Welcome!

Open Web Authors: Liz McMillan, Lori MacVittie, Gilad Parann-Nissany, Carmen Gonzalez, Mark R. Hinkle

Related Topics: Security, XML, SOA & WOA, Search, Web 2.0, Open Web

Security: Article

What Are the Basics of PCI DSS?

Why is it so important to businesses today?

First, PCI DSS stands for Payment Card Industry Data Security Standard. It started out as a series of five separate programs, namely: American Express Data Security Operating Policy, Discover Information and Compliance, JCB Data Security Program, MasterCard Site Data Protection and Visa Card Information Security Program.

While each program was unique and came from different (in some cases, competing) brands, the overall aim was the same throughout: to ensure merchants meet minimum levels of security in storing, processing and transmitting cardholder data in order to better protect card issuers.

The five separate but similar policies were eventually collated in 2004 when the PCI DSS was created. Soon afterward, each company aligned their own policies to correlate with that of the new industry standard.

Updates
Since its creation in 2004, the PCI DSS policy has undergone numerous updates in order to keep on top of recent developments, whilst improving clarity and flexibility. One of the largest of these updates came in 2009 when the PCI DSS was amended to deal with wireless transactions. This brought about the recommendation for all firms to use a Wireless Intrusion Prevention System to remain PCI DSS-compliant in the new marketplace.

Another sizeable update came in 2010 regarding call centre work. Often in call centre work, customers are asked to read out their card information, including the CVV code, to the person on the other end. Furthermore, the majority of calls are recorded for security and training purposes, meaning that others in the call centre can gain access to the recordings without needing to undergo security clearance. This made the process of 'skimming' details incredibly easy.

This practice leads to revisions into procedure for call centre recordings. Now, call centres are not permitted to store recordings that include the three-digit CVV number if they can be queried.

Requirements
When in operation, PCI DSS is aimed at providing 12 requirements to cover six main control objectives. The first objective is to build and maintain a secure network. To ensure compliance, businesses need to install and maintain a firewall to protect cardholder data. They must also not use vendor-supplied defaults for their security measures (such as using 'password', the business name or '0000' as a passwords or codes).

Secondly, in order to protect cardholder data, businesses must protect any information they have stored on system and ensure that any data that is transmitted across open, public networks is comprehensively encrypted.

The third control objective is to maintain a vulnerability management programme. To attain compliance, businesses must use and maintain anti-virus software on all their systems that may otherwise be affected by malware. This must be kept up-to-date at all times to guarantee protection against even the newest threats. Businesses must also develop and maintain secure systems and applications across the network.

To implement strong access control measures (the fourth objective), businesses must restrict access to cardholder data by business on a need-to-know basis. They must then assign each different computer user with a unique ID so usage can be tracked back to each individual. Firms must also restrict physical access to cardholder data.

The fifth objective tasks firms with regularly monitoring and testing their networks. To ensure compliance here, businesses must track and monitor all access to network resources and cardholder data, as well as regularly test their security systems/processes.

Lastly, businesses must ensure they maintain a policy that addresses information security.

Keeping up to date with PCI DSS can be a large undertaking for a brand, but high-profile cases of firms that have seen their security breached - as well as the fall-out that came afterwards - shows just how important it is to stick closely to the best practice guidelines.

More Stories By Dominic Monkhouse

Dominic Monkhouse joined PEER 1 Hosting as managing director of the company's new UK operations in January, 2009, bringing more than 14 years of IT industry experience to the team. He is the key executive responsible for building and growing PEER 1 Hosting's expansion into Europe. In his role as managing director, Dominic is responsible for sales, marketing and service delivery across PEER 1 Hosting's UK business and ensuring overall customer satisfaction. His role is integral to the company's continued commitment to customer service.

Before joining PEER 1 Hosting, Dominic served as managing director of IT Lab, where he was able to quickly transform the company into the fastest growing IT service provider in the UK SME market. Prior to IT Lab, he was managing director of Rackspace, which grew from a staff of four to 150 under his guidance.

