Ensuring PCI DSS Compliance – Part 1
This is a two-part article that looks at PCI DSS and the means of achieving compliance through an effective PCI
compliance management solution.
PCI DSS, which stands for Payment Card Industry Data Security Standard, is a proprietary information security standard for organizations, developed by the Payment Card Industry Security Standards Council. In view of the rapid rise in credit card fraud, the standard sets out requirements that every organization handling cardholder information must comply with. PCI DSS compliance is necessary for major debit, credit, prepaid, e-purse, ATM, and POS cards. Given below are the 6 control objectives and the 12 PCI DSS requirements.
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Validation of PCI DSS compliance is done annually. For organizations that handle large volumes of transactions, an external Qualified Security Assessor (QSA) creates a Report on Compliance (ROC). Companies that handle smaller volumes instead complete the Self-Assessment Questionnaire (SAQ).
In reality, although most companies achieve PCI DSS compliance, many are lax in maintaining it. Here is a look at some of the negligence on the part of merchants and business owners.
- Encryption is often inconsistent across a company's computer systems: credit card data may be protected in some places but not in others.
- Some companies unnecessarily store credit card data and, making matters worse, fail to stop that data from travelling across less secure parts of the network.
- Some IT shops fail to keep a log of network activity, making it nearly impossible to spot instances where a malicious hacker, or anyone else without authorization, is trying to access credit card data.
- Some companies do not conduct regular scans for software vulnerabilities and abnormal activity.
- Companies that thought they were all set after complying with regulations such as the Sarbanes-Oxley Act and HIPAA/HITECH discovered that their controls were not adequate to meet PCI DSS.
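The first two forms of negligence above (inconsistent protection and unnecessary storage of card data) are the kind of thing a compliance team can check for mechanically. The following is an added example, not code from the original article: a small scanner that looks through stored records or log lines for cleartext primary account numbers (PANs), confirms candidates with the Luhn checksum so ordinary reference numbers are not flagged, and shows the first-six/last-four masked form that PCI DSS has long permitted for display. The record lines are constructed for illustration and use publicly documented card-brand test numbers; the function and constant names are the example's own.

```python
"""Find cleartext PANs in stored records (added example, not the article's code)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjoining other digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample records. 4111111111111111 and 5555555555554444 are
# well-known card-brand test numbers; 1234567890123 is a 13-digit reference
# that should NOT be reported because it fails the Luhn check.
SAMPLE_RECORDS = [
    "2024-05-01 12:00:01 order=1001 card=4111111111111111 status=approved",
    "2024-05-01 12:00:02 order=1002 card=411111******1111 status=approved",
    "2024-05-01 12:00:03 order=1003 card=5555 5555 5555 4444 status=declined",
    "2024-05-01 12:00:04 order=1004 ref=1234567890123 status=approved",
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(candidate):
    """Strip the space/dash separators so the PAN is digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text):
    """Return the Luhn-valid PANs (digits only) that appear in cleartext in text."""
    return [
        _normalise(m.group(0))
        for m in _PAN_CANDIDATE.finditer(text)
        if luhn_valid(_normalise(m.group(0)))
    ]


def mask_pan(pan):
    """Mask a PAN to its first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records):
    """Return (record_index, masked_pan) for every record holding a cleartext PAN.

    Only the masked form is returned, so the finding itself can be logged
    without creating a new copy of cardholder data.
    """
    findings = []
    for idx, line in enumerate(records):
        for pan in find_pans(line):
            findings.append((idx, mask_pan(pan)))
    return findings


def redact(line):
    """Rewrite a record so any cleartext PAN is replaced by its masked form."""
    def _sub(m):
        digits = _normalise(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, line)


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: cleartext PAN found, masked form {masked}")
    print(redact(SAMPLE_RECORDS[0]))
```

Run as a script it reports records 0 and 2 and prints record 0 with the PAN masked; the masked record 1 and the Luhn-invalid reference in record 3 are left alone. In practice such a scan belongs in the log pipeline and in periodic sweeps of file shares and databases, since the point of the negligence list is that card data turns up in places nobody intended to store it.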
In the second and concluding part of this article, we will look at the best means of ensuring PCI DSS compliance.