The first blog in this series provided a historical overview and introduction to PCI compliance. This blog provides an overview of PCI DSS, which is organized into 6 principles of PCI compliance (also known as “control objectives”) that describe, at a high level, the 12 requirements of PCI DSS compliance.
The first principle of PCI compliance is “Build and Maintain a Secure Network”. This principle of PCI compliance encompasses requirements covering the data center network including firewalls (implementation, lockdown, port justification, and more) and vendor defaults (modification of vendor supplied defaults, configuration standards, encryption of non console administrative access, and more).
The second principle of PCI compliance is “Protect Cardholder Data”. This principle encompasses requirements covering protection of stored cardholder data (keeping storage to a minimum, restrictions on the data stored, storage encryption, and more) and encryption of transmissions to and from the data center across public networks (encryption standards when transmitting, wireless transmission standards, restrictions against unencrypted transmission of cardholder data, and more).
The third principle of PCI compliance is “Maintain a Vulnerability Management Program”. This principle encompasses requirements covering anti-virus software (installation, capabilities, functionality, and more) and secure systems and applications (patching, security vulnerability awareness, security in the systems development lifecycle, and more).
The fourth principle of PCI compliance is “Implement Strong Access Control Measures”. This principle encompasses requirements covering cardholder data access restrictions (access on a need-to-know basis, access tracking, access forms, and more), assigning a unique ID to each individual (password requirements, two-factor authentication, password encryption, and more), and physical access restrictions to the data center and the managed servers. This is where Online Tech has been a lifesaver for several of my clients as they deploy in Online Tech’s PCI compliant data center. Online Tech takes care of all the physical access controls, video requirements, visitor requirements, backup storage requirements, and network security.
The fifth principle of PCI compliance is “Regularly Monitor and Test Networks”. This principle encompasses requirements covering logging and monitoring of access to network resources and cardholder data (central logging, logging requirements, log review requirements, and more) and regular testing of security systems and processes (wireless analyzer, vulnerability scanning, penetration testing, and more).
The sixth principle of PCI compliance is “Maintain an Information Security Policy”. This principle contains one requirement, which covers (you guessed it) the need for an up-to-date and thorough Information Security Policy (incident response planning, role and responsibility assignments, employee usage requirements, and more).
Each of the above principles of PCI compliance will be covered in depth in subsequent blog posts in this series, including the benefit of prior lessons learned.
Adam Goslin, Co-Founder, High Bit Security, LLC
Adam has an IT career that spans more than 15 years, most recently leading the IT and Infrastructure teams of Osiris Innovations Group as Vice-President of IT, including leading the company through achieving PCI DSS compliance. Adam went on to found the full-service security firm High Bit Security, LLC, specializing in assisting companies looking to achieve Payment Card Industry Data Security Standard compliance, and in cost-effective penetration testing.
For more information about PCI compliance, you can email Adam at agoslin at highbitsecurity.com