The Rules of Transactions
Does life take Visa, or any credit card, for that matter? Then your network needs some pretty good security.
- By Greg Shields
Does your Windows network store, process, or transmit credit card cardholder data? If it does, no matter if that data is used for a point of sale, telephone or Web transaction, you may be liable for the information that is stored and communicated across your network. And, in the case of a security incident, you could be liable for substantial fines and litigation from the very credit card companies you support today.
Although started as the Cardholder Information Security Program (CISP) by Visa back in 2001, this expanded requirements list on those who hold personal financial data has grown to encompass more than just companies that process Visa cards. Now also used by American Express, Diner’s Club, Discover, JCB, and MasterCard, the updated standards can impact you and your network if you’re involved in a data disclosure incident.
The Payment Card Industry Data Security Standard (PCI DSS) holds true for any vendor or service provider that handles, transmits, stores, or processes information using any of the cards listed above.
The PCI DSS standards are used to ensure that customer data is stored and transmitted across business networks in a way that limits the potential for data disclosure and financial remediation. The program is broken down into four levels based on the number of credit card transactions per year. As you go into higher numbers of transactions per year, the types and strength of security, encryption and data segregation on your network goes up.
The 12 basic requirements for all levels generically line up into these questions:
- Do you install and maintain a firewall configuration to protect data?
- Do you use vendor-supplied defaults for system passwords and other security parameters?
- Do you protect stored data?
- Do you encrypt transmission of cardholder data and sensitive information across public networks?
- Do you use and regularly update anti-virus software?
- Do you develop and maintain secure systems and applications?
- Do you restrict access to data by business and need-to-know?
- Do you assign a unique ID to each person with computer access?
- Do you restrict physical access to cardholder data?
- Do you track and monitor all access to network resources and cardholder data?
- Do you regularly test security systems and processes?
- Do you maintain a policy that addresses information security?
Tech HelpJust An
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
A network in compliance with these 12 regulations fulfills the requirements of PCI DSS. If you answered "no" to any of these questions and credit card data comes through your network, you might consider having an assessment of your network security done either internally or by an outside firm.
You can get more information at the PCI Security Standards Council Web site at https://www.pcisecuritystandards.org.
Greg Shields is Author Evangelist with PluralSight, and is a globally-recognized expert on systems management, virtualization, and cloud technologies. A multiple-year recipient of the Microsoft MVP, VMware vExpert, and Citrix CTP awards, Greg is a contributing editor for Redmond Magazine and Virtualization Review Magazine, and is a frequent speaker at IT conferences worldwide. Reach him on Twitter at @concentratedgreg.