This is a simple guide to PCI DSS compliance. It is just that, a simple guide with no guarantees whatsoever.
For the definitive guide to this subject, see https://www.pcisecuritystandards.org/ or there's an excellent detailed overview at http://www.pcicomplianceguide.org/aboutpcicompliance.html
What's PCI?
The Payment Card Industry (PCI) is a joint industry organisation set up by a group of the major credit card companies. Part of PCI is the PCI Security Council.
What's PCI DSS?
PCI DSS is PCI's Data Security Standard (DSS), created, owned and managed by the PCI Security Council.
Under the PCI DSS, an organization should be able to assure its customers that their credit card account data and transaction information are safe from hackers or any other malicious system intrusion.
The PCI Security Standards Council is not a policing organization. It does not enforce the PCI DSS, nor does it set the penalties for violations of the PCI DSS. Enforcement is left to the specific credit card companies and acquirers. PCI DSS does not replace the individual credit card company's compliance programs.
Basic rules on PCI DSS compliance:
- PCI DSS compliance includes merchants and service providers who accept, capture, store, transmit or process credit and debit card data.
- As of September 2006, PCI DSS 1.1 includes 12 major requirements (see below). A single violation of any of the requirements can trigger an overall non-compliant status.
- Each non-compliant incident will result in steep fines, suspension and revocation of card processing privileges.
Who enforces PCI compliance?
Each credit card company separately determines who must be compliant, including any brand-specific enforcement programs.
Credit card companies and acquirer banks can levy stiff fines and remove the merchant's ability to process credit card transactions until the merchant is PCI compliant.
To be PCI DSS compliant, each card issuer has its own criteria for assigning a merchant level and a compliance validation level to a merchant, third party or service provider.
For the majority of organizations, the standards set forth by Visa's CISP program and MasterCard's SDP program cover the qualifications for assigning both a merchant level and compliance level, along with incorporating PCI DSS.

What are the different PCI compliance levels?
Four compliance levels (1 to 4 with 1 being the highest) are defined for both Merchants and Service Providers.
The compliance level is based on transaction volume (the higher the number of transactions, the higher the level required) but the highest level may also be imposed on other organisations that have been attacked or are otherwise thought extra risky.
Each level of compliance has an associated defined level of compliance validation which defines the validation and audit actions and who needs to carry out the validation actions, in order to be PCI DSS compliant. For full details, see https://www.pcisecuritystandards.org/ or http://www.pcicomplianceguide.org/aboutpcicompliance.html

What are the 12 major PCI requirements?
PCI DSS compliance specifies 12 major requirements which fall into 6 categories as follows:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Don't use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
How can Phoenix Datacom help?
Phoenix Datacom can help you or your security contractor meet PCI compliance by providing products directly related to the 12 requirements above, specifically in the areas of network security, vulnerability management, monitoring and testing.
Are you snowed under by event logs and alerts? Are you responding to threats and vulnerabilities quickly enough?
You may have anti-virus, firewalls and IDS installed, but you are not compliant unless you are monitoring, analysing and responding to the hundreds of thousands of alerts and event log entries generated by those devices. Very few organisations have the staff to do this and many rely on periodic checking of logs. Syslog correlation software may help, but you are still not compliant unless you have the mechanisms and resources to analyse and respond immediately to a threat.
TriGeo, specifically designed for mid-sized organisations without limitless budgets or resources, is an award-winning security information and event management system that helps you solve this problem.
TriGeo automatically monitors alerts and syslog entries from devices such as anti-virus, firewalls, IDS/IPS, routers and servers (regardless of manufacturer), provides automatic correlation of alerts and event logs, AND it can be configured for active response, sending appropriate blocking commands to the alerting device, all in real time.
Is wireless LAN a threat to you?
The PCI standards consider wireless LAN a particularly strong threat and require regular scans for wireless activity. If you are using wireless LAN in your network, how do you check that it is still configured for maximum security, and how do you guard against wireless intruders? If you have decided not to use wireless technology, how do you know it hasn't been introduced accidentally or maliciously (e.g. through a wireless-enabled laptop)?
AirMagnet provides a range of wireless security tools - from portable analysers for regular scans to permanently installed probes for 24x7 surveillance of wireless activity.
Is your network safe against insider attack? Is your network safe against innocent insider mistakes?
People inside your firewalls can cause more loss than external attacks, through malicious or accidental actions, or even through unwitting activity on machines that have already been compromised. Are you doing enough about internal security?
Sourcefire Enterprise Threat Management systems provide protection by combining Snort-based Intrusion Prevention, Network and User Behavior Analysis (spotting anomalous traffic, for instance), Network Access Control (enforcing policies) and Vulnerability Assessment.
Are your security devices connected in the best possible way?
Relying on SPAN or mirror ports to connect security devices is not good enough. Modern network access taps provide greater security, reliability and accuracy, particularly on heavily loaded networks or networks under attack. Better still, the latest generation of intelligent taps provides much greater flexibility and economy, connecting a single network segment to multiple monitors, for instance, or aggregating multiple network segments onto one or more monitors and analysers.
VSS Monitoring provide a complete range of taps from simple 1:1 taps to intelligent, totally configurable n:n multiple taps featuring both data aggregation and data filtering.
If the worst happens, do you have forensic evidence of what went wrong?
If there is a malicious leak or accidental loss of electronic data from an organisation, it is essential to plug the leak, discover the culprit and preserve the forensic evidence. Speed is essential. That's where network forensic solutions from Phoenix Datacom come in.
Phoenix Datacom network forensics solutions are independent appliances that connect to the network at key points to capture all data entering or leaving the network in real time. Forensic application software allows security investigators to establish very quickly the who, what, when and how of incidents, including recreating network traffic and sessions and preserving the forensic trail: a detective's dream.

To find out more about security and compliance products
call Phoenix Datacom on 01296 397711 or use
the Request More Info form.