Dominic has a Bachelor of Science in Agricultural and Food Marketing from Newcastle University and a MBA from Sheffield Business School in the UK. He frequently participates in public speaking events on the topic of creating great places to work and achieving continuous client satisfaction. He also is involved as a judge of the Sunday Times Customer Experience Awards.

@ThingsExpo Stories
Code Halos - aka "digital fingerprints" - are the key organizing principle to understand a) how dumb things become smart and b) how to monetize this dynamic. In his session at @ThingsExpo, Robert Brown, AVP, Center for the Future of Work at Cognizant Technology Solutions, outlined research, analysis and recommendations from his recently published book on this phenomena on the way leading edge organizations like GE and Disney are unlocking the Internet of Things opportunity and what steps your organization should be taking to position itself for the next platform of digital competition.
The Industrial Internet revolution is now underway, enabled by connected machines and billions of devices that communicate and collaborate. The massive amounts of Big Data requiring real-time analysis is flooding legacy IT systems and giving way to cloud environments that can handle the unpredictable workloads. Yet many barriers remain until we can fully realize the opportunities and benefits from the convergence of machines and devices with Big Data and the cloud, including interoperability, data security and privacy.
In their session at @ThingsExpo, Shyam Varan Nath, Principal Architect at GE, and Ibrahim Gokcen, who leads GE's advanced IoT analytics, focused on the Internet of Things / Industrial Internet and how to make it operational for business end-users. Learn about the challenges posed by machine and sensor data and how to marry it with enterprise data. They also discussed the tips and tricks to provide the Industrial Internet as an end-user consumable service using Big Data Analytics and Industrial Cloud.
SYS-CON Media announced that Splunk, a provider of the leading software platform for real-time Operational Intelligence, has launched an ad campaign on Big Data Journal. Splunk software and cloud services enable organizations to search, monitor, analyze and visualize machine-generated big data coming from websites, applications, servers, networks, sensors and mobile devices. The ads focus on delivering ROI - how improved uptime delivered $6M in annual ROI, improving customer operations by mining large volumes of unstructured data, and how data tracking delivers uptime when it matters most.
Today’s enterprise is being driven by disruptive competitive and human capital requirements to provide enterprise application access through not only desktops, but also mobile devices. To retrofit existing programs across all these devices using traditional programming methods is very costly and time consuming – often prohibitively so. In his session at @ThingsExpo, Jesse Shiah, CEO, President, and Co-Founder of AgilePoint Inc., discussed how you can create applications that run on all mobile devices as well as laptops and desktops using a visual drag-and-drop application – and eForms-buildi...
Things are being built upon cloud foundations to transform organizations. This CEO Power Panel at 15th Cloud Expo, moderated by Roger Strukhoff, Cloud Expo and @ThingsExpo conference chair, addressed the big issues involving these technologies and, more important, the results they will achieve. Rodney Rogers, chairman and CEO of Virtustream; Brendan O'Brien, co-founder of Aria Systems, Bart Copeland, president and CEO of ActiveState Software; Jim Cowie, chief scientist at Dyn; Dave Wagstaff, VP and chief architect at BSQUARE Corporation; Seth Proctor, CTO of NuoDB, Inc.; and Andris Gailitis, C...
SYS-CON Events announced today that CodeFutures, a leading supplier of database performance tools, has been named a “Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. CodeFutures is an independent software vendor focused on providing tools that deliver database performance tools that increase productivity during database development and increase database performance and scalability during production.
SYS-CON Events announced today that ActiveState, the leading independent Cloud Foundry and Docker-based PaaS provider, has been named “Silver Sponsor” of SYS-CON's DevOps Summit New York, which will take place June 9-11, 2015, at the Javits Center in New York City, NY. ActiveState believes that enterprises gain a competitive advantage when they are able to quickly create, deploy and efficiently manage software solutions that immediately create business value, but they face many challenges that prevent them from doing so. The Company is uniquely positioned to help address these challenges thro...
