Читать книгу The Official (ISC)2 CISSP CBK Reference - Leslie Fife, Aaron Kraus - Страница 52

If your organization handles payment card information (i.e., credit or debit cards), you are likely required to demonstrate PCI DSS compliance. PCI DSS is a proprietary security standard established in 2004. PCI DSS establishes technical and operational requirements for merchants and service providers that accept or process cardholder data and/or sensitive authentication data, as well as for software developers and manufacturers of the applications and devices used in payment card transactions.

NOTE The Payment Card Industry Security Standards Council (PCI SSC) was formed in late 2006 with the goal of ongoing management of the PCI DSS. The PCI SSC is composed of MasterCard Worldwide, Visa International, American Express, Discover Financial Services, and Japan Credit Bureau. To learn more about the Council and the PCI DSS, visit www.pcisecuritystandards.org.

The PCI DSS includes more than 200 security controls organized into 12 requirements, further categorized into 6 goals that generally align with security best practices. Per the PCI SSC, the PCI DSS covers the following:

 Build and Maintain a Secure NetworkRequirement 1: Install and maintain a firewall configuration to protect cardholder data.Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

 Protect Cardholder DataRequirement 3: Protect stored cardholder data.Requirement 4: Encrypt transmission of cardholder data across open, public networks.

 Maintain a Vulnerability Management ProgramRequirement 5: Use and regularly update antivirus software or programs.Requirement 6: Develop and maintain secure systems and applications.

 Implement Strong Access Control MeasuresRequirement 7: Restrict access to cardholder data by business need to know.Requirement 8: Assign a unique ID to each person with computer access.Requirement 9: Restrict physical access to cardholder data.

 Regularly Monitor and Test NetworksRequirement 10: Track and monitor all access to network resources and cardholder data.Requirement 11: Regularly test security systems and processes.

 Maintain an Information Security PolicyRequirement 12: Maintain a policy that addresses information security for employees and contractors.

Although PCI DSS is not yet a legal requirement, it is often a contractual requirement, and a prime example of an industry standard that is used to mandate, enforce, and audit security standards for applicable organizations across almost all jurisdictions. Because it is not a legislation, PCI DSS is not governed by or enforced by any government body. Instead, compliance with PCI DSS is assessed and enforced by the payment card companies (e.g., Visa, Mastercard, American Express, etc.) mentioned earlier in this section. Failure to satisfy PCI DSS requirements can cost an organization its ability to receive and process such payment card transactions.