Payment Card Industry Data Security Standard

Credit cards are widespread and their use for online payments is increasing dramatically. However this increase has also brought about a growth in credit card fraud. In March 2007, TJX Companies Inc. disclosed that at least 45.6 million credit and debit card numbers were stolen by hackers who broke into its network. In a bid to tighten up security and prevent similar breaches to that experienced by TJX, all businesses handling credit/debit card data now need to comply with strict security standards drawn up by the world’s major credit card companies including VISA and MasterCard. These requirements are known as the Payment Card Industry Data Security Standard (PCI DSS), and to date these govern all the payment channels including retail, mail orders, telephone orders and e-commerce.

The Payment Card Industry Data Security Standard and GFI Software
Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies who store, transmit or process credit card data. Furthermore, PCI DSS compliance needs to be achieved by December, 2007 – this is the deadline posed by credit card companies. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen and risk not being allowed to handle cardholder data.

GFI Software offers organizations who need to become PCI DSS compliant 2 solutions:

• GFI EventsManager - a complete event log management system and
• GFI LANguard - a complete network vulnerability management solution that includes vulnerability scanning, patch management and network auditing.
  

What is the Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS framework is divided into 12 security requirements which can be grouped into three main areas:

1. Collection and storage of all log data so that it is available for analysis
2. Reporting on all activity so as to be able to prove compliance on the spot
3. Monitoring and alerting whereby administrators can constantly monitor access and usage of data and be warned of problems immediately.

Read more about PCI compliance

As from December 31, 2007 all businesses handling cardholder data – irrespective of size – have to be compliant with strict security standards drawn up by the world’s major credit card companies. This includes:

• Banks and financial institutions
• Educational institutions
• Healthcare
• Hotels and restaurants
• Government
• Insurance companies
• Manufacturing
• Retail
• Post offices
• Technology companies
• And many more!
  
  

Reference Material

The following is a list of reference material related to PCI DSS – all material can be accessed for FREE – no registration required.

Additional information

• PCI DSS FAQs

Whitepapers

• PCI DSS made easy: An information guide
• Automating vulnerability management for PCI DSS compliance
• Automated event log management for PCI DSS compliance

Checklists

• Which PCI DSS requirements can I meet by using GFI EventsManager?
• Which PCI DSS requirements can I meet by using GFI LANguard?