Guide to passing PCI's five toughest requirements

It is well known by now that the major credit card companies have collectively mandated that all members, merchants and service providers storing, processing or transmitting cardholder data must adhere to the Payment Card Industry (PCI)'s "12 commandments" -- the dozen overarching best practices that make up the guideline -- or else risk possible fines and even the termination of credit card processing privileges. In addition, by Sept. 30, 2007, all Level 2 organizations -- merchants processing more than 150,000 Visa or MasterCard transactions each year or merchants that process more than 1 million transactions annually -- must be compliant with these standards. Unfortunately, the path to PCI DSS compliance can be demanding due to the amount of money, time and effort required.

This learning guide will review a few of the more challenging PCI DSS requirements and provide some tips that enterprises can use to achieve PCI DSS compliance.

    Requires Free Membership to View

Review the PCI DSS requirements

For more on the 12 basic requirements of the PCI Data Security Standard, check out our exclusive webcast, PCI Compliance: Best Practices and Common Misconceptions with guest speaker Roger Nebel.
PCI DSS: Where are organizations struggling?
All of the PCI DSS requirements seem to be fairly well defined, unlike those of the Sarbanes-Oxley Act. SOX does not provide any specific direction on how to secure information assets and has been open to varying interpretations by companies and compliance audit firms. Nevertheless, organizations still find it difficult to become PCI DSS compliant. In an interesting study conducted by VeriSign Inc., researchers found that organizations were most likely to be noncompliant with PCI Requirement 3. Seventy-nine percent of the failed assessments did not meet the requirement to protect stored data. According to VeriSign, the top five PCI assessment failings were:

Requirement 3: Protect stored data 79%
Requirement 11: Regularly test security systems and processes 74%
Requirement 8: Assign a unique ID to each person with computer access 71%
Requirement 10: Track/monitor network resources and cardholder data 71%
Requirement 1: Install and maintain a firewall configuration to protect data 66%

The Slaughterhouse-Five: Why are these problem areas?
Regardless of the fact that PCI DSS is definitely comprehensive, the list of requirements allows for 12 potential points of failure; the inability to pass any one means an organization won't be compliant. Additionally, even with the PCI DSS providing specific requirements, it can be interpreted differently by different types of organizations. Let's review the aforementioned PCI requirement failures, analyze why these might cause trouble for some organizations and discuss what measures can be taken to resolve the dilemma.


  Requirement 3: Protecting stored data
  Requirement 11: Regularly test security systems and processes
  Requirement 8: Assign a unique ID to users
  Requirement 10: Monitor access to network resources and data
  Requirement 1: Install and maintain a firewall configuration

Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via canvip@yahoo.com.

This was first published in September 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.