor networks and systems
- Maintain an information security policy
- Maintain audit trails of all of the above activities
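The purchase flow described at the top of this page leaves a footprint in several logs, and the last goal above asks that those audit trails be kept. The following Python, added here as an illustration and not code from the original article or from any product, shows why the trails have to be correlated rather than merely stored: constructed log lines from the application server, the database audit log and the payment application (hypothetical formats) are joined on the order id, and any access to the cardholder table that has no matching application-tier transaction, the shape of the insider misuse the opening paragraph warns about, is reported along with payment requests that never received an approval. The log formats, host names, table name, field names and the five-minute window are all assumptions made for the example.

```python
"""Cross-source audit-trail correlation for a card purchase flow.

Added illustration, not code from the original article.  The three log
formats below are hypothetical and constructed for this example; real
products differ.  One purchase should leave a matching footprint on the
application server, in the database audit log and at the payment
application.  Access to cardholder data in the database with no matching
application-tier transaction is what an insider working around the
application looks like, and it is only visible once the sources are joined.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not captured from any real system).
APP_LOG = """\
2009-03-02T10:15:01Z app01 checkout order=A1001 user=alice action=submit
2009-03-02T10:15:02Z app01 checkout order=A1001 user=alice action=payment_request
2009-03-02T10:20:11Z app01 checkout order=A1002 user=bob action=submit
2009-03-02T10:20:12Z app01 checkout order=A1002 user=bob action=payment_request
"""
DB_AUDIT_LOG = """\
2009-03-02T10:15:02Z db01 UPDATE cardholder order=A1001 dbuser=app_svc client=app01
2009-03-02T10:20:12Z db01 UPDATE cardholder order=A1002 dbuser=app_svc client=app01
2009-03-02T11:42:30Z db01 UPDATE cardholder order=A1002 dbuser=jdoe client=workstation17
2009-03-02T11:43:05Z db01 SELECT cardholder order=A0999 dbuser=jdoe client=workstation17
"""
PAYMENT_LOG = """\
2009-03-02T10:15:03Z pay01 AUTH order=A1001 result=approved
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn one log source into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tokens = m["rest"].split()
        ev = dict(KV_RE.findall(m["rest"]))
        ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["host"] = m["host"]
        ev["verb"] = tokens[0]
        # The second token names the object (e.g. a table) when it is not a key=value pair.
        ev["object"] = tokens[1] if len(tokens) > 1 and "=" not in tokens[1] else None
        events.append(ev)
    return events


def correlate(app_log, db_log, pay_log, window=timedelta(minutes=5)):
    """Join the three sources on the order id and report what does not line up."""
    app_times = defaultdict(list)
    for ev in parse(app_log):
        if "order" in ev:
            app_times[ev["order"]].append(ev["ts"])
    approved = {ev["order"] for ev in parse(pay_log)
                if ev["verb"] == "AUTH" and ev.get("result") == "approved"}

    findings = []
    # Rule 1: every database access to the cardholder table must be explained by an
    # application-tier transaction for the same order within the window.
    for ev in parse(db_log):
        if ev["object"] != "cardholder" or "order" not in ev:
            continue
        explained = any(abs(ev["ts"] - t) <= window for t in app_times.get(ev["order"], []))
        if not explained:
            findings.append({"rule": "db_access_without_app_transaction",
                             "order": ev["order"], "dbuser": ev.get("dbuser"),
                             "client": ev.get("client"), "verb": ev["verb"]})
    # Rule 2: every payment request the application logged must have a matching
    # approved authorization recorded by the payment application.
    for ev in parse(app_log):
        if ev.get("action") == "payment_request" and ev["order"] not in approved:
            findings.append({"rule": "payment_request_unconfirmed",
                             "order": ev["order"], "user": ev.get("user")})
    return findings


if __name__ == "__main__":
    for finding in correlate(APP_LOG, DB_AUDIT_LOG, PAYMENT_LOG):
        print(finding)
```

Run against the constructed logs, the two accesses by `jdoe` from `workstation17` are reported because no checkout for those orders happened anywhere near them, while the identical-looking updates made through the application service account pass; order A1002 is also reported because its payment request never produced an approval. Any one of the three logs read alone would show nothing unusual, which is the point of keeping and correlating all of them.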