Understanding the 12 Requirements of PCI DSS
Practical steps to achieve and maintain compliance
opinion piece | Understanding the 12 Requirements of PCI DSS
Proactive steps to become compliant

Once you understand the requirements, it is recommended that you communicate these to the broader organisation and follow proactive steps to achieve and maintain PCI DSS compliance without losing sight of your overall IT security posture.

Step 1: Build a roadmap

As a first step, it is important to build a roadmap to determine your existing status and future goals, because the requirements on the different merchant and provider levels will affect your approach to the project. Each project should have an agreed start, target and end date and should be assigned the right resources within your business to ensure successful implementation. A resource within the IT department or, if appropriate, the entire business should be tasked with keeping abreast of new threats and any impending changes/additions to the PCI DSS requirements. This ensures that you can adapt your roadmap and milestone projects accordingly.

In addition, validation should be an ongoing effort with quarterly and annual tasks, including onsite assessments and audits, self-assessment questionnaires and quarterly security scanning of all Internet-accessible systems and applications.

Step 2: Assess performance and risk

Organisations need to conduct a thorough assessment of where personal account data is held. They need to understand where weaknesses exist and how they need to be addressed. Without conducting this assessment, virtually no retailer can be anything more than reactive in its data security practice.

Once the assessment is completed, you should map PCI mandatory requirements and government regulations to current business processes and systems. This is an important step, since mandates and regulations may overlap, and it also ensures that previous investments and work are leveraged. Once this mapping exercise has been completed, you can then prioritise changes to both operational processes and systems.

Step 3: Build a secure architecture

Once assessments have taken place, organisations need to build an architecture that supports the overall IT security and compliance roadmap. This often includes re-architecting the existing network and security controls to create an architecture that can address changes in the 12 requirements.

In an ideal world, all consumer-specific data, not just payment data, should be encrypted. While the PCI DSS has very specific requirements regarding encryption of personal account numbers, forward-thinking organisations should view this as an opportunity to remain at least one step ahead of industry mandates and potential legislation.

Step 4: Develop appropriate storage, retrieval and disposal processes

The vast majority of retailers, large and small, hold on to sensitive data for a period of two years. However, many experts strongly advise "Don't store it if you don't need it" as the golden rule of data security risk avoidance. Businesses need to become more systematic in the destruction of transactional data once the business purpose for keeping it has passed.

Step 5: Proactively monitor and manage the network

While larger organisations seem to be more focused on ensuring that sensitive data remains secure throughout the life cycle of business applications, businesses of all sizes find tracking and monitoring a major business challenge. This can be mitigated by enacting clear policies of network administration, but again, can only be accomplished once a full understanding of the "real view" of current practices is attained. Logging and monitoring are key technology enablers in ensuring a secure network, as are frequent network penetration tests.

In addition, having a centralised control framework allows companies to effectively implement policies while providing a linkage to business controls, including controls over financial reporting. It helps protect sensitive information from unauthorised disclosure, safeguards the accuracy and completeness of information, ensures that information and vital IT services are available when required, and provides information and services with a high level of efficiency.

In conclusion, it is crucial that IT organisations build a platform to achieve PCI compliance and maintain the appropriate level of compliance going forward. Organisations that successfully demonstrate to executives what their current security practices are through a consolidated view, where the dangers lie, and what their practices should be as defined by industry regulations and benchmarks, have a far greater chance of defining the financial risk that surrounds non-secured customer-specific data and securing appropriate boardroom commitment and investment.
various regulatory and governance requirements are common. Understanding what regulations affect your business will enable you to map the common activities into an overall compliance plan.

Figure: Monitoring; Security controls; Network infrastructure
Why should PCI DSS be the basis of your compliance plan?

PCI DSS is a comprehensive regulation from an IT perspective, because it deals with major issues. It is therefore the best standard upon which to build your compliance plan. It assists you to:
• Build and maintain a secure network, thereby ensuring that you have the most appropriate network technology and configurations for your business
• Maintain a vulnerability management programme, which is about maintaining the network correctly and having the right malware protection for your systems
• Implement strong access control measures, which entail who can access what data and how you control their access
• Regularly monitor and test networks to prove that malicious activity is not occurring
• Maintain an information security policy, which is often conducted at too high a level. The definitions in the PCI DSS standards allow for a greater level of control, which in turn leads to more effective management
CS / DDCC-0776 / 04/11 © Copyright Dimension Data 2011 For further information visit: www.dimensiondata.com