PCI DSS specifies 12 different requirements to secure cardholder data and requires a qualified assessor to examine a merchant's environment to ensure compliance. Penalties for non-compliance range from small fines to the inability to use a specific type of credit or debit card.
Specific to risk assessment, the PCI DSS standard requires that "security controls, limitations, network connections and restrictions" are tested at least annually. It also mandates quarterly use of a wireless analyzer to see if your Wi-Fi networks are vulnerable. Additionally, the regulation requires quarterly vulnerability scans to ensure that no known vulnerabilities put cardholder data at risk.
I strongly recommend that organizations also conduct a more formal penetration test, ideally performed by outside resources, at least once a year, and also use automated pen testing tools internally more often. Why? Because the bad guys are testing your network and applications every day. They are performing risk assessments all the time, trying to figure out how to compromise your systems, so you should use their same tools and techniques to find and remediate problems.
For more information:
- In this tip, contributor Khalid Kark defines the framework that makes organizational risk management work in your enterprise.
- In this expert response, Joel Dubin discusses whether or not tokenization can meet PCI DSS standards for storing credit card data.
Dig deeper on PCI Data Security Standard
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.