PCI DSS dos:
- Secure your network: deploy firewalls and disable unnecessary services and protocols. Even if you are a card-present merchant, you most likely have internet connectivity, which may indirectly expose sensitive data. Be particularly careful with wireless (remember TJX).
- When you make changes to systems carry out security testing to ensure you are not introducing vulnerabilities into your card environment.
- Get rid of card data if not absolutely needed. If needed apply strong encryption to both data and data encryption keys. Have a strict key management policy and if you transmit data make sure the link is encrypted.
- Encrypt and securely store all data back-ups – make sure 3rd party providers are PCI DSS compliant.
- Restrict access to card data on a need-to-know basis
- Deploy comprehensive monitoring tools to monitor activity in your systems and networks – use tools that alert you to suspicious activity.
- Document your information security policies and follow them. Don’t buy “off-the-shelf” PCI DSS policy statements – they may not work for your organisation, and if you can’t follow them they are useless to you.
- If you develop your own payment solutions and interfaces, document and implement secure coding standards and make sure they’re followed.
- Get PCI DSS compliance statements from your suppliers and check the status of 3rd party applications you use for PA-DSS compliance (Payment Application Data Security Standard).
- Apply strict physical access control to your data centre.
PCI DSS don’ts:
- Never ever store Track, PIN or CVV data in either logs or in the database.
- If possible, don’t store card data after authorisation in logs or in the database.
- If your servers which store, transmit or process data are co-located or hosted, don’t assume that the provider’s generic firewall is adequate. You may be on the same network as hundreds of insecure servers which could compromise you.
- Don’t allow undocumented or untested changes to take place in your environment – they could open up exposures.
- Don’t allow staff to download data containing full card numbers for use in the general office environment or to store on laptops for analysis.
- Don’t allow production card data to be used in test environments.
- Don’t allow card data to be sent via unencrypted email.
- Don’t leave data files on file servers – move them off to secure servers for processing and delete them when processed.
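As an added example (not part of the original article), the following Python log sanitiser illustrates the first two don’ts: it strips track data and CVV/PIN values outright and masks any Luhn-valid PAN to the first six and last four digits before a line reaches a log. The regular expressions, redaction markers and sample log lines are my own constructed assumptions, not anything from the O-C Group.

```python
"""Redact cardholder data from log lines before they are written."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Magnetic-stripe track data: track 1 "%B<PAN>^NAME^...?" or track 2 ";<PAN>=YYMM...?"
TRACK_RE = re.compile(r"(?:%B\d{13,19}\^[^?]*\?|;\d{13,19}=\d+[^?]*\?)")
# CVV/CVC/PIN values written in key=value or key: value style.
SENSITIVE_KV_RE = re.compile(r"\b(cvv2?|cvc2?|pin)\s*[=:]\s*\d{3,6}", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display limit); mask the rest."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize(line: str) -> str:
    """Remove track data and CVV/PIN values entirely, then mask surviving PANs."""
    line = TRACK_RE.sub("[TRACK DATA REMOVED]", line)
    line = SENSITIVE_KV_RE.sub(lambda m: m.group(1) + "=[REMOVED]", line)

    def _mask(m: re.Match) -> str:
        raw = re.sub(r"\D", "", m.group(0))
        return mask_pan(raw) if luhn_valid(raw) else m.group(0)

    return PAN_RE.sub(_mask, line)


# Constructed sample log lines (the PAN is the well-known 4111... test number).
SAMPLE_LOG = [
    "2024-01-01 auth ok pan=4111111111111111 amount=10.00",
    "2024-01-01 swipe track=;4111111111111111=25121011234? cvv=123",
    "2024-01-01 order 123456789012345 shipped",   # fails Luhn, left untouched
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(sanitize(entry))
```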
Hubert O’Donoghue, Managing Partner O-C Group
For more info go to: http://www.o-cgroup.com/service-pci.shtml