Credit Card Security Standards, Change Control

SECURITY INDUSTRY WATCH

Credit Card Companies' Data Security Standards Now in Effect. Are you in compliance?

VISA, MasterCard, Discover, and American Express have joined up to create the Payment Card Industry Data Security Standard, or PCI DSS. The objective of the PCI DSS is to reduce financial losses caused by security breaches on merchant computer systems.

Every merchant, big and small, is potentially subject to the Data Security Standard. If your organization stores credit card numbers on computers or transmits credit card numbers on networks, then your organization is required to comply with the PCI DSS. This is the case whether you take payments online through a web site, or if you take payments "over the counter" and record credit card numbers in computers for recordkeeping purposes.

Let's talk about merchant size for a minute, and we'll keep this simple. Organizations that process more than 20,000 VISA e-commerce transactions per year (that's only 1,667 per month or 55 each day) are required to submit a detailed statement of compliance by June 30, 2005 and submit to quarterly network vulnerability scans.

The PCI Data Security Standard is divided into twelve sections, which boil down to these three principles:

1. Identify and protect your critical data
2. Document and faithfully execute your processes
3. Keep good records

What if my organization does not attempt to meet the requirements? VISA is unlikely to be lenient, given that the security breaches related to credit cards are growing larger by the month. Your organization may be fined, or barred from processing VISA transactions.

BUILDING YOUR INFORMATION SECURITY PROGRAM
Part of a multi-part series

Part 3, Change Control

A vital part of any organization's security program is Change Control.

What is Change Control?

Simply put, Change Control is a process that ensures that only properly requested, reviewed, and approved changes are permitted on production computers and networks.

A vital part of Change Control is thorough recordkeeping. Requests, reviews, approvals, and completions must all be documented. Most larger companies have Change Control processes in place, but many smaller companies have yet to join the party.

What does Change Control have to do with security? Plenty. Two things, actually. First, Change Control helps prevent mistakes, some of which can have security implications. Second, when everyone in an IT department knows that all changes are being monitored, insiders are less likely to attempt any sort of fraud or sabotage. Because changes are monitored, there is a greater chance that the perpetrators will be caught.

Building a new Change Control process, or fixing one that isn't working quite right, need not be difficult. Experienced security and process professionals can help an organization determine how Change Control can best be implemented.

TERM OF THE MONTH

ENCRYPTION: the process of obscuring information using precise mathematical formulas that make the information unreadable except by those possessing special information. Once the purview of spy agencies and research institutions, encryption is now in the business mainstream. Specialized tools and programs are available that can encrypt vital information such as credit card numbers, rendering the information unreadable except by authorized parties. Encryption is a centerpiece of the Payment Card Industry Data Security Standard.

SUBSCRIPTION INFORMATION

Subscribe: newsletters/

Unsubscribe: newsletters/

Please allow 48 hours to process all subscription requests.

Contact us via e-mail at info@vantagepointsecurity.com or call us at 425.454.5455.

safeguarding the integrity of business information™
Copyright © 2002-2006 VantagePoint Security LLC