
Wednesday, April 27, 2005

Payment Card Industry Security Guidelines

I heard about this back in December, but it slipped off my radar. Now news outlets like The Register and News.com are reporting on the Payment Card Industry (PCI) Data Security Standard. Prior to standardization on the PCI, vendors had to juggle the Visa Cardholder Information Security Program (CISP), the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy (DSOP), and the Discover Information Security and Compliance (DISC) document.

The PCI was publicized back in December when Visa released a memo (available in .pdf form here) letting vendors know what was happening.

The PCI standard consists of twelve requirements:

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Visa's Cardholder Information Security Program page has the most browsable online content, but the Mastercard page has information as well.

Merchant e-Solutions summarizes PCI, with a note that level 2 (150,000 to 6,000,000 transactions per year) and level 3 (20,000 to 150,000 transactions per year) merchants require validation by a "Qualified Independent Scan Vendor" no later than June 30, 2005. Some documents also mention a "Qualified Independent Security Assessor." I've emailed Visa to find out how a vendor becomes "qualified," although one of my friends is already taking his security company through the process.

I think helping merchants meet these standards will usher in a new wave of assessment business for security vendors. On a smaller scale, requirements to "Regularly Monitor and Test Networks" include intrusion detection and traffic audit components, so I look forward to participating in this process myself.

I noticed Foundstone offers a series of Webcasts on PCI and other standards. Regarding other standards, Application Security Inc. helpfully summarizes several of them in one place.

Update: I just got this email from Visa:

Thank you for your interest in the Visa CISP program. Visa is unable to qualify additional security assessors at this time. We are, however, currently considering opening the qualification program again to accept new security assessors. We will keep your information on file and respond if the program opens again. We will also make this information available on the website, so be sure to check back periodically.

Your company may certainly assist companies in meeting and maintaining compliance with the CISP requirements. Unfortunately, Visa is unable to review compliance solutions at this time.

MasterCard owns the scan vendor qualification program. You will need to contact MasterCard to apply for the program. https://sdp.mastercardintl.com/

Regards,
The CISP Team
http://www.visa.com/cisp

Update 2: Here is Visa's list of Qualified Independent Security Assessors in .pdf format. Here is Mastercard's list of Qualified Independent Scan Vendors. Mastercard explains their vendor certification process on that page, but they have not yet responded to the email I sent yesterday. Mastercard does provide a Web-based form to let candidate vendors begin the certification process.

Update 3: I got an email from Mastercard pointing me to the resources I outlined earlier. The sender said Mastercard charges $5,000 to become a Qualified Independent Scan Vendor. How can they possibly justify this cost? Unlike Visa, however, Mastercard is currently accepting new applicants to become Qualified Independent Scan Vendors.