Achieving PCI DSS compliance
Protecting your customers’ credit card information
Joel Friedman, CSO, DataPipe
While every organization has unique data security requirements, a chief concern for many is protecting their customers' credit card information. There is good cause for concern. Stolen financial information and identity theft not only create loss of revenue, clients, and partners, but can result in significant fines and open the door to lawsuits and loss of public trust. Safeguarding sensitive data must be addressed proactively, in the initial stages of IT planning, and should be integrated with standard operating procedures at every level of the organization.
A critical first step for any business is to assess whether you are required to be PCI DSS compliant and whether you currently are. PCI DSS is the global payment card industry security requirement for entities that store, process, or transmit cardholder data. Any company that has credit card information entering its servers, even momentarily, is subject to PCI DSS compliance requirements.
Meeting PCI DSS standards begins with an assessment of your current compliance posture. Here is a checklist of core PCI DSS components:
• Cardholder data is encrypted, and CVV2 data is not stored.
• A Web Application Firewall or code review is employed to protect against known attacks.
• DMZ and database servers are segregated, with no direct access to the database server from the Internet.
• Employees are required to use two-factor authentication to access remote IT resources.
• Company conducts log review (manual, or automated in real time) with proper retention of those logs.
• File integrity monitoring has been implemented to alert if any critical system settings or files are altered without authorization.
• Company follows the four change control procedures outlined by the PCI DSS specification.
• Company has implemented patch management to ensure patches are applied within the required 30 days.
• Comprehensive policies and procedures that adhere to section 12 of the PCI DSS are in place.
• Company is utilizing intrusion detection, vulnerability assessment and antimalware controls.
• Penetration testing is conducted regularly.
• In-house IT facilities meet PCI DSS physical security requirements, including 90 days of video retention in data centers.*
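The first and fifth checklist items (no unencrypted cardholder data or CVV2 at rest, and log review) are easy to state but hard to verify by eye. The following is an added example, not part of the original article or any DataPipe tooling: a small Python scanner that walks constructed log lines, uses a Luhn checksum to tell real primary account numbers from other long digit strings, masks any PAN it finds to the first six and last four digits, and flags a stored CVV2 field. The log lines, field names (`pan=`, `cvv2=`) and regular expressions are assumptions for illustration.

```python
import re

# Constructed sample log lines standing in for application logs (not real data).
SAMPLE_LOG_LINES = [
    '2024-01-01T10:00:00Z order=1001 pan=4111111111111111 cvv2=123 amount=19.99',
    '2024-01-01T10:00:05Z order=1002 pan=411111******1111 amount=5.00',
    '2024-01-01T10:00:09Z order=1003 ref=1234567890123456 amount=7.50',
]

# 13 to 19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
_PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# Assumed field name for a card verification value that must never be stored.
_CVV_RE = re.compile(r'\bcvv2?\s*=\s*\d{3,4}\b', re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (sanitized_line, findings) for one log line."""
    findings = []

    def _mask_match(m):
        digits = re.sub(r'[ -]', '', m.group(0))
        if luhn_valid(digits):          # order ids and references usually fail Luhn
            findings.append('unmasked PAN')
            return mask_pan(digits)
        return m.group(0)

    sanitized = _PAN_RE.sub(_mask_match, line)
    if _CVV_RE.search(sanitized):
        findings.append('CVV2 stored')
        sanitized = _CVV_RE.sub('cvv2=[REDACTED]', sanitized)
    return sanitized, findings


def scan_lines(lines):
    """Scan many lines; return [(line_number, findings)] for lines with problems."""
    return [(n, scan_line(l)[1]) for n, l in enumerate(lines, 1) if scan_line(l)[1]]
```

Run `scan_lines(SAMPLE_LOG_LINES)` to see that only the first constructed line is reported; the already-masked PAN and the non-Luhn reference number are left alone.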
After assessing your company against these criteria, you may need to turn to a PCI DSS services provider. When chosen carefully, the right provider will give you maximum value for your investment, as you rely on their expertise and experience to guide you toward full PCI DSS compliance.
Ultimately, achieving PCI DSS compliance assures a vital aspect of data security and signals your customers and stakeholders that you are a trustworthy partner.
*Please note: This is not a comprehensive summary of the controls PCI DSS requires. Please refer to the standard located at http://www.pcisecuritystandards.org.