Payment Card Industry Data Security Standard

Although a relative newcomer to the IT compliance scene, PCI DSS is mandated by all members of the PCI Security Standards Council, including Visa International, MasterCard Worldwide, American Express, Discover Financial Services and JCB International. In practice, this means that the acquiring banks that process payment transactions for these card brands are responsible for ensuring that their merchants meet the standard, or face severe penalties.

PCI DSS has an extensive reach: it applies not only to your own business, but also to virtually any vendor that supports your organization by accepting, storing, processing or transmitting payment card data, including personal data from credit and debit cards. Any business partner or vendor that handles cardholder data (CHD) or sensitive authentication data (SAD) in these capacities falls within PCI DSS scope (as a merchant or, when it does so on your behalf, as a service provider) and is required to comply.

Objectives and requirements

The overriding goal of PCI DSS is to ensure the confidentiality of payment card data, which means making sure that you and your vendors have the proper operational processes and controls in place to secure customer data and to make that protection auditable. Specifically, the PCI DSS requirements are intended to ensure that organizations:

• Build and maintain secure networks and systems
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Regularly monitor and test networks
• Maintain an information security policy

Many of the PCI DSS requirements include detailed sub-requirements that focus on the key processes and controls organizations must have in place for managing user identities and entitlements.

These include controls that:

  • Ensure each user is uniquely identified
  • Define access needs for each role
  • Assign access based on individual’s job classification and function
  • Limit access to cardholder data to only authorized users
  • Ensure each user has explicit approval for the least amount of data and privilege needed to perform his or her job role
  • Enforce strong password management settings
  • Log and record all privileged user activity
  • Prevent the abuse of system accounts
  • Secure audit logs

About the Author
Allison Main
Allison Main is a senior product marketing manager for One Identity where she is focused on identity governance solutions. Allison joined the Quest IAM team in 2008 and she brings years of experience as...