Payment Card Data Security Assessments

Fortunately, for those businesses that accept credit cards and store those credit card numbers on their information technology resources, the compliance standards excerpted below from the Payment Card Industry (PCI) Security Standards Council are relatively straightforward. They ask little in addition to what your firm is likely to be already doing to achieve reasonable security over IT data and resources needed to conduct business.

Below is a simple matrix that outlines the PCI standards and notes where additional PCI-specific compliance measures are needed:

	PCI Requirement	Extra compliance effort required?
1	Install and maintain a firewall configuration to protect cardholder data.	No, unless you do not have a DMZ in your network configuration.
2	Do not use vendor-supplied defaults for system passwords and other security parameters.	No, unless you permit default passwords and don't have your IT auditors verify they have been changed.
3	Protect stored cardholder data.	No, unless your IT internal auditors do not verify the separation of duties as adequate, nor verify that the separations are enforced by your defined access profiles, and that physical access to PCI data is restricted and backup tapes are password protected and encrypted.
4	Encrypt transmissions of cardholder data across open, public networks.	No, unless you do not already have encrypted email and communication channels via your VPN or other means.
5	Use and regularly update anti-virus software.	No, unless your firm's anti-virus configurations are not up to snuff.
6	Develop and maintain secure systems and applications.	No, unless your IT audit function is not using a risk assessment to define the scope of their audits, or you do not have IT internal audit.
7	Restrict access to cardholder data by business need-to-know.	No, see #3 above.
8	Assign unique ID to each person with computer access.	No, unless you do not enforce unique network and application user ID's.
9	Restrict physical access to cardholder data.	No, unless your policy does not define physical access requirements and your IT internal audit does not verify that access restrictions are in place and can be relied upon.
10	Track and monitor all access to network resources and cardholder data.	Yes, monitoring of all access to cardholder data will likely require additional software to record and monitor access, additional IT internal audit steps will be needed to confirm the functionality of these tracking and monitoring efforts.
11	Regularly test security systems and processes.	Yes, a PCI registered firm must perform an independent review of your system security measures.
12	Maintain a policy that addresses information security.	No, your information security policy should already have stated maintenance and update requirements.

At FDC Associates we are expert at assessing gaps in your firm's PCI compliance program and providing clear remediation direction when you need it. We have a PCI-licensed business partner that will provide your independent PCI security scans at a reasonable rate. At FDC Associates, we have a complete PCI compliance solution. For more information, complete an Information Request or Contact Us.