The term PCI stands for Payment Card Industry, and we are all quite familiar with the different types of credit card / payment solution companies available, such as Master Card, PayPal and Visa. This article discusses how these companies manage the security of card holders' data.
These companies operate under the standards of PCI DSS, which stands for Payment Card Industry Data Security Standard. According to these standards, the information of card holders is to be kept secure.
History of PCI DSS
There were five programs:
1. American Express' Data Security Operating Policy
2. Discover's Information Security and Compliance
3. JCB's Data Security Program
4. Master Card's Site Data Protection
5. Visa's Card holder Information Security Program
They were initiated by the respective credit card companies. The intention of each company was nearly the same: to develop an additional layer of protection for card holders and card issuers by making sure that merchants meet minimum levels of security when processing, storing and transmitting credit card data.
These same ideas led to the formation of the Payment Card Industry Security Standards Council (PCI SSC), and the companies combined their policies to create the PCI DSS.
There have been a number of versions of the PCI DSS up to now, with the first version 1.0 released on 15 December 2015 and the latest version 3.2 launched in April 2016.
Why there's a need for PCI DSS
The PCI DSS was developed to limit credit card fraud. PCI Compliance is, however, more about security than about compliance for its own sake. The objective of PCI Compliance is to confirm that security standards are met when processing customer payments, as well as when managing customer data.
Verification of PCI Compliance is checked annually by a QSA (Qualified Security Assessor), who creates a ROC (Report on Compliance). This is generally required of companies handling millions of transactions; companies with lower volume are only required to fill in an SAQ (Self-Assessment Questionnaire) as the means of reporting PCI Compliance.
The PCI DSS sets out twelve requirements for PCI Compliance, which are organized into six groups known as Control Objectives. Each version of the PCI DSS has broken these twelve requirements down differently into a number of sub-requirements, but the twelve main requirements themselves have not been altered since the standard's inception.
Objectives and Requirements:
1. Build and maintain a secure network
i. Install and maintain a firewall configuration to protect card holder data.
ii. Do not use vendor-supplied defaults for system passwords or other security parameters.
2. Protect cardholder data
iii. Protect stored card holder data.
iv. Encrypt card holder data when it is transmitted across open, public networks.
3. Maintain a vulnerability management program
v. Use and regularly update antivirus software on systems commonly affected by malware.
vi. Develop and maintain secure systems and applications.
4. Implement strong access control measures
vii. Restrict access to cardholder data by business need to know.
viii. Assign a unique ID to every person with computer access.
ix. Restrict physical access to cardholder data.
5. Regularly monitor and test networks
x. Track and monitor all access to network resources and cardholder data.
xi. Regularly test security systems and processes.
6. Maintain an information security policy
xii. Maintain a policy that addresses information security.