What is it?
Often abbreviated PCI-DSS, the Payment Card Industry Data Security Standard was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, hacking, and related security vulnerabilities and threats. A company that processes, stores, or transmits payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments, as well as fines and imprisonment upon violation. Merchants and payment card service providers must validate their compliance periodically. This validation is conducted by auditors.
Requirements
Currently, the standard has 12 requirements for compliance, organized into 6 groups called "control objectives," as follows:
- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Historical Transaction Logging
Within these 6 categories and their 12 sets of stringent requirements, auditors may demand that a company provide an audit trail that can be monitored for anomalies and used for security forensics. The major requirements are:
- PCI-DSS 10.2: Implement an automated audit trail for all system components so that events can be reconstructed
- PCI-DSS 10.3: Record, for every audit trail entry on all system components, the user ID, type of event, date and time, success or failure indication, and origination of the event
- PCI-DSS 10.7: Retain the historical audit trail for at least one year, with a minimum of 3 months immediately available on-line
(PCI Data Security Standard v1.1)
Such a solution must be able to provide a complete historical trail, including the data values from the past, for every read, update, change, delete and access transaction, including those performed by privileged users.
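As an added illustration (not part of the original page or of the standard itself), the check below flags audit-trail entries that lack one of the 10.3 fields listed above and sorts entries into retention tiers matching the 10.7 periods. The field names, the constructed sample entries, and the 90-day reading of "3 months" are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Fields every audit-trail entry must carry under PCI-DSS 10.3
# (assumed key names for: user ID, event type, date/time, success/failure, origination)
REQUIRED_FIELDS = ("user_id", "event_type", "timestamp", "success", "origin")

ONLINE_MIN = timedelta(days=90)    # 10.7: at least 3 months immediately available (assumed 90 days)
RETAIN_MIN = timedelta(days=365)   # 10.7: retain for at least one year

def validate_entry(entry):
    """Return the names of 10.3 fields that are missing or empty in this entry."""
    problems = [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "")]
    # The success/failure indication must be an explicit boolean, not free text
    if "success" not in problems and not isinstance(entry["success"], bool):
        problems.append("success")
    return problems

def retention_tier(entry, now):
    """Classify an entry by age: 'online', 'archive', or 'expired' (past the one-year minimum)."""
    age = now - datetime.fromisoformat(entry["timestamp"])
    if age < ONLINE_MIN:
        return "online"
    if age < RETAIN_MIN:
        return "archive"
    return "expired"

def audit_report(entries, now):
    """Return (indices of entries failing 10.3, count of entries per retention tier)."""
    invalid = [i for i, e in enumerate(entries) if validate_entry(e)]
    tiers = {}
    for e in entries:
        tier = retention_tier(e, now)
        tiers[tier] = tiers.get(tier, 0) + 1
    return invalid, tiers

# Constructed sample entries for demonstration; not taken from any real system
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"user_id": "dba_alice", "event_type": "read_pan", "timestamp": "2024-05-30T10:00:00+00:00",
     "success": True, "origin": "10.0.0.5"},
    {"user_id": "", "event_type": "update_card", "timestamp": "2024-01-15T08:30:00+00:00",
     "success": True, "origin": "10.0.0.7"},      # empty user ID: fails 10.3
    {"user_id": "root", "event_type": "delete_record", "timestamp": "2023-03-01T00:00:00+00:00",
     "success": "yes", "origin": "console"},     # non-boolean indication; older than one year
]

if __name__ == "__main__":
    print(audit_report(SAMPLE, NOW))
```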
Cost of Non-Compliance
"Members are subject to fines, up to $500,000 per incident...that is compromised and not compliant at the time of incident" (VISA)