While some of the PCI requirements may be open to interpretation, it is also true that the PCI DSS standard is one of the most robust and clear when compared to other compliance regulations such as Sarbanes-Oxley. PCI is not only the least ambiguous of the lot but it is also the only standard that has gained universal approval.
What is the PCI standard?
The PCI standard is not rocket science, nor does it introduce any new, alien concepts that systems administrators must adopt; on the contrary, it is an enforcement of practices that should already be in force on all corporate networks. Although PCI DSS was developed with the protection of cardholder data in mind, more than 98% of the requirements apply to any company that needs to secure its network and its data.
In essence, PCI DSS comprises 12 distinct requirements that are designed to 1) build and maintain a secure network, 2) protect (cardholder) data in transit or at rest, 3) maintain a vulnerability management program, 4) implement strong access control measures, 5) regularly monitor and test your IT infrastructure and, finally, 6) maintain an information security policy. The list below shows a breakdown of each category and what companies need to do to become compliant.
The PCI DSS requirements
Often referred to as the ‘digital dozen’, these define the need to:
Build and maintain a secure network
1: Install and maintain a firewall configuration to protect cardholder data
2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3: Protect stored cardholder data
4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5: Use and regularly update anti-virus software or programs
6: Develop and maintain secure systems and applications
Implement strong access control measures
7: Restrict access to cardholder data by business need-to-know
8: Assign a unique ID to each person with computer access
9: Restrict physical access to cardholder data
Regularly monitor and test networks
10: Track and monitor all access to network resources and cardholder data
11: Regularly test security systems and processes
Maintain an information security policy
12: Maintain a policy that addresses information security for employees and contractors