Host Security
When attackers gain access through a remote POS terminal, they are one hop away from a far larger target: the payment system traffic from any and all remote POS terminals is routed to a central location or repository, generally known as "the Host."
Getting access to the Host is like finding the "Holy Grail" for hackers, as a successful intrusion allows the hacker unrestricted access to any and all payment data, or password information, that is stored within the Host environment.
With Internet Protocol connections being used more and more for POS systems, hackers are finding opportunities to obtain magnetic-stripe data via the Host. Magnetic-stripe data includes the Track 1 and Track 2 data (card numbers, names, expiration dates and PIN verification numbers) encoded on the black stripe on the back of a customer's credit card.
Following the PCI DSS compliance rules as they relate to Track 1 and Track 2 data and PINs is paramount, as is choosing PABP-compliant software applications from the list at www.Visa.com/cisp.
Merchants should also ask their POS vendor and/or reseller the following questions about the Host software, or request the following attributes for it:
- Does the software/product store PINs, PIN blocks or full magnetic stripe data?
- Is the version of software now in use PABP compliant?
- Have previously stored data and any other prohibited data been removed?
Merchants, with or without a QPASP, can take steps on their own, following PCI DSS guidelines, to close security loopholes as they relate to the Host.
Some of these steps include:
- Disable all ports that are not in use, or not needed for business functions.
- Never use default passwords for your operating system, POS applications, dial-up access and remote management software.
- Change passwords every 90 days, and make sure each user has a strong, unique password, including on database servers, following the guidelines of PCI DSS 8.5.11.
- Pick obscure and meaningless server names, so the function and name of your business is not known by the server name.
- Ensure that the POS system is used only for credit card data processing; merchants must not use it for answering or sending email or for web browsing.
- Install software-based firewalls on all PCs used for remote access to the Host.
- Limit physical access to the host system by locating the host system in a secured room.
- Enforce a host log, when anyone accesses the Host system. This log should include the user's name, reason for access, login time and logout time. Users must log into the Host system with their own credentials and logout at the end of their session.
- Install a password-protected screen saver on the Host system.
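The host-log requirement above can be checked mechanically. The following is an added example, not code from the original page: a small Python auditor run over a constructed log in the user, reason, login time, logout time layout the text calls for. The list of shared account names and the 8-hour session limit are assumptions.

```python
import csv
import io
from datetime import datetime

# Accounts not tied to one named person. Logging in with these defeats the
# requirement that each user accesses the Host with their own credentials.
# (The list is an assumption; adapt it to the accounts on your Host.)
SHARED_ACCOUNTS = {"administrator", "admin", "root", "pos", "host"}

# Constructed sample log: user,reason,login,logout (logout empty if still open).
SAMPLE_LOG = """\
jsmith,settlement review,2024-03-01 08:02,2024-03-01 08:40
administrator,apply patches,2024-03-01 09:15,
mlee,,2024-03-01 10:00,2024-03-01 10:05
jsmith,log export,2024-03-01 11:30,2024-03-02 09:00
"""


def parse_time(value):
    """Return a datetime for a 'YYYY-MM-DD HH:MM' field, or None if empty."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M") if value else None


def audit_host_log(text, max_session_hours=8):
    """Check every record against the text's requirements: a personal user
    name, a recorded reason, both login and logout times, and a session
    that was actually closed within a plausible working window."""
    findings = []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not f.strip() for f in row):
            continue  # skip blank lines
        if len(row) != 4:
            findings.append((n, "malformed record"))
            continue
        user, reason, login, logout = (f.strip() for f in row)
        if user.lower() in SHARED_ACCOUNTS:
            findings.append((n, f"shared account '{user}' instead of personal credentials"))
        if not reason:
            findings.append((n, "no reason for access recorded"))
        start, end = parse_time(login), parse_time(logout)
        if start is None:
            findings.append((n, "login time missing"))
        elif end is None:
            findings.append((n, "session never logged out"))
        elif (end - start).total_seconds() > max_session_hours * 3600:
            findings.append((n, f"session open longer than {max_session_hours}h"))
    return findings


if __name__ == "__main__":
    for line_no, issue in audit_host_log(SAMPLE_LOG):
        print(f"record {line_no}: {issue}")
```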