
Implementation of the PCI DSS

Payment Card Industry Data Security Standard, also called PCI DSS, has been designed to provide guidelines and benefits for implementation of a standard set of security controls.

What is the first step? PCI DSS has twelve different requirements, so it is best to start at the very beginning of the set of regulations.

The first requirement decrees that your system must have a firewall installed to ensure the security of cardholder data. This lets you control which incoming traffic is allowed to reach sensitive information on your system.

The next requirement mandates that vendor-supplied default configuration must not be used for any security parameter, such as passwords. Default passwords are generally well known to hackers, and they will be the first means tried to gain access to your system.

Requirement number three states that cardholder data must be protected. The statement is very general and can mean a lot of things, but here it means that physical and digital access to cardholder data must be restricted. The requirement also regulates what kind of data can be stored and what cannot.

The fourth requirement deals with the encryption of data transmitted across publicly accessible networks. Often a hacker will try to intercept data on open lines rather than try to override security controls and break into a system. It is extremely important that such data be encrypted so that, even if it is intercepted, it is not readable to the hacker.

Requirement five addresses the non-human threats. According to this mandate, you must use anti-virus software that is regularly updated, so that your system is protected against the malicious programs that are loose on the net. These programs can reach your system through various means, and you must be on your guard against them.

The sixth requirement is the development and maintenance of secure applications. All your applications and programs must be kept up to date, with the latest security controls installed. If you discover any security lapse in your programs, it must be fixed and patched immediately.

Requirement seven is the standard that regulates access to sensitive information on a need-to-know basis related to business or legal purposes. Unless it is mandatory for people to have access to such information, they should not be allowed access to the data.

The eighth requirement states that everyone who is allowed access to computer systems must be assigned a unique ID. This ensures that activity on sensitive systems can be tracked and monitored according to who performed it, so that any action, whether authorized or not, can be traced back to the person responsible.

Requirement number nine says that physical access to the systems must be restricted. This is to ensure that unauthorised personnel do not have access to hard copies, equipment and encryption keys.

The tenth requirement mandates that all access to cardholder data, and all other network access, be tracked and monitored. This is an essential requirement, because if something does go wrong, such logging lets you track down and analyze the source of the problem.

Requirement number eleven says that security systems and other processes must be regularly tested. Even if you think your security measures are flawless, a hacker may still find a loophole unknown to you. Testing the measures regularly will help you find such vulnerabilities in your system before a hacker does.

The twelfth and final requirement mandates the maintenance of an information security policy that covers employees. This ensures that your employees are aware of the standards and procedures in use. If your people don't know what is going on, the standard cannot be implemented effectively, so you must keep all employees informed of such systems.


Article Source: http://EzineArticles.com/?expert=Robert_R._Brady