Regularly monitor and test networks
Requirement 10: Track and monitor access to network resources and Cardholder data
The use of logging mechanisms and audit trails allows an organization to track user activities. According to the PCI DSS, the ability to log and track activity is what makes it possible to determine where a problem occurred.
The following PCI DSS requisites represent a sample of Requirement 10:
- Establish a process for linking all access to system components to each individual user.
- Implement automated audit trails for all system components, including all actions taken by any individual with administrative privileges.
- Secure audit trails so they cannot be altered.
- Limit viewing of audit trails to those with a job-related need.
- Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 10.1-10.7 for more information.
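The items above (link every access to an individual user, secure audit trails so they cannot be altered, back them up to a central log server) are what a tamper-evident audit trail implements. The following Python example is added here as an illustration and is not code from the PCI guide or the PCI Security Standards Council; it shows an HMAC-keyed hash chain in which every record names the responsible user and a verification routine detects edited, deleted and reordered records. The key, user names, actions and timestamps are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor for the first record
RECORD_FIELDS = ("seq", "ts", "user", "action", "target")


def chain_digest(key: bytes, prev_hash: str, record: dict) -> str:
    """HMAC over (previous hash || canonical JSON of the record).

    Keying the digest means someone who can rewrite the log file but does not
    hold the key (kept on the central log server) cannot recompute a
    consistent chain after altering a record.
    """
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit trail; every entry commits to the one before it."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries = []

    def append(self, user: str, action: str, target: str, ts: Optional[str] = None) -> dict:
        # Each record names the individual responsible (Requirement 10's
        # "link all access to each individual user") and carries a
        # monotonically increasing sequence number.
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        record = {
            "seq": len(self._entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "target": target,
        }
        entry = dict(record, prev=prev, hash=chain_digest(self._key, prev, record))
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        # Copies, so callers (or a log shipper) cannot mutate internal state.
        return [dict(e) for e in self._entries]


def verify_chain(entries: list, key: bytes, expected_head: Optional[str] = None):
    """Recompute every digest; return (True, None) or (False, first_bad_index).

    Catches field edits, deleted or inserted records and reordering, because
    each changes the sequence number, the prev link, or the HMAC input.
    Truncating the tail is only caught when the caller supplies the latest
    hash stored off-box (expected_head), which is why the requirement wants
    prompt backup to a central log server.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        try:
            record = {k: e[k] for k in RECORD_FIELDS}
        except KeyError:
            return False, i
        if e.get("seq") != i or e.get("prev") != prev:
            return False, i
        expected = chain_digest(key, prev, record)
        if not hmac.compare_digest(str(e.get("hash", "")).encode(), expected.encode()):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, None


def tamper_demo() -> dict:
    """Build a small constructed log and show which manipulations are caught."""
    key = b"hypothetical-log-server-key"  # constructed placeholder key
    log = AuditLog(key)
    log.append("alice", "SELECT", "cardholder_db", ts="2024-03-01T10:00:00+00:00")
    log.append("root", "MODIFY", "firewall_rules", ts="2024-03-01T10:05:00+00:00")
    log.append("bob", "EXPORT", "cardholder_db", ts="2024-03-01T10:09:00+00:00")
    clean = log.entries()
    head = clean[-1]["hash"]  # what the central server would have recorded

    edited = log.entries()
    edited[1]["user"] = "alice"  # reattribute the admin change

    deleted = [e for e in log.entries() if e["seq"] != 1]  # drop a middle record
    truncated = clean[:2]  # drop the last record

    return {
        "clean": verify_chain(clean, key),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated": verify_chain(truncated, key),
        "truncated_with_head": verify_chain(truncated, key, expected_head=head),
        "wrong_key": verify_chain(clean, b"other-key"),
    }
```

Running tamper_demo() shows the one gap a bare hash chain leaves: removing the newest record still verifies unless the latest hash is also held on the central log server, which is the practical reason behind the "promptly back up audit trail files to a centralized log server" item.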
Requirement 11: Regularly test security systems and processes
Without continuous testing of the security systems in place, attackers can capitalize on system-wide vulnerabilities in processes and custom software.
The following PCI DSS requisites represent a sample of Requirement 11:
- Quarterly Security Testing: Test all security controls, network connections, and restrictions annually, and use a wireless analyzer at least quarterly to identify all wireless devices in use.
- Quarterly Vulnerability Scans: Run internal and external network vulnerability scans quarterly, and additionally after any change in the network.
- Penetration Testing: Perform penetration testing once a year, and additionally after an operating system upgrade, a sub-network being added to the environment, or a web server being added to the environment.
See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 11.1-11.5 for more information.
Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security
One of the most basic tools to combat a security breach is an actual written policy for all employees in the organization.
As the PCI DSS states, "A strong security policy sets the security tone for the whole company and informs the employees what is expected of them."
The following PCI DSS requisites represent a sample of Requirement 12:
- Establish, publish, maintain, and disseminate a security policy that addresses all of the requirements in the specifications.
- Develop daily operational security procedures that are consistent with requirements in this specification.
- Develop usage policies for critical employee-facing technologies to define proper use of these technologies for all employees and contractors.
- Prohibit storage of cardholder data onto local hard drives, floppy disks, or other external media when accessing cardholder data remotely via a modem.
See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf 12.1-12.10 for more information.