Friday, February 8, 2008

Profiting From PCI Compliance

The six categories of PCI best practices

Taken together, the six areas of data protection prescribed by the PCI standard help you build a comprehensive approach to overall security. They address security concerns from network protection to security governance policies.

1) Build and maintain a secure network.
Create a firewall to secure cardholder data.
Go Beyond vendor defaults for passwords and other security parameters.


2) Protect Cardholder data.
Protect stored data.
Encrypt Data Transmission.


3) Maintain a vulnerability management program.
Employ and update anti-virus software.
Develop and maintain application security.


4) Implement strong access control measures.
Restrict access to cardholder data on a need-to-know basis.
Assign a unique ID to each authorized user.
Restrict physical access to cardholder data.


5) Regularly monitor and test networks.
Track and monitor access to network resources and data.
Regularly test security systems and processes.


6) Maintain an Information Security Policy.
Develop and maintain policy-based security protocols.

While the PCI standard might seem like another snarl of red tape to companies already burdened with financial services industry regulations such as International Organization for Standardization (ISO) / International Electro technical Commission (IEC) 27002 and the Sarbanes-Oxley Act, the standard can actually simply your job enormously. It is so comprehensive and well designed that it can be seen as a compliance enabler for a broad set of industry regulations. And because privacy is a core concern for almost all business, PCI standard compliance supports your bottom line.


In fact, the PCI standard can actually become the central principle around which your overall governance and risk management strategy can be organized. By adopting the PCI standard as a best practice and aligning its security measures with your business processes, you will be likely see significant gains in efficiency and data security.

No comments: