Thursday, January 20, 2011

PCI Update

What may happen as the result of not being PCI compliant?

If cardholder data is stolen you could incur fines, penalties and even termination of the right to accept payment cards! Find out more on the web at: https://www.pcisecuritystandards.org/security_standards/why_comply.php

Who do these requirements apply to?

Merchants and service providers that accept, capture, store, transmit or process credit or debit card data. If you are reading this, it most likely applies to you.

There are 6 goals, or categories, covering 12 requirements, each of which has several sub-requirements listed in the PCI documentation. Below you will find the 6 categories and the 12 main requirements. This information can also be located at the website of the PCI Security Standards Council, which was formed to promote PCI compliance. The council does not enforce the standards; enforcement is done by the card brands. The requirements outline a minimum level of protection for payment card data and should be recognized as such.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

Being compliant with the PA-DSS guidelines is an ongoing process, and grocers need to be ever vigilant. You can find up-to-date PA-DSS and PIN pad information at http://www.pcisecuritystandards.org/.