Write short note on: Payment card Industry Data Security Standard (PCI-DSS)

12views

written 8.5 years ago by

teamques10 ★ 68k

• modified 8.5 years ago

The Payment Card Industry (PCI) has a Data Security Standard (PCI-DSs) that’s administered by the PCI Security Standard Council (PCI-SSC).
It is a proprietary information security standard for organization that handle cardholder information for major cards.
It was created to increase controls around cardholder data to reduce credit card fraud via its expense.
Validation of compliance is done annually by an external Qualified Security Assessor(QSA) that creates

ROC (Report of Compliance) – for organizations handling large volumes of transaction.
SAQ (Self-Assessment Questionnaire) – for companies handling smaller volumes.

Requirements of PCI-DSS

The table contains 12 requirements under 6 logically related groups, called as “control objectives”.
Requirements of version 1.2 released in Oct 2008.

Control Objectives	PCI requirements
1. Build and Maintain a Secure Network.	Install and maintain a firewall configuration to protect cardholder data.
2. Protect Cardholder Data.	Do not use vendor supplied defaults for system commonly affected by malware.
3. Maintain a Vulnerability Management Program.	Protect stored cardholder data.
Implement Strong Access Control Measures.	Encrypt transmission of cardholder data across open, public networks.
5. Regularly Monitor and Test Networks.	Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Maintain an Information Security Policy.	Develop and maintain secure systems and applications.
Restrict access to cardholder data by business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain a policy that addresses information security.

ADD COMMENT EDIT