PCI Compliance Management and Compliant Hosting
The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Why should a merchant comply with the PCI Security Standards? At first glance, especially if you are a smaller organization, it may seem like a lot of effort, and confusing to boot. But not only is compliance becoming increasingly important, it may not be the headache you expect.
PCI DSS Requirements
Complying with the Payment Card Industry Data Security Standard (PCI DSS) is a great first step to protecting your business, your customers, and your reputation from the repercussions of cardholder data theft. PCI DSS requires merchants and service providers that store, process, or transmit cardholder data to apply security requirements to all “system components”. Additionally, everybody who simply accepts card payments must comply, as stated in their merchant agreement with their bank.
But what are the “security requirements”? How are “system components” defined? Do the rules really apply to you? This page is your one-stop link to answer those and many more questions. What does PCI DSS say about logging? For PCI DSS, your organization must do the following with logs and log management:
Regardless of the Level assigned to you, YOU MUST:
- Have good log data
- Collect Logs
- Store Logs for at least 1 year
- Protect your Log data
- Review Logs daily
Stone Street can help you with parts of all 12 requirements but we specifically focus on, and build tools for, PCI DSS Requirement 10.
The benefits of Stone Street’s solutions for PCI compliance:
- The Stone Street platform, in conjunction with the Compliance Suite: PCI Edition and Compliance Manager add-on products, provides the foundation for log collection, archival, and review (Requirement 10).
- Stone Street Security Event Manager speeds up the process of daily log review by prioritizing incidents.
- Stone Street Database Security Manager provides monitoring as a compensating control for database encryption (Requirement 3).
PCI DSS Requirement 1 requires you to install and maintain a firewall configuration and to periodically review firewall policies. Requirement 3 requires encryption of cardholder data, or monitoring installed as a compensating control. Most importantly, PCI DSS Requirement 10 mandates that you “track and monitor all access to network resources and cardholder data,” including a requirement to retain log data for one year, with a minimum of 3 months available online, and to review log data “daily”.
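The retention and review rules just quoted (one year retained, three months online, daily review) are simple enough to check mechanically against a log inventory. The script below is an added example, not Stone Street's code or a PCI Council tool; the inventory, review dates and reference date are constructed, and the tier names "online" and "archive" are assumed labels for your own storage.

```python
"""Retention and review-cadence check for PCI DSS Requirement 10 logging rules."""
from datetime import date, timedelta

ONLINE_DAYS = 90    # at least 3 months must be immediately available online
RETAIN_DAYS = 365   # at least 1 year must be retained (online or archive)
SAMPLE_TODAY = date(2024, 6, 1)  # constructed reference date for the sample data


def check_retention(entries, today):
    """entries: iterable of (day, tier) with tier 'online' or 'archive'.
    Returns [(day, reason), ...] for every day that breaks a retention rule."""
    online = {d for d, t in entries if t == "online"}
    kept = {d for d, _ in entries}
    findings = []
    for i in range(RETAIN_DAYS):
        d = today - timedelta(days=i)
        if i < ONLINE_DAYS and d not in online:
            # archived-but-not-online still fails the 3-month online rule
            findings.append((d, "not available online within the 3-month window"))
        elif d not in kept:
            findings.append((d, "missing from the 1-year retention window"))
    return findings


def check_daily_review(review_dates, today, lookback=30):
    """Days in the lookback window with no recorded log review (the standard says daily)."""
    reviewed = set(review_dates)
    return [today - timedelta(days=i) for i in range(lookback)
            if today - timedelta(days=i) not in reviewed]


def sample_inventory(today=SAMPLE_TODAY):
    """Constructed inventory: a year of daily logs with one gap in each tier."""
    return [(today - timedelta(days=i), "online" if i < ONLINE_DAYS else "archive")
            for i in range(RETAIN_DAYS) if i not in (10, 200)]


def sample_reviews(today=SAMPLE_TODAY):
    """Constructed review record: daily sign-offs except two missed days."""
    return [today - timedelta(days=i) for i in range(30) if i not in (3, 4)]


if __name__ == "__main__":
    for day, reason in check_retention(sample_inventory(), SAMPLE_TODAY):
        print(f"{day}: {reason}")
    for day in check_daily_review(sample_reviews(), SAMPLE_TODAY):
        print(f"{day}: no review recorded")
```

In practice the inventory would be built from your log store's metadata and the review dates from ticket or sign-off records; the checks themselves do not change.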
Requirements the PCI Edition of the Stone Street Compliance Suite can help you satisfy:
| Category | PCI Data Security Standard | Control Header |
|---|---|---|
| Security | Requirement 1 | Install and maintain a firewall configuration to protect data. |
| | Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. |
| | Requirement 11 | Regularly test security systems and processes. |
| Change Management | Requirement 6 | Develop and maintain secure systems and applications. |
| Identity and Access | Requirement 7 | Restrict access to data by business need-to-know. |
| | Requirement 8 | Assign a unique ID to each person with computer access. |
| Monitoring and Reporting | Requirement 10 | Track and monitor all access to network resources and cardholder data. |
Call Us: 1-877-748-7866
A Stone Street Solutions Team Member can assist you in customizing a solution designed for your environment. Call us to discuss which options will work best for you.