Payment Card Security and Training: Why It Matters
The PCI Data Security Standard lays out specific requirements for payment card security policies, procedures and guidelines, and numerous programs train, test and certify professionals in those standards.
In discussions of credit and electronic payment security, it's not unusual to hear the acronym PCI, or its expansion, "Payment Card Industry." In the most general terms, this refers to the use of financial cards such as debit, credit, prepaid, e-purse and ATM cards, together with the point of sale (POS) terminals and automated teller machines (ATMs) that accept them, all of which carry or convey monetary value. More specifically, the term refers to the Payment Card Industry Security Standards Council (PCI SSC, at pcisecuritystandards.org), an industry body formed in September 2006 to manage the continuing evolution of the Payment Card Industry Data Security Standard, or PCI DSS.
The original charter members of this organization were American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, so it's safe to say that all the major card brands have been in on the action since its inception.
The real focus for PCI is its data security standard, PCI DSS. It comprises a dozen high-level requirements, each broken down into detailed sub-requirements and testing procedures, against which organizations measure their payment card security procedures, policies, and guidelines. Any organization that stores, processes or transmits cardholder data (accepting or processing payments, handling transactions, and so forth) is expected to meet all twelve requirements and to validate that it does so, either through a self-assessment questionnaire or through an on-site assessment by a Qualified Security Assessor (QSA), with the resulting report going to its acquiring bank. Note that the Council does not certify merchants: its public lists of approved companies and providers cover assessors (QSAs and ASVs) and validated products and solutions, not compliant merchants.
The PCI Security Standards Council itself defines compliance as a matter of “…following the 12 requirements in the standard, working with your acquiring bank, and using the tools offered through the Council” to affirm and maintain compliant status. They also go on to point out that “…PCI DSS compliance is an ongoing process, not a one-time event” that requires participating organizations to “…continuously assess…[their]…operations, fix any vulnerabilities that are identified, and make the required reports to the acquiring bank and card brands…” with which they do business.
A review of the dozen PCI DSS requirements (as worded in the earlier versions of the standard; later versions re-word them but keep the same twelve themes) makes the focus and intent of this program crystal clear:
- Install and maintain a firewall configuration to protect cardholder data and information
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data and information
- Encrypt transmission of cardholder data and information across all open or public networks
- Use and regularly update anti-virus software on all systems that might be affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data and information on the basis of business "need to know"
- Assign a unique ID to each person with computer access, and monitor all such access
- Restrict physical access to cardholder data and information
- Track and monitor all access to network resources and cardholder data and information
- Regularly test security systems and processes
- Maintain a proactive policy to address information security
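Requirements 3 and 10 meet in a place that trips up many merchants: application logs. A PAN that an application writes into a debug log is stored cardholder data, and the standard allows at most the first six and last four digits to be displayed. The following Python script is an added example written for this article, not code from the Council or from any product it lists. It scans constructed log lines for candidate card numbers, uses the Luhn checksum to filter out ordinary numeric identifiers, masks what remains to first-six/last-four, and strips card verification codes outright, because that sensitive authentication data may never be stored after authorization. The log lines, the field names (`pan=`, `cvv=`) and the card numbers (the publicly documented Visa and Mastercard test numbers) are all constructed for the example.

```python
"""Find unmasked primary account numbers (PANs) in log lines and mask them.

Added example for PCI DSS Requirements 3 and 10: a PAN written to a log is
stored cardholder data. Log lines, field names and card numbers below are
constructed test data (the PANs are the public Visa/Mastercard test numbers).
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card verification codes are sensitive authentication data and may never be
# stored after authorization, so they are removed entirely rather than masked.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)=(\d{3,4})")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits of a PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Mask PANs and redact CVV fields in one line.

    Returns the scrubbed line and the PANs (digits only) that were found.
    """
    found: List[str] = []

    def repl(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        # Luhn removes most false positives (order ids, timestamps), but a
        # Luhn-valid non-PAN can still slip through; a BIN table tightens it.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
            return mask_pan(digits)
        return raw

    masked = PAN_CANDIDATE.sub(repl, line)
    masked = CVV_FIELD.sub(r"\1=[REDACTED]", masked)
    return masked, found


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub every line; return the scrubbed lines and the number of PANs."""
    out, count = [], 0
    for line in lines:
        masked, found = scrub_line(line)
        out.append(masked)
        count += len(found)
    return out, count


# Constructed sample log (not captured from any real system).
SAMPLE_LOG = [
    "2024-03-02T10:14:07Z INFO checkout order=1234567890123456 amount=42.10",
    "2024-03-02T10:14:09Z DEBUG gateway request pan=4111111111111111 exp=12/27 cvv=123",
    "2024-03-02T10:14:11Z DEBUG gateway request pan=5555 5555 5555 4444 exp=09/26",
]

if __name__ == "__main__":
    scrubbed, n = scrub_log(SAMPLE_LOG)
    print(f"{n} PAN(s) found")
    for entry in scrubbed:
        print(entry)
```

The 16-digit order number on the first line survives untouched because it fails the Luhn check, while both test card numbers on the other two lines are masked and the verification code is dropped. Finding anything at all with a tool like this is itself a Requirement 3 finding: the fix is to stop the application logging the PAN, not to scrub logs after the fact.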
In practice, achieving PCI DSS compliance consists of several processes or approaches, all of which fit together like building blocks, help organizations develop proper security postures and attitudes, and help assure that the PCI DSS requirements are all met:
- Organizations will usually choose from the Council's lists of validated products and approved providers, tools and technologies that already meet PCI DSS requirements, to provide software and services related to payment cards.
- Organizations will develop security policies, procedures, network architectures, software designs, and various other critical protective measures already known to meet PCI DSS requirements.
- Organizations proceed from the root premise that the goal is to keep cardholder data and information safe and secure throughout every access or transaction, to protect against potential data breaches.
- Organizations will typically make use of consultants or train staff to create PCI DSS compliant designs and security measures for their IT environments, to ensure that cardholder data and information remains secure from unauthorized access, loss, or data breach.
- Organizations make use of assessment services (QSAs for on-site assessments, Approved Scanning Vendors for the required quarterly external vulnerability scans) to check the design and implementation of systems and services that involve access to cardholder data and information, and perform regular ongoing audits and assessments to ensure compliance with PCI DSS requirements over time.
Ed Tittel is a 30-year-plus veteran of the computing industry, who's worked as a programmer, a technical manager, a classroom instructor, a network consultant and a technical evangelist for companies that include Burroughs, Schlumberger, Novell, IBM/Tivoli and NetQoS. He has written and blogged for numerous publications, including Tom's Hardware, and is the author of over 140 computing books with a special emphasis on information security, Web markup languages and development tools, and Windows operating systems.