What is it? The PCI Data Security Standard is a common approach to safeguarding sensitive data initiated by Visa and MasterCard and now adopted by the major card brands.
Who does it apply to? The Payment Card Industry (PCI) Data Security Requirements apply to all merchants and service providers that store, process or transmit cardholder data.
How is it assessed? Compliance is validated annually by on-site assessment audits (or self-assessment for smaller merchants & payment processors) and additionally by network scans.
Why be compliant and how to achieve it?
Compliance may protect your organisation against potentially very large fines if your cardholder data environment is compromised. Complying with the PCI standard is achievable through a straightforward pre-compliance check and remediation process before your audit or assessment.
Requirements?
What does the standard require merchants and payment processors to do?
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Regularly test security systems and processes
- Maintain an Information Security Policy
What's included?
Which components must comply with the standard?
The PCI security requirements apply to any network component, server, or application included in, or connected to, the cardholder data environment.
Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include web, database, authentication, DNS, mail, proxy, and NTP servers. Applications include all purchased and custom applications, including internal and external (web) applications.
Pre-compliance Assessment
PRE-COMPLIANCE HEALTH-CHECK SERVICE
To successfully pass a PCI DSS assessment, it is strongly recommended that you first determine the gap between your existing security posture and the posture demanded by PCI DSS.
A Pre-Compliance Health Check service by one of the UK's leading PCI auditors offers an expert analysis of your current compliance status. By identifying and prioritising areas requiring remediation, it culminates in a gap analysis that provides a starting point from which to work towards full compliance.
Section 10: Log Management
Event Log Management for PCI-DSS
Collection of event log data to track access to cardholder data is a key element of the PCI-DSS standard (section 10). This requires implementation of an enterprise-class event log management system.
Ancoris recommends the deployment of either ArcSight Express or ArcSight Logger, LogLogic or NetIQ Security Manager.