Skip to main content

PCI Compliance - Cheat Sheet

A bit of background regarding PCI compliance - as credit card use has become more widespread both offline and online, and as consumer concern about security has understandably grown, the credit card industries have made an effort to ensure that sensitive information is protected. To that end, in September 2006, the major credit card companies (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) formed the PCI Security Standards Council (SSC) and established a set of rules for what they called PCI compliance. These rules have to be followed depending on the size of a business and the number of credit card transactions handled, and if done properly will help protect consumers’ data from theft.

The Rules in a Nutshell

There are six major categories within the standards established by the PCI SSC, which are as follows:

–Build and maintain a secure network
–Protect cardholder data
–Maintain a vulnerability management program
–Implement strong access control measures
–Regularly monitor and test networks
–Maintain an information security policy

Within these six categories are 12 requirements that address particular issues and that are directly related to web application security:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security

Where to Find More Info

Each requirement for PCI compliance is broken up into a variety of subsections that go into detail about the process, the full list of which can be viewed at www.pcicomplianceguide.org.

Section 6.6 is one of the most important subsections regarding web application security because it is coming under scrutiny as of July 2008.
Labels:

Comments

Anonymous said…
"PCI Compliance - Cheat Sheet"
7:56 AM
Post a Comment

Popular posts from this blog

Italian Baseball | Arriving (VERONA, ITALY)

ARRIVING IN VERONA, ITALY to PLAY BASEBALL On the train from Milano to Verona I found myself being suddenly freaked out. My family-heritage-enthusiasm was starting to leave me...and self doubt started to pop up. In moments like this...and in my lifetime I had plenty...I did what I was taught to do on the baseball diamond...stick to the fundamentals and don't try to do too much! So I took a deep breath and kept thinking to myself, 'one thing at a time...and the first thing is to get rid of this HUGE, unwieldy, ridiculously heaving duffel bag!' There are two things everyone should know about Italian train stations: Left Luggage - you can leave your bags with them, thus unburdening yourself for a small fee. Buses - there are lots of buses outside of train stations and if you take Bus #1, it will take you to Il Centro (the center) of town. So with this knowledge I rented one of their changing rooms for 30 minutes...took a shower and sorted through what I needed to begin my que...
2 comments
Read more

PCI-at-a-Glance for Gaming

There are four levels of PCI Compliance.  Level I is the highest standard .  Levels III & IV are self audits and should trigger serious red flags within your organization, as there is zero accountability. Why choosing a PCI Level I supplier saves money and limits risk! -         Liability : using a PCI Level I provider means that you absolve yourself from all liability as it pertains to the storage and transmission of credit card data. This means that if there was ever a breach and personal information was revealed, your SERVICE PROVIDER is liable, not your company. o     Imagine your Public Relations Team explaining to your end users that their personal credit card information was compromised because you did not choose a PCI Level I Compliant provider. -        Registration pages: o     You must host registration pages, because they cannot touch credit card data. - ...
1 comment
Read more