Payment Card Industry (PCI) Compliance


Don't Let Credit Card Theft Hurt Your Business

In 2005, Visa and MasterCard released a set of security requirements known as the Payment Card Industry (PCI) Data Security Standard. The purpose of PCI is to protect cardholder information, reduce debit and credit card fraud, and identify security issues that could lead to the compromise of cardholder information, by imposing strict security standards on how cardholder data is handled and stored.

PCI requires that businesses that process, store, or transmit cardholder account and/or transaction information adhere to its requirements. This includes all members, merchants, retailers, and payment service providers. Failure to comply with PCI, followed by a breach of card data within a merchant's site, may result in substantial fines and, potentially, the inability to accept card payments.

Unlike many other products, IPLocks is completely compatible with the PCI requirement for encrypted networks, and it does not add latency or additional points of failure to business applications.

Addressing PCI with IPLocks

The PCI standard virtually mandates that organizations employ database security software like IPLocks to maintain compliance. Here's how IPLocks addresses key requirements of the PCI standard:

  • Section 2: Do not use vendor-supplied defaults for system passwords and other security parameters
    • Finds default passwords
    • Verifies system security settings
    • Detects unwanted services
    • Provides configuration and security recommendations
  • Section 3: Protect stored cardholder data
    • Monitors data access for valid use
    • Provides insider threat protection
    • Validates compensating controls (see PCI Appendix B)
    • Examines transactions and selection of data
  • Section 5: Use and regularly update anti-virus software or programs
    • Provides checks for databases similar to those of anti-virus programs
    • Discovers database vulnerabilities
    • Detects out-of-date patches and recommends the correct patches
  • Section 6: Develop and maintain secure systems and applications
    • Detects unwanted accounts
    • Performs penetration tests
    • Identifies out-of-date patch levels
    • Discovers database vulnerabilities
    • Documents the impact of vulnerabilities and changes
    • Recommends the remediation required to address vulnerabilities
  • Section 7: Restrict access to data by business need-to-know
    • Verifies that business and security rules regarding data access are being followed
    • Monitors access grants and privilege changes to find unauthorized changes
    • Maintains an activity trail for data access
    • Identifies the user, application, and location of data access
    • Detects threats in real time and responds appropriately
  • Section 8: Unique user IDs
    • Verifies user identity
    • Verifies password settings
    • Maps client and/or network identity to database activity
    • Reconciles account activity with privilege levels
    • Monitors all access to databases containing credit card data
  • Section 10: Monitor all access to cardholder data
    • Records all access to and transactions with credit card data
    • Reports on failed login attempts
    • Stores audit data in an independent, limited-access repository
    • Issues security policy alerts through email, pagers, and system management tools
    • Catches data access through console connections, stored procedures, and batch jobs
    • Detects unusual activity or access to cardholder data
  • Section 11: Regularly test security systems and processes
    • Verifies PCI controls through audit analysis
    • Performs periodic penetration tests
    • Performs periodic vulnerability assessments
    • Verifies structural integrity and application logic through metadata monitoring
    • Assures appropriate privilege levels through privilege change monitoring
  • Section 12: Maintain a policy that addresses information security for employees and contractors
    • Standardizes security policies for different user types and applies them to all relevant databases
    • Propagates alerts on policy violations to security, IT, and other personnel
    • Prepares both summary and detailed reports for management and IT

For more information, you can contact IPLocks directly at iplocks-sales@iplocks.co.jp or by calling +81-50-3786-6911.