by Dave Gavic
May 22, 2013 1:00PM
Maintain an Information Security Policy
Requirement 12 of the PCI DSS: Maintain a policy that addresses information security for all personnel
Here we are at the 12th and final requirement of the PCI DSS. What a journey this has been. Looking back, we discussed creating a secure network starting with a firewall at the perimeter, all the way down to limiting users’ access and having unique usernames and passwords for your staff. The final step is to create an information security policy that will guide you and your staff through all of the processes and procedures of your business with security in mind. Think of the information security policy as your rules and expectations for your staff. It is essential that everyone in the company, from top to bottom, understands the guidelines spelled out in the information security policy. Let’s take a look at a few of the requirements in the PCI DSS that your information security policy needs to cover.
The very first point specified in requirement 12.1 is to establish, publish, maintain and disseminate an information security policy that addresses all PCI DSS requirements. I believe that if this requirement is followed properly you will be setting yourself up to have true, consistent behavior in regards to security and not just a check box approach.
This brings me to the most important part of an information security policy: Training. Requirement 12.6 reads:
Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
I feel that having a proper training program set up for your employees is one of the biggest factors in successfully implementing a security policy. If personnel are not educated about their security responsibilities, the security guidelines you have established may become ineffective through errors or unintentional actions. The weakest point of an organization’s security is the end user. If the end user is not trained or educated on security best practices, then critical data will be much harder to protect.
by Dave Gavic
April 25, 2013 10:00AM
Regularly Monitor and Test Networks
Requirement 11 of the PCI DSS: Regularly test security systems and processes
Requirement 11 is one of the more technical requirements of the PCI DSS that focuses on testing the Cardholder Data Environment (CDE) for vulnerabilities. Some of the steps in this requirement will not be able to be completed by the merchant without some outside assistance.
To help you to better understand this requirement, I am going to first explain Requirement 11.2.2, which reads:
An Approved Scanning Vendor (ASV) is an organization approved by the PCI SSC which performs vulnerability scans on merchants’ CDEs. External vulnerability scanning is a specific test that looks for weaknesses in a network’s perimeter that can be exposed or exploited by malicious individuals looking to gain unauthorized access into the network. The PCI SSC has a specific list of rules and guidelines that an ASV must comply with in order to be certified by the PCI SSC to perform external vulnerability scanning for merchants in the pursuit of PCI compliance. Currently the PCI SSC has a list of over 130 certified Approved Scanning Vendors that can be found at the PCI SSC’s website. Having these external vulnerability scans run each quarter is only the beginning of what a merchant will need to do to meet requirement 11.
Now that you understand what external vulnerability scanning is, let’s go back to Requirement 11.2.1 which talks about internal vulnerability scanning.
by Kristyan Mjolsnes
March 26, 2013 9:00AM
In an earlier blog post, we told you about how the PCI Security Standards Council (SSC) released a series of short training videos that make learning about PCI compliance just a little more entertaining. The second video in their series focuses on passwords and why implementing a strong password is important. The creative geniuses at the PCI SSC made this video especially entertaining by comparing an easy-to-remember password (1234) to a beautiful woman.
Check out their second video for yourself, Password Protection.
by Kristyan Mjolsnes
February 21, 2013 11:30AM
Merchants take notice! As of October 28, 2013, all payment applications validated against the Payment Application Data Security Standard (PA-DSS) version 1.2 will have their validation expire. This means the application vendor who provides you with your Point-of-Sale (POS) system will be deemed non-compliant (and so will you) unless they take the proper steps to meet the validation requirements of the updated PA-DSS version 2.0.
As a merchant, you need to make certain the payment application you have in place is a validated payment application according to the latest version of the PA-DSS. This involves the following:
by Kristyan Mjolsnes
February 20, 2013 11:00AM
Over the past three weeks the PCI Security Standards Council has released four separate press releases providing guidance on how to maintain cardholder data security when utilizing various technologies. Understandably, this can be a lot of information to digest, and it can be difficult for a merchant to fully comprehend how each of the security guidelines relates to their business environment.
To make it easier, we have put together brief summaries of each of the four press releases and how they pertain to you, the merchant.
PCI Security Standards Council Publishes ATM Security Guidelines
Released: January 30, 2013
Summary:
The ATM Industry Association’s (ATMIA) 2012 ATM Global fraud survey confirmed that payment card skimming remains the top threat to ATMs. To help defend against skimming and other threats, the PCI Council along with a number of other industry groups developed a comprehensive set of compromise-prevention best practices to help with better ATM security.
How it pertains to me, the merchant: