Sunday, July 12, 2009

12 requirements and explanations for Security

... From Biz2Biz NWA February 2009

Companies wanting to put that proactive piece in place may want to adhere to the PCI Data Security Standard (any business that accepts payment cards is contractually required to comply with it). Here are the 12 requirements and explanations:

1. Install and maintain a firewall configuration to protect cardholder data.
= For a home office this may be the software firewall included in security suites such as McAfee or Norton. For a business it means a hardware firewall, or a router with a firewall built in, configured so that only the traffic you actually need can reach the systems that handle card data; a firewall that is installed but left wide open keeps nobody out. Consult your IT professional.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
= Change the manufacturer's default passwords on your Point of Sale (POS) software, your firewall, any wireless access points and any other hardware that stores or transmits credit card data. Default credentials are published in vendor manuals and are the first thing an attacker tries.
3. Protect stored cardholder data.
= Make sure credit card data cannot be accessed by unauthorized staff. Retain only the data that is absolutely necessary, and store what you do keep in an encrypted, truncated or hashed form so that a full card number is never sitting readable on disk. The card security code (CVV2), the PIN and the full magnetic-stripe contents must never be stored after a transaction is authorized, not even encrypted.
4. Encrypt transmission of cardholder data across open, public networks.
= Your POS system vendor must use strong, current encryption (such as TLS) for transmission, and cardholder data must never travel over the Internet or a wireless network unencrypted.
5. Use and regularly update anti-virus software.
= Keep your anti-virus software current, both its signature updates and the product itself, on every system that touches card data, and make sure staff cannot switch it off.
6. Develop and maintain secure systems and applications.
= Apply vendor security patches promptly, and make sure your web applications are built and tested against common flaws such as SQL injection and cross-site scripting.
7. Restrict access to cardholder data by business need-to-know.
= Not everyone needs access to the POS software; grant it only to staff whose job requires it. Anyone with authority to take a credit card or view transaction information must have a unique login so that every access can be traced back to a specific user.
8. Assign a unique ID to each person with computer access.
= Never let staff share a login; check with your POS vendor if you need help setting up individual accounts. Your policy should require staff to log out whenever they step away from the computer.
9. Restrict physical access to cardholder data.
= Keep paper receipts, reports and any media that carry account numbers locked away, limit who can get at them, and shred or destroy them when they are no longer needed.
10. Track and monitor all access to network resources and cardholder data.
= Business owners and their managers must be able to see who did what: keep audit logs that record each action against the unique user ID that performed it, protect those logs from tampering, and review them regularly.
11. Regularly test security systems and processes.
= Can you hack your own system? A first check is to enter a wrong login name or password and confirm the system refuses you; a real test goes further, with regular vulnerability scans and penetration tests of the systems that handle card data. Visa recommends you ask your security vendors to provide this additional testing, which may include rehearsing how a suspected security breach is reported up your chain of command.
12. Maintain a policy that addresses information security.
= Write a security policy using these requirements as the guideline, keep your staff informed of it, and enforce it.
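The following Python sketch is an added example, not code from the Biz2Biz article or from any POS vendor. It shows what requirements 3, 7, 8, 10 and 11 look like when written down: a card record that keeps only a truncated number and a keyed one-way hash, a need-to-know check by role, an audit entry for every access tied to a unique user ID, and a self-check that scans a log for card numbers written in the clear. The key (HMAC_KEY), the role names, the user IDs and the sample log lines are all constructed for the example.

```python
import hashlib
import hmac
import re
import time
from dataclasses import dataclass, field

# Hypothetical key for this example only. In production the key lives in a
# key-management system or HSM and is rotated; it is never hard-coded.
HMAC_KEY = b"example-only-key-do-not-use"

# Roles allowed to read card records (need-to-know, Requirement 7). Assumed names.
READ_ROLES = {"cashier", "manager"}

# Runs of 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check the card brands use; rejects mistyped numbers before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to at most the first six and last four digits, the form that
    may appear on receipts and screens (Requirement 3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str) -> str:
    """Keyed one-way hash so a returning card can be recognised without the
    full PAN being kept anywhere."""
    return hmac.new(HMAC_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_unmasked_pans(text: str) -> list:
    """Requirement 11 self-check: digit runs in a log or file that pass Luhn,
    i.e. card numbers that should never have been written in the clear."""
    return [m.group() for m in PAN_RE.finditer(text) if luhn_valid(m.group())]


@dataclass
class CardVault:
    """Toy store: keeps only the masked PAN and its fingerprint, enforces
    need-to-know by role, and writes an audit entry for every access
    (Requirements 7, 8 and 10)."""
    roles: dict                              # unique user ID -> role
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _audit(self, user_id: str, action: str, record_id: str, allowed: bool):
        self.audit_log.append({"ts": time.time(), "user": user_id,
                               "action": action, "record": record_id,
                               "allowed": allowed})

    def store(self, user_id: str, record_id: str, pan: str) -> str:
        """Store a card reference; the full PAN, CVV2 and track data are never kept."""
        if user_id not in self.roles:
            self._audit(user_id, "store", record_id, False)
            raise PermissionError("unknown user; every operator needs a unique ID")
        if not luhn_valid(pan):
            self._audit(user_id, "store", record_id, False)
            raise ValueError("PAN failed Luhn check")
        masked = mask_pan(pan)
        self.records[record_id] = {"masked": masked, "fp": pan_fingerprint(pan)}
        self._audit(user_id, "store", record_id, True)
        return masked

    def lookup(self, user_id: str, record_id: str) -> str:
        """Return the masked PAN, but only to roles with a business need."""
        allowed = self.roles.get(user_id) in READ_ROLES and record_id in self.records
        self._audit(user_id, "lookup", record_id, allowed)     # denials are logged too
        if not allowed:
            raise PermissionError(f"{user_id} may not read {record_id}")
        return self.records[record_id]["masked"]

    def same_card(self, record_id: str, pan: str) -> bool:
        """Match a freshly presented card against a stored reference."""
        rec = self.records.get(record_id)
        return rec is not None and hmac.compare_digest(rec["fp"], pan_fingerprint(pan))

    def accesses_by(self, user_id: str) -> list:
        """Requirement 10: every access traces back to one user ID."""
        return [e for e in self.audit_log if e["user"] == user_id]


if __name__ == "__main__":
    # Constructed sample: a well-known test PAN, two staff IDs, one log excerpt.
    vault = CardVault(roles={"cashier01": "cashier", "cleaner02": "facilities"})
    print(vault.store("cashier01", "txn-1001", "4111111111111111"))
    try:
        vault.lookup("cleaner02", "txn-1001")
    except PermissionError as e:
        print("denied:", e)
    print(vault.accesses_by("cleaner02"))
    log = "sale ok pan=4111111111111111 amt=12.50\nsale ok pan=411111******1111 amt=3.00\n"
    print("PANs leaked into log:", find_unmasked_pans(log))
```

The point of the denial path in lookup is that a refused access is still an audit event: when a breach is suspected, the first question is who tried to read what, and a log that records only successes cannot answer it. The log scanner is the kind of test requirement 11 asks for: run it over POS logs, web-server logs and database dumps, and any hit means a system is storing card numbers in the clear somewhere it should not.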
