Thursday, April 19, 2012

PCI Update

What may happen as a result of not being PCI compliant? If cardholder data is stolen you could incur fines, penalties and even termination of the right to accept payment cards! Find out more on the web at: https://www.pcisecuritystandards.org/security_standards/why_comply.php


Who do these requirements apply to?
Merchants and service providers that accept, capture, store, transmit or process credit or debit card data. If you are reading this it most likely applies to you.


There are 6 goals or categories with 12 requirements, each having several sub-requirements listed in the PCI documentation. Below you will find the 6 categories and the 12 main requirements. This information can also be located at the website of the PCI Security Standards Council, which was formed to promote PCI compliance. The council does not enforce the standards; enforcement is done by the card brands. The requirements outline a minimum level of protection for payment card data and should be recognized as such.


Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters


Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks


Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications


Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data


Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes


Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel


Being compliant with the PA-DSS guidelines is an ongoing process, and grocers need to be ever vigilant. You can find up-to-date PA-DSS and PIN pad information at http://www.pcisecuritystandards.org.