Leading Edge Practices

Every month, ITAudit will provide information on existing IT frameworks, legislation, best practices, and industry-specific regulations and standards to enhance auditors' knowledge in these areas.

The Payment Card Industry Data Security Standard

Endorsed by American Express, Discover Card, JCB International, MasterCard, and Visa, the Payment Card Industry (PCI) Data Security Standard (DSS) requires all merchants and service providers around the world that store, process, or transmit cardholder data to adopt security controls that protect the confidentiality and integrity of that data.

To validate compliance with the standard, which was first released in December 2004, merchants and service providers (not only online retailers) must meet 12 requirements. Compliance is validated annually, by an on-site assessment or a self-assessment questionnaire depending on the organization's transaction volume, and supplemented by quarterly network vulnerability scans. The 12 requirements are:

  • Installing and maintaining a firewall to protect data.
  • Not using vendor defaults for system passwords and other security parameters.
  • Protecting stored cardholder data, for example by developing a data retention and disposal policy and by rendering stored account numbers unreadable.
  • Encrypting transmission of cardholder data and sensitive information across public networks.
  • Using and regularly updating antivirus software.
  • Developing and maintaining secure systems and applications.
  • Restricting access to data on a need-to-know basis.
  • Assigning a unique identifier (ID) to each person with computer access, so that actions on systems and data can be traced to an individual.
  • Restricting physical access to cardholder data.
  • Tracking and monitoring access to network resources and cardholder data.
  • Testing security systems and processes regularly.
  • Maintaining a policy that addresses information security.

Although the PCI standard applies only to merchants and service providers that store, process, or transmit cardholder data, the security practices it outlines can be adopted by any organization that wishes to strengthen its existing data controls. For instance, the standard requires quarterly vulnerability scans of externally facing systems to validate the security of the network perimeter, a practice that is equally valuable to organizations that never handle card data.

PCI RESOURCES

For more information about the standard, auditors can visit: