Dec 08, 2009
What are PCI data security standards, what is PCI compliance, and how does all this affect my business?
Payment Card Industry data security standards are a framework that should be adhered to by any organisation taking payments by debit or credit card. If your business relies on some form of eCommerce hosting, both you and your data centre services provider need to be PCI compliant.
Your acquiring bank, that is, the financial organisation that accepts card payments on your behalf, is responsible for monitoring your compliance with the standards. Failure to comply may result in your ability to accept payment by debit and credit cards being partially or completely withdrawn.
The PCI Data Security Standard has twelve requirements which must be implemented and adhered to. Here's a brief summary of the requirements, with some words of explanation. More information is available from https://www.pcisecuritystandards.org/
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Firewalls regulate the data that flows between the outside world and your network. Your hosting service's data centre will need to be soundly firewalled, as will your business.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Make sure that you have changed all default passwords on all hardware.
Requirement 3: Protect stored cardholder data
Do not store sensitive data unless it's absolutely necessary.
Requirement 4: Encrypt transmission of cardholder data across open, public networks
When cardholder information is sent between networks, that data exchange must be encrypted.
Requirement 5: Use and regularly update anti-virus software
All systems commonly affected by malware must be screened. Linux hosting solutions are not vulnerable to virus attack, but should still be screened so that they cannot pass malware on to susceptible devices.
Requirement 6: Develop and maintain secure systems and applications
Every important system should have software patches applied as soon as they appear.
Requirement 7: Restrict access to cardholder data by business need-to-know
Access to sensitive information should be allowed only on a need-to-know basis.
Requirement 8: Assign a unique ID to each person with computer access
This ensures that any action taken can be traced back to a specific individual.
Requirement 9: Restrict physical access to cardholder data
This requires your company to have a physical security policy.
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Take a proactive approach to security, with regular testing.
Requirement 12: Maintain a policy that addresses information security
A solid security policy helps set the tone for the whole company.
