OVERVIEW OF THE PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard intended to help organizations that store, manage, transmit, or process payment card information proactively protect customer account data. The PCI DSS was developed by the PCI Security Standards Council, an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The PCI Security Standards Council's mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.
In today's world of ever-expanding use of electronic payments, PCI compliance has become one of the most important issues facing business owners and consumers alike. PCI regulations were developed so that businesses protect their valued customers and prevent identity theft and payment card fraud.
The payment card industry is under intense pressure from banks, service providers and merchants to improve its data security. Regrettably, some players in the IT security industry are spreading fear, uncertainty and doubt, which has led to widespread abuse of the PCI DSS. In reality, the PCI DSS was designed to facilitate the broad adoption of consistent data security measures on a global basis. Inexperience and misinterpretation of PCI requirements, especially with respect to security products, have led to costly mistakes. At GhostWatch we cut through this rhetoric so that our clients can manage risk efficiently and effectively.
While this sector is no stranger to regulation, these challenges have heightened the importance of effective financial and IT risk management for continuing to deliver stable returns and supporting robust governance and compliance processes.
WHAT ARE THE PCI DSS REQUIREMENTS?
The PCI DSS specifies 12 requirements, organized into six logical groups, for compliance:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
HOW CAN GHOSTWATCH HELP?
To address the need for expert guidance, the PCI Security Standards Council has trained and certified GhostWatch as a Qualified Security Assessor (QSA). The QSA is a certification for experienced security consultants that enables them to conduct the On-Site Data Security Assessment for PCI DSS compliance. Individual QSAs must meet specific experience requirements, and train for and pass a QSA exam. QSAs are also required to meet continuing education requirements and to recertify every year by attending additional training from the PCI Security Standards Council and passing the recertification exam.
We approach our clients not simply as an auditor, but rather as a trusted advisor that is proactive in guiding organizations working to achieve PCI compliance. GhostWatch's personnel are trained to clarify the underlying intent of the PCI requirements and to assist organizations in identifying reasonable means of satisfying the PCI DSS without bias towards any security product or vendor. Behind our approach is the knowledge and experience gained from thousands of hours of client interactions and an outstanding reputation for subject matter expertise. Overall, our methodology is designed to ensure our clients manage risk with the most efficient use of internal and external resources.