Merchants 5 Step Guide To PCI Compliance
Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need to know
One of the most common, yet most overlooked, vulnerabilities in any organization and the systems within it is a lax access control policy.
Many organizations still allow employees who have no job-related need for the data to view sensitive cardholder data or to access the network systems that hold it.
In order to adhere to Requirement 7, a merchant or service provider must do the following:
- Computing resources and cardholder information: limit access to employees whose job requires that they have access to the data.
- Implement a "deny all" mechanism: for systems with multiple users, put in place a mechanism that automatically denies access to any employee who is not authorized to view the data.
See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 7.1-7.2 for more information.
Requirement 8: Assign a unique ID to each person with computer access
In order to comply with PCI DSS, each computer user in your organization should be assigned a unique ID, before you allow the user to access your system and the cardholder data stored within your system.
The following PCI DSS requirements represent a sample of Requirement 8:
- Employ a password, a token device, or biometrics to authenticate each user.
- For remote access by employees, administrators and third parties, use Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS) with tokens, or a VPN with individual certificates.
- Encrypt all passwords during transmission and storage on all system components.
See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 8.1-8.5 for more information.
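The "deny all" need-to-know check from Requirement 7 and the unique-ID rule from Requirement 8, written out as an added example (not code from the PCI Security Standards Council or from this guide): role names, user IDs, the generic-account list and the sample record are constructed for illustration.

```python
"""Default-deny, need-to-know access check for cardholder data.

Added example for PCI DSS Requirements 7 and 8 as summarized above; not code
from the PCI Security Standards Council. Role names, user IDs, the
generic-account list and the sample record are constructed for illustration.
"""
from dataclasses import dataclass, field

# Explicit allow-list: which job role may see which cardholder data field.
# Any (role, field) pair missing here is denied, the "deny all" default.
ROLE_GRANTS = {
    "chargeback_analyst": {"pan", "expiry", "cardholder_name"},
    "customer_service": {"cardholder_name"},
}

# Shared or generic logins cannot be tied to one person (Requirement 8).
GENERIC_IDS = {"admin", "root", "shared", "guest"}

@dataclass(frozen=True)
class User:
    user_id: str  # unique ID that identifies exactly one person
    role: str

@dataclass
class AccessControl:
    audit: list = field(default_factory=list)

    def is_allowed(self, user: User, data_field: str) -> bool:
        """Allowed only when the user's role carries an explicit grant."""
        if user.user_id.lower() in GENERIC_IDS:
            return False
        return data_field in ROLE_GRANTS.get(user.role, set())

    def read(self, user: User, record: dict, data_field: str):
        """Return the field or raise; every decision is logged against user_id."""
        allowed = self.is_allowed(user, data_field)
        self.audit.append(f"user={user.user_id} role={user.role} "
                          f"field={data_field} {'ALLOW' if allowed else 'DENY'}")
        if not allowed:
            raise PermissionError(f"{user.user_id}: no need to know {data_field}")
        return record[data_field]

# Constructed sample record; the PAN is a well-known test number, not a real card.
SAMPLE_RECORD = {"pan": "4111111111111111", "expiry": "12/29",
                 "cardholder_name": "A. Example"}

if __name__ == "__main__":
    ac = AccessControl()
    print(ac.read(User("jdoe", "chargeback_analyst"), SAMPLE_RECORD, "pan"))
    print("\n".join(ac.audit))
```

Because the grant table is the only way to say yes, an unknown role or a shared login falls through to a denial and still leaves an audit line naming the individual account.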
Requirement 9: Restrict physical access to cardholder data
Failing to enforce restrictions on employees' physical proximity to sensitive data, such as credit card data, remains a very common and basic violation.
This requirement forces organizations to apply rules on access and proximity to the actual credit card data, and to develop procedures for identifying employees and visitors.
The following PCI DSS requirements represent a sample of Requirement 9:
- Restrict physical access to wireless access points, gateways and handheld devices.
- Restrict physical access to publicly accessible network jacks.
- Store media back-ups in a secure location, preferably an off-site facility.
- Physically secure all paper and electronic media (computers, electronic storage media, networking and communications equipment).
See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 9.1-9.10 for more information.