PCI DSS is a global information security standard consisting of 12 requirements, assembled and released by the Payment Card Industry Security Standards Council (PCI SSC). It was created to help organizations that store, process or transmit credit card information prevent credit card fraud.
This blog post details some of the differences between PCI DSS 1.1 and 1.2, and offers several best practices and four useful tips for obtaining and maintaining PCI DSS compliance. Changes are in the works for DSS, with a formal announcement coming in the fall,
Below are some of the key changes from PCI DSS v1.1 to v1.2:
Wireless network changes from v1.1 to v1.2:
Anti-virus requirement differences:
Four useful tips (going beyond the checklist):
1. Compliance is not a one-time project – it is an ongoing process
a. One of the biggest dangers of the checklist approach is treating compliance as a one-time project. It is an ongoing process of checking and re-checking the various security controls, and of enforcing them. Companies should not consider themselves immune to attacks simply because they have achieved compliance.
2. End-to-end encryption (E3)
a. PCI DSS does not mention, or require, encrypting the card data from the point at which the customer's card is “swiped.” Doing so significantly reduces the value of the data if it is intercepted anywhere along the path to the processor.
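To make the point concrete, here is an added example (not code from the original post) that models end-to-end encryption from the swipe: the terminal encrypts the PAN immediately after capture, every intermediate hop (store LAN, log collector, a passive tap) sees only ciphertext, and only the payment processor can decrypt it. Assumptions: AES-256-GCM under a key shared solely with the processor (a real terminal would receive its keys from an HSM-based scheme such as DUKPT rather than a hard-coded value), the well-known test PAN 4111 1111 1111 1111 as constructed input, and a simple digit-run detector standing in for what a DLP scanner would look for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample key for this example only: 32 bytes selects AES-256.
// A production terminal gets its key from an HSM / DUKPT injection, never a literal.
var processorKey = []byte("0123456789abcdef0123456789abcdef")

// Constructed sample PAN (a standard test number, not a real account).
const samplePAN = "4111111111111111"

// EncryptAtSwipe models the terminal: the PAN is encrypted the moment it is read,
// so nothing downstream of the reader ever handles cleartext card data.
func EncryptAtSwipe(key []byte, pan string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Prefix the nonce so the processor can decrypt; GCM's tag covers the payload,
	// so any modification in transit is detected rather than decrypted to garbage.
	return aead.Seal(nonce, nonce, []byte(pan), nil), nil
}

// DecryptAtProcessor models the payment processor, the only party holding the key.
func DecryptAtProcessor(key []byte, payload []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(payload) < aead.NonceSize() {
		return "", errors.New("payload too short")
	}
	nonce, ct := payload[:aead.NonceSize()], payload[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err // wrong key or tampered data: fail closed
	}
	return string(pt), nil
}

// MaskPAN is the only form the merchant side keeps for receipts and logs:
// at most the first six and last four digits are shown, the rest is masked.
func MaskPAN(pan string) string {
	if len(pan) < 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// ContainsPAN is a crude detector an intermediary could run over traffic or logs:
// does the data contain a 13-19 digit run that looks like a card number?
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

func ContainsPAN(data []byte) bool {
	return panPattern.Match(data)
}

func main() {
	payload, err := EncryptAtSwipe(processorKey, samplePAN)
	if err != nil {
		panic(err)
	}
	// This is all an interceptor between terminal and processor would see.
	fmt.Printf("on the wire: %s\n", base64.StdEncoding.EncodeToString(payload))
	fmt.Println("wire payload contains a PAN:", ContainsPAN(payload))
	fmt.Println("receipt shows:", MaskPAN(samplePAN))

	pan, err := DecryptAtProcessor(processorKey, payload)
	fmt.Println("processor recovered PAN:", pan == samplePAN, err)

	// Flip one byte in transit: the processor rejects it instead of charging a wrong card.
	payload[len(payload)-1] ^= 0x01
	_, err = DecryptAtProcessor(processorKey, payload)
	fmt.Println("tampered payload rejected:", err != nil)
}
```

The detector is deliberately simple; its purpose is to show that once encryption happens at the reader, the payload crossing the merchant's network carries nothing a scanner (or an attacker with a tap) can recognise as card data, which is exactly the value reduction the tip describes.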
3. Avoid the low-hanging fruit
a. People tend to take the path of least resistance. For instance, if a company's network is unique in its design and a new method of accessing data exists that the checklist does not cover, that method may be glossed over while compliance is still achieved. Scheduled reviews of a company's PCI DSS compliance help ensure that, as technology and networks continue to progress, new threat vectors are addressed. As another example, Requirement 5 of the PCI DSS states that a vendor must use and regularly update anti-virus programs. Since the quality of anti-virus software varies widely, a vendor could choose a low-detection, high-false-positive product and be compliant while running a fairly ineffective anti-virus application on their systems.
4. “Chain of events” or the “error chain”
a. In aviation, an accident is referred to as a “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to the accident. The same can be said of security incidents such as data leakage.
Do you have additional best practices, tips or observations? You can also share your experiences regarding PCI DSS: challenges, benefits or any other comments regarding your company and credit card security.