Our last two articles have focused on compliance. Last time we looked at HIPAA and the ramifications of that bill on healthcare providers and business associates. Today the spotlight will fall on the Payment Card Industry Data Security Standard (PCI-DSS). Following a who, what, how approach, this article presents the characteristics of entities that would benefit from or are required to follow the PCI-DSS standards. It then addresses what the PCI-DSS requirements are and concludes by describing how the compliance process works.
PCI-DSS applies to a wide range of corporations and companies that deal with credit card transactions and it can be a useful tool for other organizations as well. The PCI-DSS specification was created by credit card companies such as Discover, American Express, Visa, and MasterCard to protect the individual from credit card fraud and identity theft through standardization of security controls surrounding the protection of credit card information. Similar to ISO standards, PCI-DSS is not a government regulation full of fines for non-compliance. Rather, the standard thrives under positive reinforcement by allowing companies to demonstrate that they have achieved a level of information assurance suitable to protect customer credit card information. However, it should be mentioned that there can be fines if an organization has a loss of credit card information and they are not PCI-DSS compliant.
Compliance is recommended for all companies that process, store or transmit credit card data. Some ask why they should expend the time and resources to become compliant if the process is voluntary. Firstly, PCI-DSS compliance can give customers more confidence in your ability to protect their data. Second, a company that is compliant with PCI-DSS will be better equipped to comply with other regulations and standards such as HIPAA, COBIT, or ITIL since many of the requirements overlap. Thirdly, the recommendations in PCI-DSS are reasonable and practical for many companies who take information security seriously and they can bring significant benefit to the organization’s ability to safeguard systems and data.
The PCI-DSS requirements are comprised of six categories called control objectives.
|Build and Maintain a Secure Network||1. Install and maintain a firewall configuration to protect cardholder data|
|2. Do not use vendor-supplied defaults for system passwords and other security parameters|
|Protect Cardholder Data||3. Protect stored cardholder data|
|4. Encrypt transmission of cardholder data across open, public networks|
|Maintain a Vulnerability Management Program||5. Use and regularly update anti-virus software on all systems commonly affected by malware|
|6. Develop and maintain secure systems and applications|
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need-to-know|
|8. Assign a unique ID to each person with computer access|
|9. Restrict physical access to cardholder data|
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data|
|11. Regularly test security systems and processes|
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security|
Excerpt from the PCI-DSS 1.2 standard
How does one become certified?
For many companies, the compliance process is a somewhat ambiguous and what little is known of the process is often representative of the outliers rather than the norm. Compliance seminars and information security speakers often talk of the penalties for non-compliance or the immense costs of compliance initiatives and this can make the activity seem quite frightening. However, the PCI-DSS process is relatively straight-forward.
After implementing controls to satisfy the objectives above, a company then must complete periodical reports outlining their compliance with PCI-DSS. Small companies can complete a self-assessment and then pass a vulnerability scan performed by an approved scanning vendor. Larger companies go through an audit by qualified security assessors. An annual audit is required to maintain your PCI-DSS standing.
Where to next?
This entry regarding PCI-DSS covered who needs to comply with it, what is required, and how the process works. As you can see, the process is not as complex as some believe and organizations can improve the security of handling credit card information and provide an increased level of assurance to customers that their credit card information is being protected. Seriously consider the PCI-DSS control objectives if you handle credit cards and contact a professional to learn how to most effectively implement PCI-DSS in your organization.
For more information