PCI DSS Consulting

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard imposed by the major card brands (e.g. Visa, Mastercard, American Express) on organizations that store, process or transmit cardholder data. The following is a list of the 12 PCI DSS requirements:


  • (1) “Install and maintain a firewall configuration to protect cardholder data.” Your organization should focus on hardening its network and controlling inbound and outbound traffic between the cardholder data environment and untrusted networks.

  • (2) “Do not use vendor-supplied defaults for system passwords and other security parameters.” Most organizations focus on hardening their operating systems, but this requirement applies to every asset in the environment: network devices, point-of-sale terminals, databases, and applications included.

  • (3) “Protect stored cardholder data.” This requirement covers cardholder data at rest: limiting what is stored and for how long, never storing sensitive authentication data (full track data, card verification codes, PINs) after authorization, and rendering the stored PAN unreadable by encryption, truncation, hashing or tokenization wherever it is kept.

  • (4) “Encrypt transmission of cardholder data across open, public networks.” If you transmit cardholder data over open or public networks, that data must be protected with strong cryptography in transit (for example a current TLS configuration), and never sent over unprotected channels such as e-mail or instant messaging.

  • (5) “Protect all systems against malware and regularly update anti-virus software or programs.” Do not focus on anti-virus alone; this requirement covers all anti-malware controls, and it expects them to be kept current, actively running, and not disabled by users.

  • (6) “Develop and maintain secure systems and applications.” There is more to this requirement than securing applications. It covers identifying vulnerabilities, patching systems, change management and change control, and secure software development practices.

  • (7) “Restrict access to cardholder data by business need-to-know.” Requirement 7 goes hand in hand with Requirement 8; it focuses on authorization (who is permitted to access what).

  • (8) “Identify and authenticate access to system components.” Requirement 8 focuses on authentication: unique user IDs, credential management, and multi-factor authentication for access into the cardholder data environment.

  • (9) “Restrict physical access to cardholder data.” An attacker with physical access to your assets can usually bypass the logical controls protecting the data on them.

  • (10) “Track and monitor all access to network resources and cardholder data.” This requirement is about logging: generating audit trails, protecting them from tampering, reviewing them, and retaining them.

  • (11) “Regularly test security systems and processes.” Your organization must test for vulnerabilities on a recurring basis (vulnerability scanning and penetration testing) and manage the security of its environment so that its assets remain protected.

  • (12) “Maintain a policy that addresses information security for all personnel.” This requirement addresses the organization's policy and procedure management, security awareness, incident response planning, and management of third-party service providers.
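As an added example for Requirement 3 (this is not part of the original page and not Array Cyber Consulting's tooling), the Python below shows two of the accepted ways to render a stored PAN unreadable: masking to the first six and last four digits for display, and a keyed one-way token for lookups, with a Luhn check so malformed input is rejected before anything is persisted. The sample numbers are constructed industry test PANs, and `LOOKUP_KEY` is a placeholder; in a real deployment the key lives in a key manager or HSM, never in source.

```python
import hashlib
import hmac
import re

# Constructed sample input for this example: standard test card numbers (they pass
# the Luhn check but are not real accounts), plus one with a bad check digit.
SAMPLE_PANS = ["4111111111111111", "5555 5555 5555 4444", "4111-1111-1111-1112"]

# Hypothetical lookup key. Assumption for the example only: in production this key
# is generated and held in a key manager or HSM and is never hard-coded.
LOOKUP_KEY = bytes.fromhex("a3" * 32)


def normalize_pan(pan):
    """Strip spaces and dashes; a PAN is 13 to 19 digits."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a well-formed PAN")
    return digits


def luhn_valid(digits):
    """Luhn check-digit validation: every second digit from the right is doubled,
    digit sums above 9 are reduced by 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display form: first six and last four digits, everything else masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(digits, key):
    """Keyed one-way token for lookups. A plain SHA-256 of a PAN is brute-forceable
    because the PAN space is small; the secret key removes that shortcut."""
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(raw_pan, key):
    """Return the record that may be persisted: masked PAN and token, never the PAN."""
    digits = normalize_pan(raw_pan)
    if not luhn_valid(digits):
        raise ValueError("Luhn check failed")
    return {"masked": mask_pan(digits), "token": pan_token(digits, key)}


def process_batch(pans, key):
    """Split a batch into storable records and rejection reasons.
    Rejections carry only the error text, so no raw PAN leaks into logs."""
    stored, rejected = [], []
    for pan in pans:
        try:
            stored.append(prepare_for_storage(pan, key))
        except ValueError as exc:
            rejected.append(str(exc))
    return stored, rejected


if __name__ == "__main__":
    stored, rejected = process_batch(SAMPLE_PANS, LOOKUP_KEY)
    for rec in stored:
        print(rec["masked"], rec["token"][:16] + "...")
    print("rejected:", rejected)
```

The record returned by `prepare_for_storage` is the only thing that should reach a database: the masked form satisfies display needs, the HMAC token lets you find repeat cards without storing the PAN, and neither can be reversed without the key. Swapping the key (rotation) invalidates old tokens, which is the expected trade-off of a keyed hash and is why key management belongs in the design from the start.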

What are the risks and penalties for noncompliance with PCI DSS?


  • Monetary fines. Non-compliance can lead to fines levied by the payment brands and passed down through the organization's acquiring bank or payment processor.

  • Forensic audits. After a data breach, an organization must submit to a forensic investigation and provide its compliance documentation to the forensic examiner.

  • Payment brand restrictions. The card brands can impose additional requirements or, in serious cases, revoke the organization's ability to accept card payments.

  • Brand reputation. A publicized breach or loss of compliance status damages customer trust.

  • Reactive compliance. Remediation forced after a breach or a failed assessment is more disruptive and more expensive than compliance planned in advance.


How can Array Cyber Consulting help organizations comply with the PCI DSS cost-effectively while minimizing the impact of compliance on the organization's objectives?


  • Create or review the organization's policies and procedures for PCI DSS compliance

  • Create or review an organizational cardholder data (CCD) map to understand where CCD enters, moves through, and is stored within the organization

  • Ascertain the organization's current state of PCI DSS compliance through surveys, interviews, and vulnerability scans

  • Enumerate, risk-rate, and prioritize all PCI DSS compliance gaps to make the best use of available compliance resources

  • Provide prioritized, cost-effective remediation recommendations that do not adversely affect the organization's business objectives