Tuesday, March 04, 2008 4:06 PM
by
richlyc
Guide to Payment Card Industry (PCI) Compliance
PCI compliance is a much talked about item in the commerce space, and it also seems to be a point of confusion for a lot of people, depending on how familiar they are with the subject.
A Quick Background
First things first: over the last few years retailers, banks, service providers, and card brands have put a lot of effort into protecting cardholders and instilling confidence in online retail. The PCI standard grew out of the brands' separate programs: MasterCard's Site Data Protection (SDP) program and Visa's Cardholder Information Security Program (CISP) and Account Information Security (AIS) program. Version 1.0 of the combined standard appeared in December 2004, and in September 2006 the five major brands, American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International, formed the PCI Security Standards Council and released version 1.1 of the PCI Data Security Standard (PCI DSS).
The PCI Standard
The standard is widely known and is organized around six control objectives, with 12 requirements spread across them (each requirement breaks down into detailed sub-requirements and testing procedures).
Here they are:
- Build and Maintain a Secure Network
  - 1. Install and maintain a firewall configuration to protect cardholder data
  - 2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
  - 3. Protect stored cardholder data
  - 4. Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
  - 5. Use and regularly update anti-virus software
  - 6. Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
  - 7. Restrict access to cardholder data by business need-to-know
  - 8. Assign a unique ID to each person with computer access
  - 9. Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
  - 10. Track and monitor all access to network resources and cardholder data
  - 11. Regularly test security systems and processes
- Maintain an Information Security Policy
  - 12. Maintain a policy that addresses information security
Is Your Product Compliant?
Wrong Question!
Our ECF commerce framework is an application that enables compliance and fits into the overall compliance strategy your company follows. PCI DSS applies to the organization that stores, processes, or transmits cardholder data, not to a software product in isolation. Out of the box, ECF protects stored cardholder data and encrypts cardholder data where the standard calls for it. But if you decide to implement ECF differently and depart from the standard (say, by logging full card numbers or keeping the card verification code after authorization), then guess what? You have violated part of the PCI standard. It is that simple: the strategy, and the responsibility for adhering to PCI DSS, are yours.
People call and ask us whether we are compliant, and we always have to explain that compliance is a matter of the organization adhering to the standard, which is clearly laid out.
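To make Requirement 3 concrete, here is an added example (not ECF code and not from the original post) of how a checkout component might reduce a card record to what the standard allows to be persisted after authorization: it refuses sensitive authentication data (PCI DSS 3.2: full track data, card verification codes, PIN blocks), keeps a display form masked to at most the first six and last four digits (3.3), and stores the PAN only as a keyed one-way hash, which is one of the options 3.4 lists for rendering the PAN unreadable. The HMAC key, the field names, and the sample card data are constructed for the example.

```python
"""Illustration of PCI DSS Requirement 3 controls on a stored card record.

Added example for this post, not part of any commerce framework. Field rules
follow PCI DSS: do not store sensitive authentication data after authorization
(3.2), mask the PAN when displayed to at most first six / last four (3.3), and
render the stored PAN unreadable (3.4). The key below is a placeholder.
"""
import hashlib
import hmac
import re

# Constructed placeholder. In production the key lives in a key-management
# system and is rotated; PCI DSS 3.5 and 3.6 cover key protection and rotation.
HMAC_KEY = b"example-only-key-not-for-production"

# Field names are assumed for the example; they cover the 3.2 data elements
# (full track, CAV2/CVC2/CVV2/CID, PIN and PIN block).
SENSITIVE_AUTH_FIELDS = {
    "track1", "track2", "cvv", "cvc", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block",
}


def luhn_valid(pan: str) -> bool:
    """True if the digit string is 13-19 digits and passes the Luhn check."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form per 3.3: first six and last four kept, the rest replaced by X."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str) -> str:
    """Keyed one-way hash of the PAN (a 3.4 option).

    An unkeyed hash is not enough: the first six digits (the BIN) are public and
    the last digit is a Luhn checksum, so a 16-digit PAN has only about 10^9
    unknowns and can be brute-forced offline. The key makes that infeasible
    without also stealing the key.
    """
    return hmac.new(HMAC_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


def build_storage_record(form: dict) -> dict:
    """Reduce a raw checkout form to the fields that may be persisted post-auth.

    Raises ValueError if any sensitive authentication data is present, so a bug
    elsewhere cannot quietly start storing CVV2 or track data.
    """
    present = SENSITIVE_AUTH_FIELDS & {k.lower() for k in form}
    if present:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(present)}")
    pan = re.sub(r"[ -]", "", form["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN fails length or Luhn check")
    return {
        "pan_masked": mask_pan(pan),       # for receipts and support screens
        "pan_token": pan_token(pan),       # for matching repeat customers
        "expiry": form["expiry"],
        "cardholder_name": form["cardholder_name"],
    }


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test PAN.
    raw = {"pan": "4111 1111 1111 1111", "expiry": "12/09",
           "cardholder_name": "J. Doe", "cvv2": "123"}
    try:
        build_storage_record(raw)          # still carries the CVV2: rejected
    except ValueError as e:
        print("rejected:", e)
    del raw["cvv2"]                        # authorization done, drop the SAD
    print(build_storage_record(raw))
```

The point to take from this is that the hard part of Requirement 3 is not the hashing call; it is deciding, field by field, what your application is allowed to keep, and then enforcing that at the one place records are written so nothing else in the code base can drift.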
The Correct Question: How are we going to ensure that we are fully PCI compliant as an organization?
It Can't Be That Simple?
It's not. Like everything in life, if you want to do it right you have to think it through and make sure every part of the standard is met. In addition, the card brands define merchant and service provider levels, based on transaction volume, that determine how you validate: an annual on-site assessment by a Qualified Security Assessor or an annual Self-Assessment Questionnaire, plus quarterly external network scans by an Approved Scanning Vendor (the quarterly scan itself is Requirement 11.2).
OK, I Get It. How Do I Find Out More?
There are all sorts of sources on this subject, and a lot of companies specialize in helping your organization hit the mark. One company we like is Qualys, who have a strong background in this and related areas. If you want a good starting point, head on over to http://www.qualys.com/products/pci/qgpci/.
They also have a great whitepaper you can register and download called "Winning the PCI Compliance Battle," located at http://www.qualys.com/events/guides_wp/.
Go get 'em!