BlackHat Consultants - Written Information Security Policies

Payment Card Industry Data Security Standard (PCI DSS)

The #1 reason to buy a Written Information Security Program (WISP) is that having a written security program in place is mandatory for all merchants, regardless of their size. The PCI Security Standards Council makes that point even clearer with a new site aimed at smaller merchants, which you can check out for yourself here: https://www.pcisecuritystandards.org/smb/.

This is the real reason why you should care about PCI DSS, since it is arguably the most critical issue facing businesses in terms of Information Security liabilities. You may have overlooked the fine print when you signed your merchant agreement, but if you do accept credit or debit cards, you are legally bound to be compliant with the PCI DSS.

PCI DSS - Merchant Guide

Please click on the image to the left to open a document that covers the PCI DSS in terms of small and medium businesses. It addresses the liability issues and the practical steps businesses must take.

It might be best to print it out and read it over with a cup of coffee! It should be able to answer all of your questions.


The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These compromises cover the full spectrum of organizations, from the very small to very large merchants and service providers.

A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:

    1. Regulatory notification requirements,
    2. Loss of reputation,
    3. Loss of customers,
    4. Potential financial liabilities (for example, regulatory and other fees and fines), and
    5. Litigation.

Post-mortem analysis of compromises consistently shows common security weaknesses that PCI DSS addresses but that were not remediated in the affected organizations when the compromise occurred. PCI DSS was designed, and includes detailed requirements, for exactly this reason: to minimize both the chance of a compromise and its effects if one does occur.

Investigations after compromises consistently show common PCI DSS violations, including but not limited to:

  • Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
  • Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3).
  • Default system settings and passwords not changed when the system was set up (Requirement 2.1).
  • Unnecessary and insecure services not removed or secured when the system was set up (Requirements 2.2.2 and 2.2.4).
  • Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5).
  • Missing and outdated security patches (Requirement 6.1).
  • Lack of logging (Requirement 10).
  • Lack of monitoring via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems (Requirements 10.6, 11.2, 11.4 and 11.5).
  • Poorly implemented network segmentation, resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4).
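The first finding above, stored magnetic stripe data that the merchant does not know about, is one a business can check for itself. The script below is an added example written here (not code from BlackHat Consultants or the PCI SSC): it scans text such as a POS debug log for track 1 and track 2 records, keeps only those whose card number passes the Luhn check, and reports them masked so the report itself does not become stored cardholder data. The sample log is constructed and uses public test card numbers.

```python
import re

# Track 2 (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Track 1 format B: '%B' PAN '^' name '^' YYMM service-code discretionary '?'
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Luhn check: filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return masked findings for every Luhn-valid track 1/2 record in text."""
    findings = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if luhn_valid(pan):
                findings.append({"track": track, "pan": mask_pan(pan),
                                 "expiry": m.group(2), "offset": m.start()})
    return findings


# Constructed sample POS debug log; the PANs are public test numbers.
SAMPLE_LOG = (
    "2012-03-01 10:02:11 swipe ok ;4111111111111111=15121010000000000000?\n"
    "2012-03-01 10:02:12 swipe ok %B5555555555554444^DOE/JANE^1512101000000?\n"
    "2012-03-01 10:02:13 swipe bad ;1234567890123456=15121010000000000000?\n"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

Run it over exported logs, database dumps and POS working directories; any hit means track data is being stored and Requirement 3.2 is not being met.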
Copyright 2005-2012. All rights reserved.
BlackHat Consultants, LLC is Veteran owned - We are proud to support the small & medium businesses that help make this a great country.

The CompTIA Security Trustmark logo is a registered trademark of CompTIA (Computing Technology Industry Association). All rights reserved.