Step 1: A Good Defense is an Offense

When it comes to preventing data breaches, no organization can be 100 percent protected. However, taking preventative steps to stop a potential data breach, whether one ever actually happens or not, should be an ongoing requirement for any organization as of 2008.

Though PCI Compliance is now mandatory for any organization that processes credit card transactions, it is still seen as a compliance issue rather than as a preventative step that stops a data breach before it happens.

Integrating the tenets of PCI DSS into an organization's security policy, whether or not the organization must comply with the standard at this time, reduces the likelihood of a data breach.

For organizations that routinely handle credit card data and process card payments, PCI Compliance regulations stipulate the following requirements to decrease the chance of a data breach:

  • Build and maintain a secure network - Install firewalls and make sure that any changes to existing rules are sufficiently logged. Ensure that Web servers that must be reachable from the Internet are hosted in a neutral area (a DMZ) between the organization's private network and the outside public network. All database servers, which hold customer account information, should be inside the company's network, protected by a firewall.

  • Protect cardholder data - Use SSL encryption or stronger for stored customer account numbers and for data in motion over public networks. In addition, all customer data must be disposed of when it is no longer needed.

  • Maintain a vulnerability management program - Any vulnerability management program should include antivirus software on all workstations and servers. PCI DSS also requires that an organization follow guidelines from the Open Web Application Security Project (OWASP) when developing Web applications.

  • Implement strong access control measures - All stored passwords should be encrypted, and an organization should restrict access to only those who need the information as part of their job. Routinely audit user accounts and remove outdated or malicious accounts.

  • Regularly monitor and test networks - Review and monitor server logs, perform routine vulnerability scans, and install Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).

  • Maintain an information security policy - Create and maintain an information security policy that covers access control, network and physical security, and application and system development. Keep the policy updated, revise it when needed, and distribute it to all system users.
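As an added illustration of the "Protect cardholder data" requirement above (example code written for this page, not from PCI Compliance Guide.org or the PCI DSS itself), the following stores only a masked account number and purges records once a retention period has passed. It uses masking instead of the encryption the text mentions, so the full account number is never written to storage; the 90-day retention period and the sample card numbers are constructed assumptions.

```python
# Added example: minimal cardholder-data handling for the "protect cardholder
# data" and "dispose of data when no longer needed" points. Not the page's code.
from dataclasses import dataclass
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed business retention period (constructed value)


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or obviously fake PANs before storage."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the middle is never kept."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class StoredRecord:
    masked_pan: str
    stored_on: date


def store_record(pan: str, today: date) -> StoredRecord:
    """Validate, then persist a masked form only (full PAN is not retained)."""
    if not luhn_valid(pan):
        raise ValueError("invalid account number")
    return StoredRecord(mask_pan(pan), today)


def purge_expired(records, today: date):
    """Dispose of records older than the retention period; return survivors."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r.stored_on >= cutoff]


if __name__ == "__main__":
    # Constructed sample: 4111111111111111 is a widely used Visa test number.
    rec = store_record("4111111111111111", date(2008, 6, 1))
    print(rec.masked_pan, purge_expired([rec], date(2008, 6, 1)))
```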


Data Breaches Part I
- Is it possible to prevent the inevitable?

Introduction

Step 1: A Good Defense is an Offense

Step 2: Perform a company-wide risk assessment/inventory

Step 3: Educate employees on breach/data security

Step 4: Create a pre-breach containment and communication plan

Step 5: Create a rapid response and internal audit/compliance team

Epilogue: Spend now or pay later

© 2008 PCI Compliance Guide.org