Any PCI DSS experts on here? - SV650.org

02-12-08, 08:54 AM

Any chance of putting some bullet points of compliance down on here and possibly any good resources?

Tks,

Kev

02-12-08, 08:05 PM

unless you have about a million to spend on being compliant I'd avoid PCI

02-12-08, 09:43 PM

I didn't think you could avoid it?

fizzwheel · 02-12-08, 09:47 PM

Quote:

Originally Posted by krhall

I didn't think you could avoid it?

If you process credit / debit cards in any way shape or form you can't.

We're going through it at the moment. But I've so far avoided having anything to do with it.

03-12-08, 01:41 AM

Basic requirements for compliance:

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

I don't really have a list of how to go about implementing any of those requirements though. That usually dealt with on a case-by-case basis.

03-12-08, 04:41 PM

Quote:

Originally Posted by krhall

I didn't think you could avoid it?

ha!! you'd be surprised how many are not compliant and nobody can do anything to them.......well won't do anything to them

03-12-08, 05:41 PM

Quote:

Originally Posted by 600+

ha!! you'd be surprised how many are not compliant and nobody can do anything to them.......well won't do anything to them

From my list above, I've seen companies larger than you'd expect to fall down on requirements 1, 5 & 6. From there, with sufficient knowledge, all data is obtainable, therefore they're not compliant IMO.

03-12-08, 06:52 PM

oh I totally agree with you Baph

03-12-08, 09:52 PM

I know a few too, fortunately a lot of what we have been doing for years is very good I think we just need some tweaking and for me to read the book!

Fortunately I know enough about it to know that the ownership of it does not sit with me...........which I am pleased about.

02-12-08, 08:54 AM	#1
krhall Guest Posts: n/a	Any PCI DSS experts on here? Any chance of putting some bullet points of compliance down on here and possibly any good resources? Tks, Kev

02-12-08, 08:05 PM	#2
600+ Guest Posts: n/a	Re: Any PCI DSS experts on here? unless you have about a million to spend on being compliant I'd avoid PCI

02-12-08, 09:43 PM	#3
krhall Guest Posts: n/a	Re: Any PCI DSS experts on here? I didn't think you could avoid it?

03-12-08, 01:41 AM	#5
Baph Guest Posts: n/a	Re: Any PCI DSS experts on here? Basic requirements for compliance: Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security I don't really have a list of how to go about implementing any of those requirements though. That usually dealt with on a case-by-case basis.

03-12-08, 06:52 PM	#8
600+ Guest Posts: n/a	Re: Any PCI DSS experts on here? oh I totally agree with you Baph

03-12-08, 09:52 PM	#9
krhall Guest Posts: n/a	Re: Any PCI DSS experts on here? I know a few too, fortunately a lot of what we have been doing for years is very good I think we just need some tweaking and for me to read the book! Fortunately I know enough about it to know that the ownership of it does not sit with me...........which I am pleased about.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Experts of the law?	gettin2dizzy	Idle Banter	11	17-08-08 03:46 PM
Diesel car experts?	the_lone_wolf	Idle Banter	45	30-07-08 12:42 PM
Bandit experts	Spider	Bikes - Talk & Issues	5	24-12-07 01:31 PM
any plumbers/DIY experts	hovis	Idle Banter	27	01-10-07 08:22 PM
A question for do experts	svJvJ	Idle Banter	4	30-09-07 12:27 PM