CISSP All-in-One Exam Guide, 5th Ed. (Harris, 160217-8), Chapter 10: Legal, Regulations, Compliance, and Investigations

...t cards as a safe method of conducting transactions. Visa began their own program, the Cardholder Information Security Protection (CISP) program, while other vendors began similar initiatives. Eventually, the credit card brands joined forces and devised the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was created as a separate entity to maintain and enforce the PCI Data Security Standard.

[ch10.indd 870, 12/4/2009 11:39:09 AM. All-in-1 / CISSP All-in-One Exam Guide, 5th Ed. / Harris / 160217-8. Chapter 10: Legal, Regulations, Compliance, and Investigations, 871]

The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit card data. Varying levels of compliance and penalties exist and depend on the size of the customer and the volume of transactions. However, credit cards are used by millions and accepted almost anywhere, which means just about every business in the world must comply with the PCI DSS.

The PCI Data Security Standard is made up of 12 main requirements broken down into six major categories. The six categories of PCI DSS are: Build and Maintain a Secure Network, Protect Cardholder Data, Maintain a Vulnerability Management Program, Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and Maintain an Information Security Policy. The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:

• Use and maintain a firewall.
• Reset vendor defaults for system passwords and other security parameters.
• Protect cardholder data at rest.
• Encrypt cardholder data when it is transmitted across public networks.
• Use and update antivirus software.
• Systems and applications must be developed with security in mind.
• Access to cardholder data must be restricted by business “need to know.”
• Each person with computer access must be assigned a unique ID.
• Physical access to cardholder data should be restricted.
• All access to network resources and cardholder data must be tracked...

This note was uploaded on 06/01/2013 for the course NET 125 taught by Professor Hurst during the Fall '12 term at Wake Tech.
