Saturday, June 15, 2013

Some of What You Wanted to Know About PCI DSS

The PCI DSS was originally developed by the payment card companies, such as MasterCard and Visa, in response to the growing number of incidents of misuse and theft of payment card details. PCI DSS is the Payment Card Industry Data Security Standard; it lists the preferred practices and best measures for transmitting, processing, handling and storing payment card data. The original PCI DSS was released in December of 2004 and mandated a wide range of measures to ensure that payment card data was protected.

Since much of the data was stored in databases that were accessible online, the measures were focused in three areas:

• A best-practices program for the security of IT processes, including masking and encryption of card data, hardening of configurations, scanning for vulnerabilities, penetration testing and regular updating of passwords, with regular reviews of system security.

• Implementation and oversight of best practices for physical and external security, such as building and personnel security measures.

• Implementation of technological security measures, such as intrusion detection systems, strong firewalls, data encryption, file-integrity monitoring and anti-virus software.

PCI DSS has since evolved, and the PCI Security Standards Council has been established by the major credit card brands. It has taken on responsibility for education, management and development of the 12-point PCI DSS, which in turn expands into more than 250 points. The standard can be viewed at pcistandard.org, and a summary of some of the salient points follows.

Firewalls should be used in configurations where processing of card data is operated separately from corporate networks. Internet-facing systems must also be separated from card-processing systems. Systems should be made secure and hardened as much as possible, with the use of non-default passwords and of SSL/TLS and Secure Shell for any system access. Unnecessary services and protocols should be disabled to prevent unwanted access. Regular file-integrity checks and penetration testing should become a normal part of the operating procedures, and the results should be carefully analyzed by independent parties.

Storage of all cardholder data should be minimized and encrypted to render it unusable if it is lost or stolen. Access to cardholder data must be managed, monitored, tracked and restricted to users on a need-to-know basis. All access should also be logged and backed up in case of audits.
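As an added example (not part of the original post), the following Python shows the masking point above and a simple check a defender can run over application logs to catch card numbers that were written out in full; the regex, the Luhn filter that suppresses look-alike numbers, and the sample log lines are constructed for this example, and the card numbers in it are well-known industry test numbers, not real accounts.

```python
import re

# Candidate 13-19 digit runs, allowing the spaces or dashes that PANs are often written with.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation; weeds out session ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN with everything but the last four digits replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(line: str) -> list:
    """Return the Luhn-valid PANs that appear in full in one log line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scrub_line(line: str) -> str:
    """Mask every unmasked PAN in a log line, e.g. before the line is written to disk."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, line)


def audit_log(lines: list) -> list:
    """Return (line number, masked PAN) pairs for every unmasked PAN in a log."""
    return [(n, mask_pan(p)) for n, line in enumerate(lines, 1) for p in find_unmasked_pans(line)]


# Constructed sample log; 4111... and 5555... are industry test card numbers.
SAMPLE_LOG = [
    "2013-06-15 10:01:02 checkout ok card=4111111111111111 amount=19.99",
    "2013-06-15 10:01:05 checkout ok card=5555 5555 5555 4444 amount=5.00",
    "2013-06-15 10:01:09 session id=1234567890123456 user=alice",
    "2013-06-15 10:01:12 checkout ok card=************1111 amount=7.50",
]
```

The third line is a 16-digit session id that fails the Luhn check, so the audit reports only the two real leaks and the scrubber leaves that line untouched.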

Each user should be assigned a unique user ID with a strong authentication procedure, and access to cardholder data should be monitored and tracked. The standard also encourages much stronger physical security procedures, with restricted access to certain areas and the use of video monitoring, door locks, badge readers and even some biometric identification.


The organization also recognizes that the policy becomes meaningless if its procedures are not followed, and encourages adoption and implementation of the policy at the highest levels. In many instances, this may require a cultural change to ensure that all employees appreciate the importance of the policy's objectives.
