1. Identify the touch points between the objectives and requirements of PCI DSS and YieldMore's IT environment. The objectives and requirements for PCI DSS compliance are the same for every business that wants to accept credit card payments. There are 6 control objectives with 12 requirements.
PCI DSS Requirements
1. Build and Maintain a Secure Network
   1. Install and maintain a firewall configuration to protect cardholder data
   2. Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
   5. Use and regularly update anti-virus software on all systems commonly affected by malware
   6. Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
   7. Restrict access to cardholder data by business need-to-know
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
6. Maintain an Information Security Policy
   12. Maintain a policy that addresses information security
2. Determine appropriate best practices to implement when taking steps to meet PCI DSS objectives and requirements. The best way to implement best practices is to follow the requirements. Some of the requirements listed above read like a guideline, e.g. not using vendor-supplied default passwords. Obviously you would want to set your own strong password that would be difficult to guess.

3. Justify your reasoning for each identified best practice. The justification for each best practice is that you want to keep the credit card information as secure as possible. The company will be handling people's money, and if something goes wrong and someone gains access to that information, the business will go under. No potential customer will want to do business with them.

4. Prepare a brief report or PowerPoint presentation of your findings for IT management to review. In order to better serve its customers, YieldMore wants to begin accepting credit card payments.
In order for the company to begin accepting credit cards, it must first be PCI DSS compliant. PCI DSS is an information security standard. The company has to meet six objectives, and each of those objectives has requirements that must be met to be compliant. The first objective is to build and maintain a secure network. Two requirements must be met for that objective: install and maintain a firewall configuration to protect cardholder data, and do not use vendor-supplied defaults for system passwords and other security parameters. The second objective is to protect cardholder data. Two requirements are needed to meet that objective: protect stored cardholder data, and encrypt transmission of cardholder data across open, public networks.
The third objective is to maintain a vulnerability management program; its requirements are to use and regularly update anti-virus software on all systems commonly affected by malware, and to develop and maintain secure systems and applications. The fourth objective, implementing strong access control measures, would be easy to achieve. Its requirements are restricting access to cardholder data by business need-to-know, assigning a unique ID to each person with computer access, and restricting physical access to cardholder data.
The fifth objective is to regularly monitor and test networks. Tracking and monitoring all access to network resources and cardholder data is the first requirement; regularly testing security systems and processes is the other. Maintaining a policy that addresses information security is the only requirement for the final objective, maintaining an information security policy. Once all of these objectives are met, the company would be PCI DSS compliant.
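Requirement 3 above (protect stored cardholder data) is the one most directly checkable in code. The Python below is an added example, not part of the original answer or of any YieldMore system: it validates card numbers with the Luhn check, masks them to the first six and last four digits, and scans constructed sample records for any PAN stored in the clear. The record layout and values are assumptions made for illustration.

```python
import re

# Added example for PCI DSS requirement 3 (protect stored cardholder data):
# a displayed PAN may reveal at most its first six and last four digits, so
# any full PAN in a stored record is a finding. Record format and sample
# values are constructed for illustration.

# 13-19 digits with optional single space/dash separators, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_unmasked_pans(text: str) -> list[str]:
    """Cleartext PANs in one record: candidate digit runs that pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

def audit_stored_records(records: list[str]) -> list[tuple[int, str]]:
    """(record index, masked PAN) for each cleartext PAN found; the audit
    report itself therefore never contains a full PAN."""
    return [(i, mask_pan(p)) for i, rec in enumerate(records)
            for p in find_unmasked_pans(rec)]

# Constructed sample records, as a stored-data audit would see them.
RECORDS = [
    "order=1001 cust=alice pan=4111 1111 1111 1111 exp=12/27",
    "order=1002 cust=bob pan=411111******1111 exp=03/26",  # already masked
    "order=1003 cust=carol phone=555-0100-123456 pan=378282246310005",
    "order=1004 cust=dave pan=1234567890123456",  # fails Luhn, not a PAN
]
```

The phone number and the non-Luhn digit string show why the Luhn filter matters: a digit-run regex alone would flag both as cardholder data.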