Guide to passing PCI's five toughest requirements

As data security breach threats increase and the Payment Card Industry (PCI) Data Security Standard's authority continues to expand, credit card-processing companies have little choice but to implement PCI's dozen requirements. Some best practices, however, are more difficult to achieve than the others. In this learning guide, Craig Norris explains how to successfully implement the five PCI DSS requirements that have been continuously stumping security professionals.

Craig Norris

It is well known by now that the major credit card companies have collectively mandated that all members, merchants...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

and service providers storing, processing or transmitting cardholder data must adhere to the Payment Card Industry (PCI)'s "12 commandments" -- the dozen overarching best practices that make up the guideline -- or else risk possible fines and even the termination of credit card processing privileges. In addition, by Sept. 30, 2007, all Level 2 organizations -- merchants processing more than 150,000 Visa or MasterCard transactions each year or merchants that process more than 1 million transactions annually -- must be compliant with these standards. Unfortunately, the path to PCI DSS compliance can be demanding due to the amount of money, time and effort required.

This learning guide will review a few of the more challenging PCI DSS requirements and provide some tips that enterprises can use to achieve PCI DSS compliance.

Review the PCI DSS requirements

For more on the 12 basic requirements of the PCI Data Security Standard, check out our exclusive webcast, PCI Compliance: Best Practices and Common Misconceptions with guest speaker Roger Nebel.

PCI DSS: Where are organizations struggling?
Sarbanes-Oxley Act compliance audit

Requirement 3: Protect stored data	79%
Requirement 11: Regularly test security systems and processes	74%
Requirement 8: Assign a unique ID to each person with computer access	71%
Requirement 10: Track/monitor network resources and cardholder data	71%
Requirement 1: Install and maintain a firewall configuration to protect data	66%

The Slaughterhouse-Five: Why are these problem areas?
Regardless of the fact that PCI DSS is definitely comprehensive, the list of requirements allows for 12 potential points of failure; the inability to pass any one means an organization won't be compliant. Additionally, even with the PCI DSS providing specific requirements, it can be interpreted differently by different types of organizations. Let's review the aforementioned PCI requirement failures, analyze why these might cause trouble for some organizations and discuss what measures can be taken to resolve the dilemma.

A GUIDE TO PASSING PCI'S FIVE TOUGHEST REQUIREMENTS

Requirement 3: Protecting stored data
Requirement 11: Regularly test security systems and processes
Requirement 8: Assign a unique ID to users
Requirement 10: Monitor access to network resources and data
Requirement 1: Install and maintain a firewall configuration
Conclusion

ABOUT THE AUTHOR:

Craig Norris, CISSP, CISA, G7799, MCSE, Security+, CAPM, TICSA, is a Regional Engagement Manager at an IT consulting firm in Dallas. He has been involved with information technology and security for over 12 years. He can be contacted via [email protected].

All of the PCI DSS requirements seem to be fairly well defined, unlike those of the . SOX does not provide any specific direction on how to secure information assets and has been open to varying interpretations by companies and firms. Nevertheless, organizations still find it difficult to become PCI DSS compliant. In an interesting study conducted by VeriSign Inc., researchers found that organizations were most likely to be noncompliant with PCI Requirement 3. Seventy-nine percent of the failed assessments did not meet the requirement to protect stored data. According to VeriSign, the top five PCI assessment failings were:

This was last published in September 2007

PCI DSS merchant levels

How does a PCI ISA help enterprise security and compliance?

TLS encryption: Why did the PCI SSC push back the deadline?

PCI gap assessment

Google forms cyber insurance pact with Allianz, Munich Re

Dispelling 4 of the top cloud security myths today

Guide to cloud security management and best practices

Cisco completes $4.5 billion Acacia deal

5 steps to conduct network penetration testing

5 benefits of Wi-Fi 6 for enterprise networks

Racial, gender diversity in tech improving at a glacial pace

The future of trust must be built on data transparency

What are the advantages and disadvantages of RPA?

Microsoft makes Universal Print generally available

Microsoft bolsters data security in 365

Microsoft to add a text prediction feature to Word

Microsoft ACS going GA with preview of Teams integration

Modernize and migrate mainframe apps to the cloud

How to create snapshots for Azure VMs and managed disks

Tech salary growth proving a mixed bag

A peek inside Grab’s DevOps practices

CW APAC: Tech career guide