Guide to passing PCI's five toughest requirements

This learning guide will review a few of the more challenging PCI DSS requirements and provide some tips that enterprises can use to achieve PCI DSS compliance.

PCI DSS: Where are organizations str...

To read more you must become a member of SearchSecurity.com

As an existing member of the TechTarget network please activate your SearchSecurity.com account 

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

BROWSE BY TAG Risk Management Strategies,   Security Audit, Compliance and Standards,   PCI Data Security Standard,   IT Security Audits,   VIEW ALL TAGS

RELATED CONTENT Risk Management Strategies Cloud computing in 2010: Be ready for risk management challenges How to justify information security spending on cloud computing How to protect distributed information flows Black box and white box testing: Which is best? Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues PCI Data Security Standard New data protection laws No major PCI DSS revision expected in 2010 PCI QSAs, certifications to get new scrutiny The future of PCI DSS encryption requirements? Tokenization for PCI MasterCard reverses PCI compliance requirement PCI DSS compliance help: Using frameworks, technology to aid efforts Chip and PIN adoption Chip and PIN adoption serves lesson for U.S. payment industry Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization IT Security Audits Compliance strategy: How to become an internal IT auditor A guide to internal and external network security auditing Standards compliance does not equal sound information security risk management Tony Spinelli: Prioritize Information Security over Compliance How to prepare for a FERPA audit MasterCard increases PCI compliance requirements for some merchants How to select a set of network security audit guidelines How to write a risk methodology that blends business, security needs PCI compliance requirement 11: Testing Using IAM tools to improve compliance

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary PCI DSS (Payment Card Industry Data Security Standard )  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

uggling?
All of the PCI DSS requirements seem to be fairly well defined, unlike those of the Sarbanes-Oxley Act. SOX does not provide any specific direction on how to secure information assets and has been open to varying interpretations by companies and compliance audit firms. Nevertheless, organizations still find it difficult to become PCI DSS compliant. In an interesting study conducted by VeriSign Inc., researchers found that organizations were most likely to be noncompliant with PCI Requirement 3. Seventy-nine percent of the failed assessments did not meet the requirement to protect stored data. According to VeriSign, the top five PCI assessment failings were:

Requirement 3: Protect stored data 79%
Requirement 11: Regularly test security systems and processes 74%
Requirement 8: Assign a unique ID to each person with computer access 71%
Requirement 10: Track/monitor network resources and cardholder data 71%
Requirement 1: Install and maintain a firewall configuration to protect data 66%

The Slaughterhouse-Five: Why are these problem areas?
Regardless of the fact that PCI DSS is definitely comprehensive, the list of requirements allows for 12 potential points of failure; the inability to pass any one means an organization won't be compliant. Additionally, even with the PCI DSS providing specific requirements, it can be interpreted differently by different types of organizations. Let's review the aforementioned PCI requirement failures, analyze why these might cause trouble for some organizations and discuss what measures can be taken to resolve the dilemma.

ABOUT THE AUTHOR:

Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via canvip@yahoo.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.