Secure Web Form Hosting
PCI Compliance
What is PCI compliance? The Payment Card Industry Data Security Standard (PCI DSS) is a set of network security and business practice guidelines adopted by Visa, MasterCard, American Express, Discover Card, and JCB to establish a "minimum security standard" for protecting customers' payment card information. It is a requirement for all merchants that store, transmit, or process payment card information.

Even though PCI compliance is mostly up to you, using Elbowspace can help.

Below are some of the controls we have implemented to help with your compliance:

1) Install intrusion detection & prevention systems.
2) Install file-integrity monitoring software.
3) Maintain audit-trail history logs for at least one year.
4) Maintain security badge entry, video surveillance & access logs at the web server's physical location.
5) Implement the following USERID & PASSWORD standards for all user accounts:
    a) The user must re-authenticate if the session is idle for 15 minutes or more.
    b) Lock out the user for 1 hour after 5 or more consecutive failed login attempts.
    c) Force the user to change passwords at least every 90 days.
    d) New passwords must be different from the last five.
    e) New passwords must contain at least 7 characters, with both alphabetic & numeric characters.
    f) If an account has been inactive for 90 days or more, the user must call in to re-activate his/her account.
6) Review all application programs for common vulnerabilities. Implement changes to prevent vulnerabilities like XSS, CSRF & SQL injection.
7) Install the latest vendor-supplied patches to all software, especially the operating system & web server.
8) All application programs are written & re-written using OWASP & PCI DSS programming standards.
9) Install anti-virus software.
10) Remove all unnecessary programs, scripts, drivers, file systems, DBMSs & web servers from each physical server and change all vendor-supplied defaults.
11) Implement strong 256-bit encryption for the transfer of sensitive data.
12) Encrypt all card member information before storing.
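Item 5 is concrete enough to express as code. The block below is an added illustration, not Elbowspace's own software, of enforcing those account rules in one place: the threshold values are taken from item 5, while the `Account` class, the status strings and the use of salted PBKDF2 for the password history are assumptions made for the example.

```python
import hashlib, os, re
from datetime import timedelta
# Thresholds from item 5 above; the code itself is an added illustration, not Elbowspace's.
IDLE_TIMEOUT = timedelta(minutes=15)                    # 5(a)
LOCKOUT_AFTER, LOCKOUT_PERIOD = 5, timedelta(hours=1)   # 5(b)
MAX_PASSWORD_AGE, HISTORY_DEPTH = timedelta(days=90), 5 # 5(c), 5(d)
INACTIVITY_LIMIT = timedelta(days=90)                   # 5(f)

def hash_password(password, salt):
    # Salted PBKDF2 so old passwords can be compared for rule 5(d) without keeping plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def password_meets_policy(candidate, history):
    """5(e): at least 7 characters with letters and digits; 5(d): none of the last five."""
    if len(candidate) < 7 or not re.search(r"[A-Za-z]", candidate) or not re.search(r"\d", candidate):
        return False
    return all(hash_password(candidate, s) != d for s, d in history[-HISTORY_DEPTH:])
def session_is_live(last_seen, now):
    return now - last_seen < IDLE_TIMEOUT   # 5(a): past this, force re-authentication

class Account:
    def __init__(self, password, now):
        self.history, self.failed, self.locked_until = [], 0, None
        self.last_activity = self.password_changed = now
        self.set_password(password, now)

    def set_password(self, password, now):
        if not password_meets_policy(password, self.history):
            return False
        salt = os.urandom(16)
        self.history = (self.history + [(salt, hash_password(password, salt))])[-HISTORY_DEPTH:]
        self.password_changed = now
        return True

    def login(self, password, now):
        """Returns "ok" only when every item-5 rule passes; otherwise names the failing rule."""
        if now - self.last_activity >= INACTIVITY_LIMIT:
            return "inactive"                # 5(f): last_activity never advances, so this sticks
        if self.locked_until and now < self.locked_until:
            return "locked"
        salt, digest = self.history[-1]
        if hash_password(password, salt) != digest:
            self.failed += 1
            if self.failed >= LOCKOUT_AFTER:  # 5(b)
                self.locked_until = now + LOCKOUT_PERIOD
                return "locked"
            return "bad_password"
        self.failed, self.locked_until, self.last_activity = 0, None, now
        if now - self.password_changed >= MAX_PASSWORD_AGE:
            return "password_expired"        # 5(c)
        return "ok"
```

An account that reports "inactive" can only be restored by an out-of-band step, matching rule 5(f), since nothing in `login` advances `last_activity` once the limit is crossed.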