t cards as a safe method of conducting transactions. Visa began its own program, the Cardholder Information Security Protection (CISP) program, while other vendors began similar initiatives.

Eventually, the credit card brands joined forces and devised the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was created as a separate entity to maintain and enforce the PCI Data Security Standard.

ch10.indd 870 12/4/2009 11:39:09 AM All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8 Chapter 10: Legal, Regulations, Compliance, and Investigations 871
The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit card data. Varying levels of compliance and penalties exist and depend on the size of the customer and the volume of transactions. However, credit cards are used by millions and accepted almost anywhere, which means just about every business in the world must comply with the PCI DSS.

The PCI Data Security Standard is made up of 12 main requirements broken down into six major categories. The six categories of PCI DSS are: Build and Maintain a Secure Network, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy.
The control objectives are implemented via 12 requirements, as stated at https://
• Use and maintain a firewall.
• Reset vendor defaults for system passwords and other security parameters.
• Protect cardholder data at rest.
• Encrypt cardholder data when it is transmitted across public networks.
• Use and update antivirus software.
• Systems and applications must be developed with security in mind.
• Access to cardholder data must be restricted by business “need to know.”
• Each person with computer access must be assigned a unique ID.
• Physical access to cardholder data should be restricted.
• All access to network resources and cardholder data must be tracked...
This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.