PCI DSS Compliance Dos and Don'ts

PCI DSS dos:

  1. Secure your network: deploy firewalls and disable unnecessary services and protocols. Even if you are a Card Present merchant, you most likely have internet connectivity which may indirectly expose sensitive data. Be particularly careful with wireless (remember TJX).
  2. When you make changes to systems, carry out security testing to ensure you are not introducing vulnerabilities into your card environment.
  3. Get rid of card data if it is not absolutely needed. If it is needed, apply strong encryption to both the data and the data encryption keys. Have a strict key management policy, and if you transmit data make sure the link is encrypted.
  4. Encrypt and securely store all data backups; make sure 3rd party providers are PCI DSS compliant.
  5. Restrict access to card data on a need-to-know basis.
  6. Deploy comprehensive monitoring tools to monitor activity in your systems and networks, and configure them to alert on suspicious activity.
  7. Document your information security policies and follow them. Don’t buy off-the-shelf PCI DSS policy statements: they may not work for your organisation, and if you can’t follow them they are useless to you.
  8. If you develop your own payment solutions and interfaces document and implement secure coding standards and make sure they’re followed.
  9. Get PCI DSS compliance statements from your suppliers and check the PA-DSS (Payment Application Data Security Standard) compliance status of the 3rd party applications you use.
  10. Apply strict physical access control to your data centre.

PCI DSS don’ts:

  1. Never, ever store Track, PIN or CVV data, either in logs or in the database.
  2. If possible, don’t store card data after authorisation, either in logs or in the database.
  3. If the servers which store, transmit or process card data are co-located or hosted, don’t assume that the provider’s generic firewall is adequate. You may be on the same network as hundreds of insecure servers, any of which could compromise you.
  4. Don’t allow undocumented or untested changes to take place in your environment; they could open up exposures.
  5. Don’t allow staff to download data containing full card numbers for use in the general office environment, or to store it on laptops for analysis.
  6. Don’t allow production card data to be used in test environments.
  7. Don’t allow card data to be sent via unencrypted email.
  8. Don’t leave data files on file servers; move them to secure servers for processing and delete them once processed.
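Don'ts 1 and 2 above are easiest to enforce at the point where log lines are written. The scrubber below is an added example (not part of the original article or OC Group's material): it removes Track 1/Track 2 data, CVV and PIN values from a line and masks any Luhn-valid 13 to 19 digit number down to the first six and last four digits that PCI DSS permits to be shown. The field names (pan=, cvv=, pin=) and the sample lines are constructed for illustration.

```python
import re

# Added example: a log scrubber enforcing "never store Track, PIN or CVV data
# in logs". PCI DSS allows at most the first six and last four PAN digits to
# be shown, so a Luhn-valid 13-19 digit number is masked to that form.
# Field names (pan=, cvv=, pin=) and sample lines are constructed, not real.

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 begins '%B<PAN>^...?' and Track 2 ';<PAN>=...?'; both carry the
# expiry and discretionary data that must never be retained after authorisation.
TRACK_RE = re.compile(r"%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d*\?")
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|csc)\s*[:=]\s*\d{3,4}\b")
PIN_RE = re.compile(r"(?i)\b(pin(?:\s*block)?)\s*[:=]\s*[0-9a-f]{4,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    if not luhn_ok(digits):
        return match.group(0)  # not a card number; leave the value untouched
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line: str) -> str:
    """Return the log line with sensitive authentication data removed and PANs masked."""
    line = TRACK_RE.sub("[TRACK DATA REMOVED]", line)  # first: track data also contains the PAN
    line = CVV_RE.sub(r"\1=[REMOVED]", line)
    line = PIN_RE.sub(r"\1=[REMOVED]", line)
    return PAN_RE.sub(_mask_pan, line)


if __name__ == "__main__":
    # Constructed sample lines, not real transactions.
    for raw in (
        "auth ok pan=4111111111111111 cvv=123 amount=12.50",
        "swipe ;4111111111111111=25121010000000000000? terminal=7",
        "order 1234567890123456 shipped",  # fails Luhn: left alone
    ):
        print(scrub(raw))
```

Wire `scrub` in as a logging filter or formatter so that no code path can write an unmasked line; the Luhn check keeps it from mangling order numbers and timestamps.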

Hubert O’Donoghue, Managing Partner, OC Group

For more info go to: http://www.ocgroup.com/servicepci.shtml

About the writer: Hubert O’Donoghue is a globally acknowledged expert in the Payments Industry and has owned and managed Payment Processing Companies providing processing services in all regions. He now provides consulting services to Merchants, Card Issuers, Acquirers and Payment Service Providers on all issues relating to Payments, and in particular the Payment Card Industry Data Security Standard (PCI DSS).
