SOX—Sarbanes-Oxley Act 2002
HIPAA—Health Insurance Portability and Accountability Act
GLBA—Gramm-Leach-Bliley Act
5.3.2.1 PCI-DSS
The PCI-DSS, or the Payment Card Industry Data Security Standard, has become one of the most widely known security compliance requirements in the world today. The PCI-DSS is aimed at any organization that stores, processes, or transmits cardholder information. The PCI-DSS is the creation of all five payment brands in the world: Visa, MasterCard, JCB, American Express, and Discover. The standard was created in the year 2004 to ensure that certain security measures were implemented by organizations handling cardholder information to protect against data theft, which was causing huge losses for the entire industry. The standard gained a tremendous amount of traction after the much-publicized security incidents at TJ Maxx* and CardSystems, where millions of dollars' worth of cardholder information was reportedly compromised. The payment brands then exerted greater pressure on entities to ensure that they adhered to the standard, thereby securing sensitive cardholder information. The PCI-SSC, or the Payment Card Industry Security Standards Council, currently governs the PCI-DSS. It is an industry-established body that manages and governs the standard and its assessors.
The PCI-DSS is primarily intended for merchant organizations and payment-processing organizations. These are organizations that generally come into contact with a great deal of cardholder information, whether during storage, processing, or transmission. The PCI-DSS also applies to banks and to service providers such as software development organizations and business process outsourcing organizations, because they provide services to entities like merchants, processors, and banks and come into contact with cardholder information as a result of their relationship with these entities.
The PCI-DSS comprises a set of 12 requirements, which are broadly as follows:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Requirement 5: Use and regularly update antivirus software.
Requirement 6: Develop and maintain secure systems and applications.
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Requirement 12: Maintain a policy that addresses information security.
These requirements are generally referred to as a granular security standard in this industry. With the 12 main requirements and a total of 340+ subrequirements, PCI-DSS is also a stringent
* TJ Maxx breach details: http://www.consumeraffairs.com/news04/2007/05/tjx_wireless.html.
CardSystems breach details: http://money.cnn.com/2005/06/17/news/master_card/index.htm.