+1 to that. Your business is responsible for determining your liability with respect to PCI. IT may well be called upon to provide a service in terms of scoping out your infrastructure and the technical implementation of what is required.

Start here: https://www.pcisecuritystandards.org/merchants/index.php

You may have relatively little to do if you sell candles to vicars locally, though the formal vs. informal requirements should be understood (i.e. an annual external pentest may sound like something you just do once a year, but the ongoing programme requirements are anything but one-off). Any firm that deals with complex systems/networks and a high transaction level may well have a large Compliance team dealing specifically with frameworks such as PCI.

Let me quote them:

"It's a matter of following the 12 requirements in the standard, working with your acquiring bank and using the tools offered through the Council. Remember that PCI DSS compliance is an ongoing process, not a one-time event. You'll need to continuously assess your operations, fix any vulnerabilities that are identified, and make the required reports to the acquiring bank and card brands you do business with."

And these are the 12 (oh so simple sounding!!) requirements:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

a

________________________________
From: Ziots, Edward [mailto:[email protected]]
Sent: 23 September 2011 21:12
To: NT System Admin Issues
Subject: RE: PCI compliance

Honestly, it really comes down to what your QSA evaluates your controls at, on whether you meet the standard of PCI compliance or not.

Z

Edward E. Ziots
CISSP, Network+, Security+
Security Engineer
Lifespan Organization
Email: [email protected]
Cell: 401-639-3505

From: Erik Goldoff [mailto:[email protected]]
Sent: Friday, September 23, 2011 3:17 PM
To: NT System Admin Issues
Subject: Re: PCI compliance

May depend on which of the 4 merchant levels the business falls under. When I was Ham Boy, we had a QSV scan and recertify our external IPs every month, but we only had the big full review yearly for the entire business.

On Fri, Sep 23, 2011 at 2:00 PM, David Lum <[email protected]> wrote:

For a site to be PCI compliant, is it an annual review process, or once PCI always PCI, or ?? Surely someone here knows off the top of their head...

David Lum
Systems Engineer // NWEATM
Office 503.548.5229 // Cell (voice/text) 503.267.9764

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin

************************************************************************************
WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies.
"CLS Services Ltd, Registered in England No 4132704, Registered Office: Exchange Tower, One Harbour Exchange Square, London E14 9GE"
