Monday, June 08, 2009

PCI Compliance and Web Applications

What do the Payment Card Industry (PCI) compliance terms mean to your web-application?

There are six major categories, broken down to 12 requirements:

    Build and Maintain a Secure Network

    Requirement 1: Install and maintain a firewall configuration to protect cardholder data
    Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data

    Requirement 3: Protect stored cardholder data
    Requirement 4: Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program

    Requirement 5: Use and regularly update anti-virus software
    Requirement 6: Develop and maintain secure systems and applications

    Implement Strong Access Control Measures

    Requirement 7: Restrict access to cardholder data by business need-to-know
    Requirement 8: Assign a unique ID to each person with computer access
    Requirement 9: Restrict physical access to cardholder data

    Regularly Monitor and Test Networks

    Requirement 10: Track and monitor all access to network resources and cardholder data
    Requirement 11: Regularly test security systems and processes

    Maintain an Information Security Policy

    Requirement 12: Maintain a policy that addresses information security

from: https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

No comments: