Achieving PCI DSS Compliance
The Payment Card Industry- Data Security Standard (PCI-DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The main objective behind the formulation of this standard is to prevent credit card fraud and to protect card holder information. This standard is applicable to all organizations which accept card payments, and store, process, or exchange card holder information.
However, from the perspective of organizations, achieving PCI-DSS compliance can be quite a challenging affair. Even a minor slip or compromise could result in huge financial losses as well as loss of reputation. While organizations have been employing various methods to ensure compliance with PCI-DSS, these methods suffer certain serious inadequacies:
· In most organizations, encryption across computer networks is inconsistent. Therefore, credit card data are protected in some cases, but not in others
· Some merchants store credit card data unnecessarily, and also fail to prevent them from being transmitted to less secure parts of the network
· Some organizations fail to maintain a log of network activity, which can help reveal instances of attempted hacking. Hence, it becomes impossible to track unauthorized access to credit card data
· Compliance management systems deployed by some companies are not proactive but reactive. So they do not scan for vulnerabilities or abnormal system activities. Hence they fail to completely protect the system from security attacks
· Certain organizations employ disparate systems for compliance to HIPAA, SOX and other regulations, but fail to understand that these systems do not address PCI-DSS requirements
Therefore, achieving PCI-DSS compliance necessitates the adoption of a fool-proof method with 12 basic requirements:
1. Installation and maintenance of a firewall configuration to protect card holder data
2. Preventing usage of vendor-supplied defaults for system passwords and other security parameters
3. Protection of stored card holder data
4. Encrypted transmission of card holder data across open, public networks
5. Usage and frequent update of anti-virus software
6. Development and maintenance of secure systems and applications
7. Restriction of access to card holder data
8. Assignment of a unique ID to each person with system access
9. Restriction of physical access to card holder information
10. Tracking and monitoring of all access to network resources and card holder information
11. Regular testing of security systems and processes
12. Formulation and maintenance of a policy that addresses IT compliance and security
However, using disparate systems to meet these multiple requirements is not the answer. It is important for organizations to resort to an integrated compliance management software solution, which offers key features to support these requirements. By doing this, organizations can not only ensure secured storage, processing and exchange of card holder information but also safeguard their brand image and reputation.