All-In-One / CISSP All-in-One Exam Guide, Seventh Edition / Harris / 184927-0 / Chapter 1
CISSP All-in-One Exam Guide
Payment Card Industry Data Security Standard (PCI DSS)
Identity theft and credit card fraud are increasingly common. Not that these things
did not occur before, but the advent of the Internet and computer technology have combined
to create a scenario where attackers can steal millions of identities at a time.
The credit card industry took proactive steps to curb the problem and stabilize
customer trust in credit cards as a safe method of conducting transactions. Each of the
four major credit card vendors in the United States developed its own program that its
customers had to comply with:
• Visa Cardholder Information Security Protection (CISP)
• MasterCard Site Data Protection (SDP)
• Discover Discover Information Security and Compliance (DISC)
• American Express Data Security Operating Policy (DSOP)
Eventually, the credit card companies joined forces and devised the Payment Card
Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was
created as a separate entity to maintain and enforce the PCI DSS.
The PCI DSS applies to any entity that processes, transmits, stores, or accepts credit
card data. Varying levels of compliance and penalties exist and depend on the size of
the customer and the volume of transactions. However, credit cards are used by tens
of millions of people and are accepted almost anywhere, which means just about every
business in the world is affected by the PCI DSS.
The PCI DSS is made up of 12 main requirements broken down into six major
categories. The six categories of PCI DSS are Build and Maintain a Secure Network
and Systems, Protect Cardholder Data, Maintain a Vulnerability Management Program,
Implement Strong Access Control Measures, Regularly Monitor and Test Networks, and
Maintain an Information Security Policy.
NOTE According to PCI DSS 3.1, Secure Sockets Layer (SSL) and early
Transport Layer Security (TLS) are not considered secure. New systems
should not use them, and existing systems can only use them until June
2016 provided they incorporate risk mitigations.
The control objectives are implemented via 12 requirements, as stated at https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml:
• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other security
parameters.
• Protect stored cardholder data.
• Encrypt transmission of cardholder data across open, public networks.
• Protect all systems against malware and regularly update antivirus software
or programs.
Chapter 1: Security and Risk Management
• Develop and maintain secure systems and applications.
• Restrict access to cardholder data by business need to know.
• Identify and authenticate access to system components.
• Restrict physical access to cardholder data.
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.
• Maintain a policy that addresses information security for all personnel.
The PCI DSS is a private-sector industry initiative. It is not a law. Noncompliance
or violations of the PCI DSS may result in financial penalties or possible revocation of
merchant status within the credit card industry, but not jail time. However, Minnesota
became the first state to mandate PCI compliance as a law, and other states, as well as the
U.S. federal government, are implementing similar measures.
NOTE As mentioned before, privacy is being dealt with through laws,
regulations, self-regulations, and individual protection. The PCI DSS is an
example of a self-regulation approach. It is not a regulation that came down
from a government agency. It is an attempt by the credit card companies
to reduce fraud and govern themselves so the government does not have
to get involved. While the CISSP exam will not ask you specific questions on
specific laws, in reality you should know this list of regulations and laws (at
the minimum) if you are serious about being a security professional. Each
one of these directly relates to information security. You will find that most
of the security efforts going on within companies and organizations today
are regulatory driven. You need to understand the laws and regulations to
know what controls should be implemented to ensure compliance.
Many security professionals are not well versed in the necessary laws and regulations.
One person may know a lot about HIPAA, another person might know some about
GLBA, but most organizations do not have people who understand all the necessary
legislation that directly affects them. You can stand head and shoulders above the rest by
understanding cyberlaw and how it affects various organizations.
Employee Privacy Issues
Within a corporation, several employee privacy issues must be thought through and
addressed if the company wants to be properly protected against employee claims of invasion
of privacy. An understanding that each state and country may have different privacy
laws should prompt the company to investigate exactly what it can and cannot monitor
before it does so.
If a company has a facility located in a state that permits keyboard, e-mail, and
surveillance camera monitoring, for example, the company must take the proper steps to
ensure that the employees of that facility know that these types of monitoring may be put