PCI Compliance Checklist – Achieving PCI DSS Compliance

To comply with the PCI DSS, an organization should follow three steps:

  • Assess – identify where cardholder data is held, take an inventory of the technology and business processes that handle it, and analyze them for vulnerabilities.
  • Remediate – fix the vulnerabilities found during assessment, and stop storing any cardholder data that is not needed.
  • Report – document and submit remediation validation reports, as well as compliance reports, to the acquiring bank and the card brands involved.

PCI Compliance Best Practices

The following best practices can help you improve your security measures so that you can more easily comply with the PCI DSS security requirements.

Use a firewall – Per the first requirement, you need to install a reliable firewall to protect your network and test it regularly to confirm that it is still effective.

Do not use default passwords – To be PCI compliant, you must ensure that all devices and user accounts use unique passwords (never the vendor-supplied defaults), and that those passwords include lowercase and capital letters, numbers and symbols, to make them harder to guess.

Use both digital and physical measures to protect cardholder data – The PCI standard requires you to put in place electronic and physical barriers to prevent unauthorized access to cardholder data. These barriers may include authentication protocols, strong password policies, locked servers and locked cabinets for sensitive physical records. Related measures are restricting access to cardholder data to those who need it and encrypting cardholder information whenever it is transmitted.

Create and enforce a security policy – A security policy should be drafted, supported by management, and made known across the organization, as well as to third-party vendors and customers. It should include a summary of how you protect customer data and explain your password and access requirements.

Establish an incident response process – Have a clear process for detecting, remediating, mitigating and recovering from security incidents.

Keep track of changes – Identify and review every change made to processes or technologies that affect cardholder data. Establish change controls that identify the impact on compliance of each change before it is made.

Keep software patched and install security updates – Many of the world’s biggest security breaches resulted from the exploitation of a known software vulnerability. Keeping software up to date, scanning systems for vulnerabilities and remediating what the scans find are critical defensive measures.