I think someone made slight reference to logging but this PCI requirement also merits considerable thought. Read the logging requirements imposed by PCI - any access to the sensitive data, viewing or updating cardholder data, must be logged. What's more, the log must be consolidated so that access to any 1 cardholder data 'set' across your enterprise should be combined so it can be viewed holistically. So you're probably facing an export of your UV/UD/MV logs to some tool like loglogic.com to monitor security events. This is a new administrative requirement for users of your software pkg. At minimum some human must consistently scan the logs, or the flagged events, if performed by some forensic tool.
Your network - once you store cardholder data on your enterprise, you must now perform due diligence on your network such as penetration testing to ensure the network is secure from external or internal intrusions. This involves everything from routers to wireless access points.

Hth,
-Baker

_______________________________________________
U2-Users mailing list
http://listserver.u2ug.org/mailman/listinfo/u2-users
