Story image

Credit card safety part3

01 Dec 10

Last month we provided an overview of the ’Payment Card Industry Data Security Standard’ or PCI DSS. We encouraged you to draw yourself a high-level diagram of your cardholder data (CHD) environment.  
As we also said, the bigger the scope of your environment, the more your compliance will cost. You will need to work through the entire Standard and make sure you meet all the controls. A control that can be demonstrated to be ’Not Applicable’ is considered ’In Place’.
Our next piece of advice is ’Segment the Network’. This means using a firewall or other appropriate technology to logically separate the CHD environment from your other IT infrastructure. This is the most effective way (other than not having CHD) of reducing the scope of your environment.
The CHD must be protected when it is stored. This is usually achieved by using well-known encryption techniques. You need to make sure that only those within your business that have a legitimate need to see and work with the full CHD have access to it. This implies implementing some sort of role-based access control (RBAC).
To help you, the Secrity Standards Council has developed a Prioritized Approach’ to working through the Standard as you work towards compliance. The ’Prioritized Approach’ provides six security milestones that will help merchants incrementally protect against the highest risk factors and threats while on the road to PCI DSS compliance. The Council’s opinion is that the greatest impact on the reduction of CHD breaches will be achieved early in the compliance process if the higher ranked controls are addressed first. However, you still have to work through and meet all of the controls. The ’Prioritized Approach’ can be downloaded here: tinyurl.com/2f6u2b3
Meeting compliance is just the start. Once you have met all of the controls, you have to maintain them ’24 x 7’ for 365 days of the year.
No standard could ever hope to cover all possible business situations. For this reason, some of the controls may appear confusing or contradictory in your particular situation. Remember, last month we said that the controls normally have one of two intents, and if you refer back to them when in doubt, you can normally work out what the control means in your situation, ie:
1.    Prevent inappropriate disclosure of cardholder data
2.    Detect when inappropriate disclosure occurs, allowing quick remediation.
The Standard is also evolving. This is why we encourage all merchants to take a ’Security’ view rather than a ’Compliance’ view. What’s the difference between Secure and Complaint? To use an analogy, "Secure” is the designated driver who doesn’t drink for the evening. "Compliant” asks the bartender how many drinks he can have and still get away with driving home. If you are secure, compliance should occur as a result. You may be 100% compliant, but still not be secure. If you take the view of just doing enough to satisfy the Standard, then you will more than likely get caught out when the Standard changes (each revision gets tougher). Version 2.0 of the Standard was released in October 2010. If you have a copy of version 1.2 as a result of reading our earlier articles, make sure you get the latest copy.
Some of the controls have the potential to be quite costly to implement for smaller merchants. These include but are not limited to:


  • intrusion detection or prevention systems (IDS/IPS)

  • file integrity monitoring (FIM),

  • centralised log monitoring, and

  • annual penetration testing.


If you are in any doubt about any aspect of the Standard, we encourage you to speak to your bank (acquirer) or QSA. Ask your bank to confirm what level merchant you are and what your validation requirements are (SAQ, onsite audit etc).

Slashing commute time could save NZ from 900,000 tonnes of C02
In New Zealand, workers could save between 7.7 and 8.8 million hours of commuting time every year.
Experts comment on record 772mil-user data breach
Dubbed “Collection #1”, the data set contains emails and passwords with over a billion unique combinations of email addresses and passwords.
Why flexible working could make good business sense
“You can always give it a go on a trial basis. If it’s not working, be honest."
Chorus fibre roll out picks up pace
Chorus has announced that 50% of fibre installations are now being completed within a day.
Keep security in check when doing your mobile banking
Most mobile banking attacks happen through social engineering, which is when people are manipulated to hand over their usernames and passwords to cybercriminals.
AI, big data could be key to improving Māori health
"Being able to get experts of this level together to start exploring how we use data to ultimately better the lives of New Zealanders is one that we were determined to be involved with," says ACC chief.
Human assets the key to a successful digital transformation
Y Soft's Martin de Martini says it's vital that organisations continue to train and motivate their employees.
New blockchain solution aims to keep our food ethical
OpenSC enables anyone to scan product QR codes which automatically takes them to information about where a specific product’s journey.