IT Jobs
Getting to grips with PCI Security Standard
The dirty dozen of important principles.
By David Cartwright | Techworld
Published: 13:12 GMT, 20 March 09
In these modern times, "PCI" is no longer the slot into which you insert your computer's network adaptor. No: PCI stands for the Payment Card Industry, and although it's regarded right now as a set of best-practice guidelines for protecting against credit/debit card fraud, you can be sure that before long the banks will stop recommending compliance and begin insisting on it.
If you accept payments using debit or credit cards, then, you'd better take notice of PCI.
Of course, there's a vast amount of common sense regarding how you accept, process and store payment card information. So unsurprisingly, a large portion of PCI is an enumeration of common-sense ideas. Let's walk through the key points, of which there are a dozen.
End-to-end encryption: The PCI security holy grail
1: Install and maintain a firewall configuration to protect cardholder data
Of course, you'd never consider running an ecommerce site - or any type of externally-connected network, for that matter. But take note of the third word: maintain. Most of us have installed firewalls, but do we check on them every so often to ensure that, for instance, we've no old rules that shouldn't be there any more, or there are user IDs belonging to users who've left the company. Most firewalls are installed and initially configured pretty well, but far too many lack maintenance.
2: Do not use vendor-supplied defaults for system passwords and other security parameters
No s**t, Sherlock, but it's easily done. Many sure you change EVERY default password - remember an intruder only needs read-only access to steal information.
3: Protect stored cardholder data
Another obvious one, but do you do this adequately? What do you do, for instance, with the three-digit security codes from the backs of people's cards? (Hint: if the answer isn't "dispose of them securely as soon as they've been used for authorisation" you're doing it wrong). How many members of staff have access to full card numbers? (Another hint: if the answer isn't "a select few, and only after intense authentication" you're doing that wrong too). If you absolutely need to store data, do it safely. If you don't need to store it, chuck it away securely, or at the very least blank out all but the last four digits of a card number in order to render it unusable.
4: Encrypt transmission of cardholder data across open, public networks
The obvious, easy bit of this one is to get yourself an SSL certificate on your Web site. But make the effort to consider ways in which card data might get shipped outside your network - for example, if you're having problems with your Merchant Services software and the supplier asks you to send a sample data file for them to use in debugging.
5: Use and regularly update anti-virus software
The easiest of the bunch, this one. Ideally use two or three different AV packages in parallel, to maximise your chances of catching new viruses as they appear.
6: Develop and maintain secure systems and applications
Following the easiest of the lot comes the hardest of the lot. It's a simple sentence, but it's a vast, open-ended problem. You don't have control over the security of most of your applications, because you didn't write them. What you can do, of course, is disable components that communicate willy-nilly across the Internet, auto-update themselves without warning, and so on. And of course, you can set your firewall to prohibit connections by default in order to give a further level of protection.
.gif)
Add your commentComments