Retailers must take stock of PCI

By Cameron Sturdevant
EWEEK LABS

Until now, most retailers have escaped the embrace of regulatory compliance, but the Payment Card Industry Data Security Standard, or PCI DSS, is changing all that. A 12-part, private-industry-defined rule set, PCI DSS governs cardholder data handling and transaction processing among merchants, banks and card processing companies.

The PCI standard references technologies such as firewalls, wireless protocols and encryption methods, with the goal of guiding companies that handle credit card data to build and maintain secure networks, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, monitor and test networks, and maintain an information security policy.

The rule set entails outside auditing only for large credit card processors, but since any retailer found to leak cardholder data can be required to submit to this external auditing, on penalty of losing card processing privileges, it's a set of regulations that few businesses can avoid.

For IT organizations, the compliance disruption that comes along with PCI DSS can serve as an opportunity to build more secure networks, improve change management systems, and tighten up server and application configurations to achieve compliance and operational efficiency.

eWEEK Labs identified a number of PCI DSS mandates that could significantly improve operations.

For starters, by following Requirement 3.1, which mandates that companies "Keep cardholder data storage to a minimum," organizations can significantly reduce storage costs. Your organization can also reduce liability by not storing this kind of sensitive data, which increasingly requires mandatory disclosure if it is breached.

What PCI asks of organizations

Build and maintain a secure network
Protect cardholder data
Maintain vulnerability management
Implement strong access controls
Monitor and test networks
Maintain an information security policy

Source: PCI Security Standards Council

Another section of the PCI standard that boils down to IT management best practices is one that governs network monitoring. For example, sections of PCI Requirement 1 ask for a "current network diagram with all connections to cardholder data." This is the perfect justification for acquiring a mapping tool, which is essential for understanding what is happening in your infrastructure.

Requirement 1 also asks for descriptions of roles, groups and responsibilities of network management. This is an opportunity for IT managers to implement best practices for network and system management.

Because PCI is sweeping up large numbers of retailers that have not been faced with much outside regulatory responsibility, there is a swelling number of products offered that boast get-certified-quick offers. Don't assume a PCI compliance vendor will cover all the bases. Carry a printout of PCI DSS requirements with you into every compliance vendor meeting. Ask vendors for specific points they cover and where they are weak. Expect to use several tools to get coverage of all 12 requirements.