The PCI-DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It was established by the 5 major credit card brands in response to an increase in identity theft and payment card fraud. Every merchant or service provider that handles card data is responsible for safeguarding that information, can be held liable for security compromises, and must comply with PCI-DSS. Organised criminal gangs operate globally on the dark web; their only interest is money, so data is money, and their targets are everyone, anywhere.
PCI DSS Scope
CDE systems (in scope):
- System component stores, processes, or transmits CHD/SAD, or is on the same network segment (for example, in the same subnet or VLAN) as system(s) that store, process, or transmit CHD/SAD.
Connected-to and/or security-impacting systems (also in scope):
- System component is on a different network (or subnet or VLAN), but can connect to or access the CDE (e.g., via internal network connectivity).
- System component can connect to or access the CDE via another system (for example, via connection to a jump server that provides access to the CDE).
- System component can impact the configuration or security of the CDE, or how CHD/SAD is handled (for example, a web redirection server or name resolution server).
- System component provides security services to the CDE (for example, network traffic filtering, patch distribution, or authentication management).
- System component supports PCI DSS requirements, such as time servers and audit log storage servers.
- System component provides segmentation of the CDE from out-of-scope systems and networks (for example, firewalls configured to block traffic from untrusted networks).
Out-of-scope systems:
- System component does NOT store, process, or transmit CHD/SAD.
- System component is NOT on the same network segment or in the same subnet or VLAN as systems that store, process, or transmit CHD.
- System component cannot connect to or access any system in the CDE.
- System component cannot gain access to the CDE nor impact a security control for the CDE via an in-scope system.
- System component does not meet any criteria described for connected-to or security-impacting systems, per above.
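As an added illustration (not part of the original page), the scoping criteria above can be applied mechanically to an asset inventory; the field names, the classification labels and the sample systems below are assumptions constructed for this example.

```python
# Added example: a small scoping triage helper that applies the PCI DSS scope
# criteria to a constructed asset inventory. Field names and sample systems
# are assumptions for illustration, not from any real assessment.
from dataclasses import dataclass


@dataclass
class SystemComponent:
    name: str
    handles_chd_sad: bool = False             # stores, processes or transmits CHD/SAD
    same_segment_as_cde: bool = False         # same subnet/VLAN as a CHD/SAD system
    can_reach_cde: bool = False               # direct, or indirect via e.g. a jump server
    impacts_cde_security: bool = False        # e.g. web redirection or name resolution server
    provides_security_services: bool = False  # e.g. filtering, patch distribution, authentication
    supports_pci_requirements: bool = False   # e.g. time server or audit log storage
    segments_cde: bool = False                # e.g. firewall separating the CDE from other networks


def classify_scope(c: SystemComponent) -> str:
    """Return 'CDE', 'connected-to/security-impacting' or 'out-of-scope'."""
    if c.handles_chd_sad or c.same_segment_as_cde:
        return "CDE"
    if (c.can_reach_cde or c.impacts_cde_security or c.provides_security_services
            or c.supports_pci_requirements or c.segments_cde):
        return "connected-to/security-impacting"
    # Meets none of the CDE, connected-to or security-impacting criteria.
    return "out-of-scope"


def scope_report(inventory):
    """Map each component name to its scope category; everything except
    'out-of-scope' is in scope for the PCI DSS assessment."""
    return {c.name: classify_scope(c) for c in inventory}


# Constructed sample inventory (assumed names).
INVENTORY = [
    SystemComponent("payment-db", handles_chd_sad=True),
    SystemComponent("jump-server", can_reach_cde=True),
    SystemComponent("ntp-01", supports_pci_requirements=True),
    SystemComponent("cde-firewall", segments_cde=True),
    SystemComponent("marketing-web"),  # separate VLAN, no path to the CDE
]

if __name__ == "__main__":
    for name, scope in scope_report(INVENTORY).items():
        print(f"{name:15} {scope}")
```

A real scoping exercise must also verify each flag (for example, by testing segmentation), since a wrong "cannot reach the CDE" answer silently shrinks the scope.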
PCI DSS Requirements
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data and/or sensitive authentication data. It consists of steps that mirror security best practices.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
OUR CONSULTING APPROACH
Our consulting approach overview
We bring together professionals in information security and risk management, privacy, organizational design, business continuity, legal and compliance management in this process.