Are you ready for PCI compliance?

Features
By Davey Winder
published

Davey Winder takes a closer look at the financial transaction security standard and what you need to do to get certified.

"As such your merchant services organisation has typically stipulated in its merchant service contract that you should be in compliance with applicable scheme compliance programs which includes PCI DSS. PCI DSS is being codified into State Law in the US since 2007 and will likely be codified into Federal law within two years. At that stage the EU is very likely to follow suit so the advice is to get ready now".

At the end of the day, this is not a matter where business can afford to be choosy; not that it has a choice as compliance is mandatory anyway. Far better to get with the program and become compliant than risk either having the credit card company remove your privileges as it were, fine you for non-compliance or, worse case scenario, suffer a high profile data breach that irrevocably damages your reputation, brand and ability to remain competitive.

Even when budgets are being squeezed, PCI compliance is not an area where you can afford to cut corners.

Businesses should think of it as a marketing opportunity, a chance to show their customers and business partners alike that they take security seriously.

As Dr Graham Oakes, author of a book entitled 'Project Reviews, Assurance and Governance' rather succinctly told IT PRO when asked what companies that are not yet PCI compliant need to do: "If they're not seriously on the way to compliance now, then the main thing they need to do immediately is prepare a good excuse..."

The 12 core requirements of PCI-DSS compliance

According to the PCI Security Standards Council, the 12 core compliance requirements are:

Build and maintain a secure network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management programme

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an information security policy

Requirement 12: Maintain a policy that addresses information security

Davey Winder
Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.