Part 1:
Discuss the following:
How does using the payment card industry data security standards (PCI DSS) as a model, help assure the development of programs that are compliant with governmental, trade association, and accepted business practices?
Part 2: Respond to
Steven Oster
Greetings Professor Jude and Classmates:
How does using the payment card industry data security standards (PCI DSS) as a model, help assure the development of programs that are compliant with governmental, trade association, and accepted business practices?
According to the PCI DSS Quick Reference Guide for version 3.2.1, the goals and PCI DSS requirements state that vendors need to do the following to be compliant with governmental, trade association, and accepted business practices:

Build and maintain a secure network and associated systems
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
    5. Protect all systems against malware and regularly update antivirus software or programs
    6. Develop and maintain secure systems and applications

Implement strong access control measures
    7. Restrict access to cardholder data by business need to know
    8. Identify and authenticate access to system components
    9. Restrict physical access to cardholder data

Regularly monitor and test networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an information security policy
    12. Maintain a policy that addresses information security for all personnel. (PCI, 1, p. 8/1)
Further, the University of California at San Francisco (UCSF) Controller's Office, Credit Card Merchant Services, suggests that you protect card data by using secure means such as unique and strong passwords and access control measures; conducting regular system updates; watching for suspicious activity; conducting staff training so that employees securely handle card data; doing routine inspections and ensuring your payment terminals are secure; performing periodic risk assessments and having your data/network security teams conduct penetration testing; limiting data storage; and finally having an incident response plan should you end up having a breach (UCSF, 2).
In summary, businesses that follow these accepted business practices, using a comprehensive security framework that includes strong access control measures and an effective vulnerability management program incorporating regular monitoring and testing, can ensure compliance with all governmental regulatory and industry trade association guidelines. Furthermore, by using PCI DSS as a model, businesses can also ensure that they are following the necessary steps to protect their customers' data and maintain their trust.
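Requirements 7, 8 and 10 above (need-to-know access, individual authenticated identities, and an audit trail of every access to cardholder data) are the ones a merchant can check mechanically once the database writes an access log. The script below is an added example, not part of Steven's post and not from PCI SSC or UCSF: it parses a handful of constructed database audit lines and reports accesses that violate an assumed need-to-know policy, accesses made through generic shared accounts, and bulk reads worth investigating. The log format, hostname, table names, roles, user names, generic-account list and bulk threshold are all assumptions chosen for the illustration.

```python
# Added example (not part of the post or of PCI DSS): a small need-to-know and
# audit-trail check over constructed database audit log lines.
import re

# Constructed sample audit records in a syslog-like key=value format
# (the hostname, table names, roles and users are assumed, not real data).
SAMPLE_LOG = """\
2024-03-01T09:12:03Z cde-db01 dbaudit: user=jsmith role=billing action=SELECT table=card_tokens rows=1
2024-03-01T09:13:44Z cde-db01 dbaudit: user=admin role=dba action=SELECT table=card_tokens rows=2500
2024-03-01T09:15:10Z cde-db01 dbaudit: user=tdev role=developer action=SELECT table=card_tokens rows=40
2024-03-01T09:16:02Z cde-db01 dbaudit: user=jsmith role=billing action=SELECT table=orders rows=3
2024-03-01T09:18:30Z cde-db01 dbaudit: user=root role=dba action=SELECT table=pan_vault rows=12
2024-03-01T09:20:51Z cde-db01 dbaudit: user=mfraud role=fraud action=SELECT table=card_tokens rows=8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dbaudit: (?P<fields>.*)$")

# Assumed policy: which roles have a business need to know for each
# cardholder-data table (Requirement 7). Tables not listed here are out of scope.
NEED_TO_KNOW = {
    "card_tokens": {"billing", "fraud"},
    "pan_vault": {"fraud"},
}
# Assumed list of shared/generic account names that do not identify an
# individual person (Requirement 8).
GENERIC_ACCOUNTS = {"admin", "root", "sa", "administrator"}
# Assumed threshold above which a single query is treated as a bulk pull
# that the monitoring process (Requirement 10) should surface.
BULK_ROWS = 1000


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    rec["rows"] = int(rec.get("rows", "0"))
    return rec


def audit(log_text):
    """Return a list of (requirement, user, reason) findings for accesses to
    cardholder-data tables. Accesses to other tables are ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("table") not in NEED_TO_KNOW:
            continue
        user, role, table = rec["user"], rec["role"], rec["table"]
        if role not in NEED_TO_KNOW[table]:
            findings.append(("Req 7", user, f"role {role} has no need to know for {table}"))
        if user in GENERIC_ACCOUNTS:
            findings.append(("Req 8", user, f"generic account accessed {table}"))
        if rec["rows"] >= BULK_ROWS:
            findings.append(("Req 10", user, f"bulk read of {rec['rows']} rows from {table}"))
    return findings


if __name__ == "__main__":
    for req, user, reason in audit(SAMPLE_LOG):
        print(f"{req}: {user}: {reason}")
```

Against the constructed sample, the billing and fraud users are silent, the developer account is flagged under Requirement 7, and the two generic accounts are flagged twice each (no need to know for their role, and a shared identity); the 2,500-row read by `admin` additionally surfaces as a bulk pull. In practice the role mapping would come from the access-control system rather than a dict, but the shape of the check is the same.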