IoT is still a vague buzzword for many people. In his session at @ThingsExpo, Mike Kavis, Vice President & Principal Cloud Architect at Cloud Technology Partners, discussed the business value of IoT that goes far beyond the general public's perception that IoT is all about wearables and home consumer services. He also discussed how IoT is perceived by investors and how venture capitalist access this space. Other topics discussed were barriers to success, what is new, what is old, and what the future may hold. Mike Kavis is Vice President & Principal Cloud Architect at Cloud Technology Pa...
Dale Kim is the Director of Industry Solutions at MapR. His background includes a variety of technical and management roles at information technology companies. While his experience includes work with relational databases, much of his career pertains to non-relational data in the areas of search, content management, and NoSQL, and includes senior roles in technical marketing, sales engineering, and support engineering. Dale holds an MBA from Santa Clara University, and a BA in Computer Science from the University of California, Berkeley.
SYS-CON Media announced that Cisco, a worldwide leader in IT that helps companies seize the opportunities of tomorrow, has launched a new ad campaign in Cloud Computing Journal. The ad campaign, a webcast titled 'Is Your Data Center Ready for the Application Economy?', focuses on the latest data center networking technologies, including SDN or ACI, and how customers are using SDN and ACI in their organizations to achieve business agility. The Cisco webcast is available on-demand.
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
"People are a lot more knowledgeable about APIs now. There are two types of people who work with APIs - IT people who want to use APIs for something internal and the product managers who want to do something outside APIs for people to connect to them," explained Roberto Medrano, Executive Vice President at SOA Software, in this SYS-CON.tv interview at Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Performance is the intersection of power, agility, control, and choice. If you value performance, and more specifically consistent performance, you need to look beyond simple virtualized compute. Many factors need to be considered to create a truly performant environment. In his General Session at 15th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, discussed how to take advantage of a multitude of compute options and platform features to make cloud the cornerstone of your online presence.
In this Women in Technology Power Panel at 15th Cloud Expo, moderated by Anne Plese, Senior Consultant, Cloud Product Marketing at Verizon Enterprise, Esmeralda Swartz, CMO at MetraTech; Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems; Seema Jethani, Director of Product Management at Basho Technologies; Victoria Livschitz, CEO of Qubell Inc.; Anne Hungate, Senior Director of Software Quality at DIRECTV, discussed what path they took to find their spot within the technology industry and how do they see opportunities for other women in their area of expertise.
Almost everyone sees the potential of Internet of Things but how can businesses truly unlock that potential. The key will be in the ability to discover business insight in the midst of an ocean of Big Data generated from billions of embedded devices via Systems of Discover. Businesses will also need to ensure that they can sustain that insight by leveraging the cloud for global reach, scale and elasticity.
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...
As enterprises move to all-IP networks and cloud-based applications, communications service providers (CSPs) – facing increased competition from over-the-top providers delivering content via the Internet and independently of CSPs – must be able to offer seamless cloud-based communication and collaboration solutions that can scale for small, midsize, and large enterprises, as well as public sector organizations, in order to keep and grow market share. The latest version of Oracle Communications Unified Communications Suite gives CSPs the capability to do just that. In addition, its integration ...
“The age of the Internet of Things is upon us,” stated Thomas Svensson, senior vice-president and general manager EMEA, ThingWorx, “and working with forward-thinking companies, such as Elisa, enables us to deploy our leading technology so that customers can profit from complete, end-to-end solutions.” ThingWorx, a PTC® (Nasdaq: PTC) business and Internet of Things (IoT) platform provider, announced on Monday that Elisa, Finnish provider of mobile and fixed broadband subscriptions, will deploy ThingWorx® platform technology to enable a new Elisa IoT service in Finland and Estonia.
From telemedicine to smart cars, digital homes and industrial monitoring, the explosive growth of IoT has created exciting new business opportunities for real time calls and messaging. In his session at @ThingsExpo, Ivelin Ivanov, CEO and Co-Founder of Telestax, shared some of the new revenue sources that IoT created for Restcomm – the open source telephony platform from Telestax. Ivelin Ivanov is a technology entrepreneur who founded Mobicents, an Open Source VoIP Platform, to help create, deploy, and manage applications integrating voice, video and data. He is the co-founder of TeleStax, a...