
PCI DSS Dos and Don'ts

PCI DSS Dos

  1. Secure your network, deploy firewalls and disable unnecessary services and protocols. Even if you are a Card Present merchant, you most likely have internet connectivity which may indirectly expose sensitive data. Be particularly careful with wireless (remember TJX).

  2. When you make changes to systems, carry out security testing to ensure you are not introducing vulnerabilities into your card environment.

  3. Get rid of card data if it is not absolutely needed. If it is needed, apply strong encryption to both the data and the data encryption keys. Have a strict key management policy, and if you transmit data make sure the link is encrypted.

  4. Encrypt and securely store all data back-ups – make sure 3rd party providers are PCI DSS compliant.

  5. Restrict access to card data on a need-to-know basis.

  6. Deploy comprehensive monitoring tools to monitor activity in your systems and networks – use tools that alert you to suspicious activity.

  7. Document your information security policies and follow them. Don't buy “off-the-shelf” PCI DSS policy statements – they may not work for your organisation, and if you can't follow them they are useless to you.

  8. If you develop your own payment solutions and interfaces, document and implement secure coding standards and make sure they're followed.

  9. Get PCI DSS compliance statements from your suppliers and check the status of 3rd party applications you use for PA-DSS compliance (Payment Application Data Security Standard).

  10. Apply strict physical access control to your data centre.

PCI DSS Don'ts

  1. Never ever store Track, PIN or CVV data, either in logs or in the database.

  2. If possible, don't store card data after authorisation in logs or in the database.

  3. If your servers which store, transmit or process data are co-located or hosted, don't assume that the provider's generic firewall is adequate. You may be on the same network as hundreds of insecure servers which could compromise you.

  4. Don't allow undocumented or untested changes to take place in your environment – they could open up exposures.

  5. Don't allow staff to download data containing full card numbers for use in the general office environment or to store on laptops for analysis.

  6. Don't allow production card data to be used in test environments.

  7. Don't allow card data to be sent via unencrypted email.

  8. Don't leave data files on file servers – move them off to secure servers for processing and delete them when processed.
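
A defender's check for don'ts 1 and 2, added here as an example that is not part of the original post: a small scanner that flags log lines containing a Luhn-valid PAN, Track 1/2 data or a CVV field, plus a masking helper that truncates PANs to the first six and last four digits before they are written. The log lines and field names (pan=, cvv=, raw=) are constructed for the example.

```python
import re

# Constructed sample log lines: a correctly masked PAN, a raw PAN with a CVV,
# a raw Track 2 swipe, and a harmless order line.
SAMPLE_LOG = [
    "2024-01-01 10:00:01 INFO auth ok pan=411111******1111 amount=10.00",
    "2024-01-01 10:00:02 DEBUG request body pan=4111111111111111 cvv=123",
    "2024-01-01 10:00:03 DEBUG swipe raw=;4111111111111111=25121011234567890123?",
    "2024-01-01 10:00:04 INFO order 987654 shipped",
]

# 13-19 contiguous digits not embedded in a longer digit run (spaced PANs would
# need the separators stripped first).
CANDIDATE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 1: %B<PAN>^<name>^<YYMM>...  Track 2: ;<PAN>=<YYMM><service code>...
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2 = re.compile(r";\d{13,19}=\d{7}")
CVV_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: filters out most non-card digit runs (IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(line: str) -> list:
    """Return the kinds of prohibited data found in one log line."""
    findings = ["PAN" for m in CANDIDATE_PAN.finditer(line) if luhn_ok(m.group())]
    if TRACK1.search(line) or TRACK2.search(line):
        findings.append("TRACK")
    if CVV_FIELD.search(line):
        findings.append("CVV")
    return findings


def scan_log(lines) -> dict:
    """Map line index -> findings for every line that contains card data."""
    return {i: f for i, line in enumerate(lines) if (f := find_card_data(line))}


def mask_pan(line: str) -> str:
    """Reduce Luhn-valid PANs to first six + last four, the PCI DSS display form."""
    def repl(m):
        d = m.group()
        return d[:6] + "*" * (len(d) - 10) + d[-4:] if luhn_ok(d) else d
    return CANDIDATE_PAN.sub(repl, line)
```

Run `scan_log` over an application's log files as part of the change-testing in "do" 2; any hit means a logging statement must be masked with something like `mask_pan` or removed.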

Hubert O'Donoghue, Managing Partner O-C Group

For more info go to: http://www.o-cgroup.com/service-pci.shtml

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
