PCI Compliance, the basics:
Being a network engineer for a company definitely has its ups and downs. My last job that I had was very heavily involved in a topic called PCI Compliance. Essentially, any merchant who accepts a consumer’s credit card information should adhere to these 12 specific “rules”. This standard was brought about by the major credit card companies to try and get a general rule by which to protect consumer credit card data. The 12 points of the PCI DSS (Payment Card Industry Data Security Standard) are as follows:
1. Protect all data through the implementation of a Firewall on the network where the data is.
2. Do not use ANY default passwords that come on any network devices
Protect Cardholder Data:
3. Protect all cardholder data
4. Encrypt the transmission of all data that goes over public networks
Maintain a vulnerability program:
5. Use and regularly update an anti-virus software program on all machines that have cardholder data.
6. Develop and maintain secure systems and applications
Implement strong access control measures:
7. Restrict access to the data by using file protection to specific people who “need to know”
8. Every person who has a login to a system with data must have a unique “login”
9. Physical access to the data must be restricted to people who “need to know”
Regularly monitor and test network:
10. Track and monitor all access to the systems that have the cardholder data
11. Regularly test the security of the network
Maintain an Information Systems Security policy.
12. Maintain a policy that will address all aspects of the network in regards to protecting cardholder data.
In the next article we will expand upon this subject by talking about the importance of this standard and how it can affect businesses who do not take the necessary precautions.