With the addition of new systems, devices, and virtual environments, achieving PCI compliance is an ongoing challenge. To be compliant, security professionals can no longer simply run vulnerability scans and collect firewall and intrusion detection logs; they need new tools and techniques that not only scan for and block potential threats, but also make it easy to maintain and prove compliance. In this guide, IT Managers and Security Professionals will get a better view into PCI DSS and learn how to overcome key challenges to reduce the cost of PCI compliance and ensure sensitive and personal information stays protected.
What are the PCI Data Security Standards?
PCI DSS encompasses and applies to all system components, defined as any network, server, or application included in, or connected to, the cardholder data environment.
The number of networks and devices used to perform business functions and online transactions continues to grow, both in physical and virtual form. Consider the U.S. airline industry’s plans to switch to a completely “plastic” business model, eliminating all non-credit transactions – a clear sign that using and storing cardholder data online is quickly becoming the cornerstone of many businesses.
The New Model: Cards Not Cash
The introduction of new digital business models continues to grow as well, introducing yet another set of physical and virtual systems and networks. Self-serve kiosks offering DVD rentals and credit-accepting vending machines that dispense soft drinks and the like are becoming more and more prevalent. Consumers and businesses continue to explore new ways to use credit cards in lieu of cash.
When we evaluate each of the business models associated with credit card transactions, we must look at each of the components that make up the business infrastructure that enables transactions to take place, and at the security models used to protect cardholder data. Key components – networks, endpoints, and data – each have a role to play in ensuring the transaction takes place accurately and securely.
- Network: There is a huge web of communication and storage components involved when a credit card transaction is conducted, ranging from consumer devices connecting to business services through fulfillment services, and back.
- Endpoints: The number of endpoints as input/output devices can easily appear to be an infinite number. Consider the enterprise servers, enterprise desktops, merchant service and fulfillment servers and desktops, and, of course, the consumer devices – desktops, laptops, mobile devices, and smart phones that may touch sensitive information.
- Data: The data is the real crown jewel when it comes to the PCI DSS. All of the requirements, implementations, and audits revolve around making sure that cardholder data is safe.