What are the most commonly accepted database security controls used to comply with PCI DSS? I'm concerned that, since there is some subjectivity involved, our assessor won't be OK with our choices.
If the database in question is contained within a cardholder data environment, you must comply with each and every provision of the Payment Card Industry Data Security Standard (PCI DSS). In such a case, review the PCI DSS guidelines thoroughly and ensure that the operating environment complies with each requirement contained within the standard.
That being said, there are some common steps that can ease the burden of achieving a PCI-compliant database. First, carefully consider whether it is necessary to store sensitive cardholder information, particularly account numbers, in the database. If business practices can be modified so that this information is not stored in electronic form, the number of actions that must be taken to maintain PCI DSS compliance will be reduced dramatically. For example, many organizations are choosing to outsource portions of their credit card operations and do not retain anything other than the last four digits of credit card numbers to simplify their compliance environments.
If an organization does choose to store credit card information in its database, payment account numbers must be encrypted at all times using strong encryption and appropriate key management practices that maintain the security of this highly sensitive information. Additionally, it is never permissible to store the security code associated with a credit card or the complete contents of the magnetic strip on a credit card.
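As an added illustration of the storage controls just described (keeping only the last four digits for display, encrypting stored account numbers under managed, rotatable keys, and refusing to persist the security code or magnetic stripe contents), here is a small Go data-handling layer. It is example code written for this page, not code from the expert or from any PCI DSS product. The in-memory keyring, key identifiers such as dek-1, the choice of AES-256-GCM, and the card number 4111 1111 1111 1111 are constructed assumptions for the example; a real deployment would hold the keys in an HSM or key-management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

var ErrProhibitedData = errors.New("refusing to persist CVV or magnetic stripe data")
var ErrInvalidPAN = errors.New("PAN must be 13-19 digits")

// CardInput is what the application holds at authorization time; CVV and track data never reach the database.
type CardInput struct{ PAN, CVV, TrackData string }

// StoredCard is the only shape handed to the database: last four digits, encrypted PAN, and the encrypting key's id.
type StoredCard struct {
	Last4, KeyID      string
	Nonce, Ciphertext []byte
}

// Keyring holds versioned 256-bit AES keys in memory (constructed for this example; use an HSM or KMS in practice).
type Keyring struct {
	current string
	keys    map[string][]byte
}

func NewKeyring() (*Keyring, error) {
	k := &Keyring{keys: map[string][]byte{}}
	_, err := k.Rotate()
	return k, err
}

// Rotate generates a fresh key and makes it current; older keys stay available to decrypt rows written under them.
func (k *Keyring) Rotate() (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return "", err
	}
	k.current = fmt.Sprintf("dek-%d", len(k.keys)+1)
	k.keys[k.current] = key
	return k.current, nil
}

func (k *Keyring) aead(id string) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, _ := aes.NewCipher(key) // keys from Rotate are always 32 bytes, so this cannot fail
	return cipher.NewGCM(block)
}

// normalizePAN drops separators and rejects anything that is not a 13-19 digit number.
func normalizePAN(pan string) (string, error) {
	pan = strings.NewReplacer(" ", "", "-", "").Replace(pan)
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", ErrInvalidPAN
	}
	return pan, nil
}

// Protect turns raw input into the storable form; it refuses outright when prohibited data is present.
func (k *Keyring) Protect(in CardInput) (StoredCard, error) {
	if in.CVV != "" || in.TrackData != "" {
		return StoredCard{}, ErrProhibitedData
	}
	pan, err := normalizePAN(in.PAN)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, _ := k.aead(k.current) // the current key always exists
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	// The key id is bound as associated data, so a ciphertext cannot be re-labelled to another key undetected.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(k.current))
	return StoredCard{Last4: pan[len(pan)-4:], KeyID: k.current, Nonce: nonce, Ciphertext: ct}, nil
}

// Reveal decrypts a row for the few components with a business need for the full PAN.
func (k *Keyring) Reveal(sc StoredCard) (string, error) {
	gcm, err := k.aead(sc.KeyID)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, sc.Nonce, sc.Ciphertext, []byte(sc.KeyID))
	return string(pan), err
}

func main() {
	kr, _ := NewKeyring()
	rec, err := kr.Protect(CardInput{PAN: "4111 1111 1111 1111"}) // constructed test number
	fmt.Println(rec.Last4, rec.KeyID, len(rec.Ciphertext), err)
}
```

The point of the design is that the persistence layer, not the calling code, enforces the rules: a record carrying a CVV or track data is rejected rather than silently trimmed, the stored key id lets keys be rotated without re-encrypting every row at once, and only Reveal ever reconstructs a full account number, which makes it a natural place to restrict and log access.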
Beyond the steps required to protect credit card data, secure system administration practices must also be applied as described in PCI DSS to database servers, including implementing strong authentication, ensuring the use of encryption for nonconsole administrative access and maintaining a detailed log history for the organization's database servers. Databases must be implemented on servers dedicated to that function and placed in a network zone where they may not be directly accessed from the Internet.
Maintaining a PCI-compliant database is a complex undertaking and a responsibility that should not be assumed lightly. I strongly recommend that any organization undergoing this process carefully evaluates its business practices to determine whether the use of a database to store credit card information is absolutely necessary. If it is, engage in a methodical risk assessment and review the database security controls already in place against the PCI DSS requirements.