The standards for information security in the modern, fast-paced business environment will continue to grow and evolve as the tactics and techniques that hackers and other criminals use also evolve. The PCI DSS (Payment Card Industry Data Security Standard) was created by the five major credit card companies to be a tool and a standard by which merchants can establish and maintain a secure business environment for their customers.

The PCI DSS is a set of 12 requirements that any merchant that processes, stores, or transmits sensitive credit card data must adhere to. These requirements are not all easy, nor are they necessarily cheap to implement. They are, however, very necessary.

So what, exactly, are the information security requirements of the PCI DSS? Some are simpler than others, some are (or should be) common sense, and others are more complex and, because of their less-than-obvious nature, are included specifically because they get overlooked by merchants and targeted by hackers.

We'll begin with the more obvious requirements. The first and second requirements are about building and maintaining a secure network. This includes installing a firewall and keeping it up to date, and changing any default vendor-supplied passwords that may have come with your system. Firewalls are important components of any system's information security, as they give you control over the traffic that can get into or out of your system. And most vendor-supplied passwords have already made it into the hacker community and are unsafe to keep around.

The next two requirements of the PCI DSS involve taking the necessary steps to protect cardholder data. This begins with simple steps like keeping stored data to a bare minimum, and can also include making sure that you keep all your own passwords encrypted and all physical access limited to specific people. It gets a little more complex when you start encrypting all transmissions of credit card data. Again, some of these requirements seem obvious, but many merchants have been caught without implementing this step sufficiently. The recent decision in the famous TJX case, in fact, concluded that the company did not do everything it could have and/or should have done to protect cardholder data. This included storing and transmitting unencrypted data. What's the lesson here? Anyone can get caught not doing everything necessary for their customers' safety.

Requirements five and six of the PCI DSS deal with maintaining a vulnerability management program. This includes using and regularly updating anti-virus programs, because not all threats come from hackers. Any programs or applications you develop must also be secure. This means that you must apply all patches and updates that are necessary to remain current with all the new technologies.

The next requirements are about implementing strong access control measures. This includes limiting access to cardholder data to those with a business need to know, assigning unique IDs to everyone who has computer access, and restricting physical access to cardholder data. This is important in information security for the simple reason that a lot of security can be added by knowing exactly who can see the information. And if there ever is a problem, tracing the source of the problem can be a much more efficient process.

The PCI DSS also requires that a merchant regularly tests and monitors their systems. Why? Because simple implementation isn't enough. Doing something once and expecting it to be self-sustaining isn't going to work. Regular testing is the only way to ensure that you will find any problems in the system before any criminals do.

The twelfth requirement of the PCI DSS states that you must maintain a policy on information security. What this means is that it is your responsibility to make sure each part of the company understands its own responsibility toward the PCI DSS. It's about knowledge and information. And in the end, this knowledge can help you provide your customers with a safe environment in which to conduct electronic transactions.
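Two of the points above, keeping stored cardholder data to a bare minimum and regularly testing and monitoring your own systems, can be partly automated. The following Python script is an added example, not code from the original article or from the PCI Security Standards Council: it scans application log lines for unmasked card numbers (using the Luhn check to avoid flagging every long digit string) and shows how a PAN can be masked so that only a prefix and the last four digits remain. The log lines and the masking convention (first six and last four digits kept) are assumptions made for the example; the card numbers are well-known test numbers, not real accounts.

```python
import re

# Constructed sample log lines for the example (not from the original article).
# The PANs are publicly known test numbers, not real accounts.
SAMPLE_LOG = """\
2024-01-05 10:01:02 checkout order=1001 pan=4111111111111111 amount=19.99
2024-01-05 10:01:07 checkout order=1002 pan=411111111111**** amount=5.00
2024-01-05 10:02:11 inventory sku=A7 trace_id=1234567890123456 qty=3
2024-01-05 10:03:45 refund order=1003 card=5555555555554444 amount=12.50
"""

# Candidate PANs: 13 to 19 consecutive digits not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-number candidates found in a piece of text."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text) if luhn_valid(m.group(0))]


def mask_pan(pan: str) -> str:
    """Mask a PAN, keeping the first six and last four digits (assumed convention)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_log(text: str) -> list[dict]:
    """List every log line that contains an unmasked, Luhn-valid card number.

    Only the masked form is reported, so the audit output itself does not
    become another place where full PANs are stored.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append({"line": line_no, "masked": mask_pan(pan)})
    return findings


def redact_log(text: str) -> str:
    """Return the log text with every Luhn-valid card number replaced by its masked form."""
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_CANDIDATE.sub(_replace, text)


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(f"line {finding['line']}: unmasked card number, masked form {finding['masked']}")
    print("--- redacted log ---")
    print(redact_log(SAMPLE_LOG), end="")
```

Run on the constructed sample, the audit flags lines 1 and 4 only: the already-masked value on line 2 has too few digits to match, and the 16-digit trace id on line 3 fails the Luhn check, which is exactly the false positive the checksum is there to suppress. Running a scan like this over application logs on a schedule is one concrete way to make the "regular testing" requirement more than a one-time exercise.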