CHECKLIST: PCI/ISO COMPLIANCE
By Melbourne IT Enterprise Services
/ BROCHURE /
MELBOURNE IT ENTERPRISE SERVICES 2
CHECKLIST: PCI/ISO COMPLIANCE
If your business handles credit card transactions then you've probably heard of the Payment Card Industry Data Security Standard (PCI DSS), as well as Information Security Management (ISO). These terms are being mentioned more frequently as major corporate data breaches at international retailers and financial institutions place millions of card records in the hands of cybercriminals. In response to this significant and growing problem, the PCI/ISO standards are designed to prepare businesses and institutions with an online presence to protect themselves from the attentions of hackers.
PCI/ISO compliance should be a priority for any business looking to protect itself from data breaches
along with any potential legal action that could result from such incidents. In addition, being able to
actively demonstrate to your customers that you are doing everything possible to keep their personal
and financial data secure will improve customer relations and protect against significant reputational
losses which often cannot be measured in terms of dollars.
HOW SHOULD THESE CHECKLISTS BE USED?
For online retailers and service providers looking to deliver their product and process credit card transactions, there are a number of considerations regarding regulatory certification and maintaining compliance with the regulatory standards of various initiatives. This checklist highlights the different requirements businesses need to account for when looking to maintain compliance with the Payment Card Industry Data Security Standard and the ISO Code of Practice for Information Security Management (ISO 27001/27002).
Use this checklist to provide a high-level summary of your status against the key aspects of regulatory compliance and to identify where compliance management service providers can help fill the identified gaps, streamlining the process through pre-certification and the reduction of validation requirements.
PCI DSS CHECKLIST
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure operational environment. The following requirements need to be taken into account for PCI DSS compliance:
Do you have an installed firewall solution to protect cardholder data?
Do you routinely use anti-virus software solutions which are regularly patched and updated to ensure optimal efficiency?
Do you have personalised system passwords and other security parameters rather than vendor-supplied defaults?
Can you develop and maintain secure systems and applications with hardened and securely written code?
Can you restrict physical access to cardholder data? i.e. can you limit physical access to authorised personnel through the use of tangible security measures?
Can you properly identify and authenticate access to system components?
Are you able to efficiently track and monitor all access to network resources and cardholder data?
Can you restrict cardholder data to a "need to know" basis?
Can you adequately protect stored cardholder data?
Do you encrypt the transmission of cardholder details across open, public networks?
Do you regularly test security systems and processes to ensure optimal effectiveness?
Do you maintain a policy that addresses all pertinent information security issues for all personnel?
Are you aware of the many benefits of PCI DSS compliance, including increased levels of consumer and business partner trust?
Are you aware that the PCI standards of compliance still apply to your business even if you only accept credit card payments over the phone?
Are you aware of the steep fines which can be levied against banks and businesses for non-compliance?
Do you know your "merchant level" (ranging from 1 through to 4 depending on the volume of annual credit card transactions carried out by your organisation) and the subsequent effect of your merchant level on your compliance requirements?
Did you know that being PCI DSS compliant will help you become better prepared for complying with recently introduced regulations as well as regulations proposed for future implementation?
ISO CHECKLIST
This comprehensive set of security standards provides the guiding principles for improving information security management within any given organisation. It covers best practice relating to every part of information security, from implementation through to ongoing maintenance. While there are hundreds of potential controls outlined and suggested, the following checklist addresses the main points regarding ISO compliance:
Does your organisation maintain a clear, well-defined and easily understandable security policy which employees can adhere to?
Is the organisation's security of information handled by a dedicated team with an appointed departmental head responsible for updating and maintaining the security policy?
Is the head of information security also responsible for security asset management, with clearly defined protocols for their access and operation?
Does your organisation's security policy comprehensively cover human resources security? Are employees properly instructed in all ongoing security protocols, including communication and ethics?
Does your organisation's security policy account for physical and environmental security, where access to security hardware is properly restricted to authorised personnel?
Has your organisation made a thorough assessment of potential security risks which could affect it, along with the likelihood of occurrence and estimated potential impact of each threat?
Does this assessment take into account the organisation's overall business strategy and objectives?
Does this assessment take into account the legal, statutory, regulatory and contractual requirements that an organisation, its trading partners, contractors and service providers have to satisfy?
SOURCES
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
https://www.pcicomplianceguide.org/pci-faqs-2/#1
https://www.iso.org/obp/ui/#iso:std:54533:en
ABOUT MELBOURNE IT
Melbourne IT Enterprise Services designs, builds and manages cloud solutions for Australia's leading enterprises. Its expert staff help solve business challenges and build cultures that enable organisations to use technology investments efficiently and improve long-term value. With more than 15 years' experience in delivering managed outcomes to Australian enterprises, Melbourne IT has long been associated with enabling success. Its certified cloud, consulting and security experts repeatedly deliver results. This is why many of the brands you already know and trust rely on Melbourne IT.
THE RIGHT SOLUTION IS MELBOURNE IT
melbourneitenterprise.com.au
1800 664 222 [email protected]