The PCI DSS was developed by the major credit card companies and banks as a guideline to help organizations that process card payments prevent credit card fraud, hacking and other attacks. A company that processes, stores or transmits cardholder data must be PCI DSS-compliant or risk losing the ability to process credit card payments, and is liable for fines if it does not comply.
PCI DSS originally began as five different company-specific programs: Visa Card Information Security Program, MasterCard Site Data Protection, American Express Data Security Operating Policy, Discover Information and Compliance, and the JCB Data Security Program. These companies formed the Payment Card Industry Security Standards Council, and on December 15, 2004, aligned their individual policies and created the PCI DSS. In September 2006, the standard was updated to version 1.1. These companies also put together the PCI Security Standards Council to administer the standard, with a mandate to provide advisory services and drive technical standards among the credit card companies themselves, step up enforcement, and consider incentives for compliance.
The PCI DSS aims to reduce the risk of an attack by mandating that vendors maintain firewall configurations, eliminate vendor-supplied defaults for security parameters, encrypt transmission of cardholder data, regularly update antivirus software, restrict access to data, and monitor all access to network resources. The PCI DSS also calls for companies that handle credit card transactions to maintain a policy that addresses information security, perform frequent security audits and network monitoring, and forbid the use of default passwords. Merchants and consumer organizations must be validated through an audit by a Qualified Security Assessor (QSA) company. (A complete list of QSAs is available from the PCI Security Standards Council.)
The security requirements of the PCI DSS apply to all system components. System components are defined as any network component, server or application that is included in or connected to the cardholder data environment. The cardholder data environment is the part of the network that holds cardholder data or sensitive authentication data. By segregating the segments that store, process or transmit such information from the rest of the network, administrators can increase security by reducing the scope of the environment that must be protected. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances and other security appliances. Server types include but are not limited to Web, database, authentication, mail, proxy, Network Time Protocol (NTP) and Domain Name System (DNS) servers. Applications include all purchased and custom applications, internal and external, as well as Web-based applications.
While U.S. firms were given a deadline of June 30, 2007 to achieve compliance, the number of organizations achieving PCI DSS compliance is expected to be small. Companies face huge challenges in meeting this standard in the United States, as well as in Europe and Asia for companies doing business with or in the U.S. A recent survey conducted by The Logic Group in Europe revealed that only three percent of respondents are fully PCI DSS-compliant. While some companies have simply accepted paying fines as the cheaper option, the Gartner Group states that, “Protecting customer data is much less expensive than dealing with a security breach in which records are exposed and potentially misused. The Payment Card Industry compliance requirements provide enterprises with good justification to increase data protection.” (IT Compliance Institute)
In addition, in October 2007, Visa International announced a new payment application security mandate for retail and consumer companies. It requires new merchants that want to be authorized for payment card transactions to use only Payment Application Best Practice (PABP)-validated applications, and is scheduled to be implemented by 2010. This announcement has further intensified the pressure on retailers and service providers to become compliant.
Contents
Executive Summary
Introduction
How Juniper Helps Your Firm Achieve Compliance
    A Leader in Network Access Control
    Juniper Networks Unified Access Control
Addressing PCI DSS with UAC
    Building and Maintaining a Secure Network
    Protecting Cardholder Data
    Maintaining a Vulnerability Management Program
    Implementing Strong Access Control Procedures
    Regularly Monitoring and Testing Networks
Conclusion
About Juniper Networks
A Secure Network for Credit Card Transactions (PDF ebook)
