Some requirements are procedural and require only changes to corporate policy, such as discontinuing the use of default passwords. Other requirements are likely already in place such as firewalls and virus scanning. PCI compliance cannot be achieved by any one vendor, process, or product, and is an ongoing process rather than a one-time project.
There are two main issues central to many of the requirements: protecting identities and protecting information. Seen this way, the 12 requirements can be organized as follows:
- Requirement 3: Protect Stored Data
- Requirement 4: Encrypt transmission of cardholder and sensitive information across public networks
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
PCI compliance can be leveraged into compliance with other industry security standards as well. Entrust's suite of security solutions provides some of the most complete capabilities to address PCI requirements. Protecting identities and information has been the cornerstone of Entrust solutions for ten years.
Whether stored or being transmitted, critical information must be protected to ensure cardholder data is not compromised. The PCI requirements point to encryption as the only acceptable method of protecting information. Requirement 6 takes this protection of information a step further by requiring systems and applications to be built securely using standard best practices and integrating security functions into the core of applications. The guidelines for the protection of information are sweeping and introduce the need for a common set of tools that cross applications, systems and processes to manage security.
Protecting identities is the process for authenticating users and granting access to applications and information. Organizations need to be able to determine with certainty who they are dealing with (authentication) and then to control what they are allowed to see and do based on who they are and their role in the organization (access control).
Many organizations assign a unique ID to each person in the form of a username and password, but PCI demands more. Authentication methods that depend on more than one factor (multi-factor) are needed to identify users accessing corporate resources such as VPN remote access, Microsoft Windows desktops, servers, and web-based and custom applications.
Authentication factors are independent ways to establish identity and privileges and can involve up to three:
- Knowledge – something the user knows (password, PIN)
- Possession – something the user has (ATM card, smart card)
- Attribute – something the user is (biometric, fingerprint, retinal scan)
As risks increase, breaches continue, brands are impacted by fraud incidents and PCI penalties loom, the true importance and necessity of multi-factor authentication becomes clear. Organizations need a single, enterprise authentication platform that can flexibly control how users and their connectivity are secured, based on the risks associated with the transactions they are performing.
Organizations want to achieve PCI compliance as quickly and cost-effectively as possible. The optimal way of achieving compliance is by creating an ongoing process with products and policies that protect identities and information.
The Payment Card Industry (PCI) Data Security Standard includes 12 detailed requirements organized into six categories:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security
Protect Cardholder Data
- Requirement 3: Protect stored data
- Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Bill Conner is Entrust Chairman, President and CEO and a member of the Cyber Security Industry Alliance.