What Does Your IT Team Need to Know About PCI DSS Compliance?
(Part 6 in our series on IT Compliance Concerns.)
In Part 5 of our series, we discussed how the Payment Card Industry Data Security Standard (PCI DSS) was created in an effort to o improve protections for storing, processing, and transmitting cardholder data. In this part, we will look at some of the details your IT team will need to deal with regarding PCI DSS compliance.
What are some of the Information Technology concerns for PCI DSS compliance?
Keeping in mind that the penalties for failing to comply with these standards can include fines and possibly the termination of privileges to process credit cards, your IT team will need to pay careful attention to many details. We discussed the twelve general requirements for PCI DSS compliance in our last post. Naturally, each one of these raises concerns for your IT department.
This includes installing and maintaining a firewall configuration to protect cardholder data. Additionally, your IT team will need to regularly test your firewall for effectiveness.
Not using vendor-supplied defaults for system passwords and other security parameters
Your company will need to create, maintain, and regularly update your system passwords with unique and secure passwords. You cannot allow your employees to simply continue to use passwords your vendors started them with. For an IT department, getting users to follow password requirements can be a frustrating process. Educating your employees so they understand the real need for inconvenient policies is key to winning their compliance.
Protecting stored cardholder data
(This applies only to companies that store cardholder data.) In addition to encrypting all stored cardholder data, your IT team may need to combine virtual and physical security features. Examples of virtual security: authorization, authentication, etc. Examples of physical security: restricted access, locks on cabinets, servers, etc.
Encrypting transmission of cardholder data across open, public networks
Given the increased use of public networks, your IT team will need to pay close attention to wireless networks and remote access solutions for this requirement.
Using and regularly updating antivirus software
Your IT department is probably already aware of the need for antivirus software. With this requirement in mind, to need to regularly update software and apply patches becomes even more important.
Developing and maintaining secure systems and applications
Your IT team will need to have a process for tracking newly discovered security vulnerabilities in the software your company uses. This may mean making use of alert systems provided by your software vendors.
Restricting access to cardholder data by business need-to-know
This simply means limiting the number of employees who have access to cardholder data. It requires your company to have carefully designed processes for determining which employees will have that access so that your IT team can then provide that access.
Assigning a unique ID to each person with computer access
This will ensure that when actions are taken on critical data, those actions can be connected to known, authorised users.
Restricting physical access to cardholder data
Again, limiting access limits the chances of a security breach.
Tracking and monitoring all access to network resources and cardholder data
This means logging networks and appropriate devices, as well as storing those logs in case they need to be used later as evidence in case of a security breach.
Regularly testing security systems and processes
This means conducting regular vulnerability scans for possible weaknesses.
Maintaining a policy that addresses information security
- Such a policy needs to address remote access and wireless technologies, removable electronic media, email, internet usage, laptops and other mobile devices, as well as addressing the monitoring of service providers.
To learn more about PCI DSS and related issues:
Other posts in this series:
Part 5: Is Your Company PCI DSS Compliant?