From a business perspective it makes perfect sense. If you hold cardholder data, the companies responsible for the cards (Visa, Mastercard et al.) need to know that you're holding the data securely. By being compliant, both your customers and the banks can trust your company. Additionally, you show you're staying within the law. PCI compliance stipulates that you cannot store all of the card data. You can store the credit card type, card number, cardholder name, and start and expiry dates. You cannot, however, store the 3-digit security code on the back of the card.
The amount of work you will need to do in order to become PCI compliant depends on your network infrastructure topology and on the security standards and policies already in place. If you only need to accept payments via your site, you can use PayPal or set up a merchant account and get an SSL certificate for secure online transactions.
If you need to hold credit card data, you need to ensure the presentation layer (GUI) and the data layer (database) are separated by a firewall. Your presentation layer also needs to be separated from the rest of your network by a firewall. Credit card data stored in the database must be encrypted, as must the passwords of the users who have access to it and could ultimately view the card details in clear text. Authentication should also be strong: the recommendation is a username, a strong password and a security token (think RSA).
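The storage rule from the opening paragraph (keep type, number, name and dates; never the security code) and the encryption requirement above, as an added Go example that is not code from this post: the record type written to the database has no CVV field at all, and the card number is held only as AES-256-GCM ciphertext plus a masked copy for display. The type and field names, the 13 to 19 digit length check and the first-six/last-four masking are my assumptions, not the post's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// CardInput is the form submission; the CVV serves the authorisation request only.
type CardInput struct{ Type, PAN, Holder, Start, Expiry, CVV string }
// StoredCard is the only shape written to the database: PAN encrypted plus a masked
// copy for display, and no CVV field at all, so it cannot be persisted by mistake.
type StoredCard struct {
	Type, Holder, Start, Expiry, MaskedPAN string
	EncryptedPAN                           []byte // nonce || AES-256-GCM ciphertext
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ToStored masks and encrypts the PAN and deliberately does not copy the CVV.
func ToStored(key []byte, in CardInput) (StoredCard, error) {
	gcm, err := aead(key)
	if n := len(in.PAN); err != nil || n < 13 || n > 19 { // assumed PAN length range
		return StoredCard{}, errors.New("bad key or PAN length out of range")
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	masked := in.PAN[:6] + strings.Repeat("*", len(in.PAN)-10) + in.PAN[len(in.PAN)-4:]
	return StoredCard{Type: in.Type, Holder: in.Holder, Start: in.Start, Expiry: in.Expiry,
		MaskedPAN: masked, EncryptedPAN: gcm.Seal(nonce, nonce, []byte(in.PAN), nil)}, nil
}

// OpenPAN recovers the clear PAN; only the payment service path should hold the key.
func OpenPAN(key []byte, rec StoredCard) (string, error) {
	gcm, err := aead(key)
	if err != nil || len(rec.EncryptedPAN) < gcm.NonceSize() {
		return "", errors.New("bad key or ciphertext too short")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, rec.EncryptedPAN[:n], rec.EncryptedPAN[n:], nil)
	return string(pt), err
}
```

The key is a constructed 32-byte value here; in a real deployment it would be issued and guarded by the key-management service behind the database-tier firewall, not stored beside the records.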
To achieve the separation described above in a secure and logical fashion, this author recommends the use of VLANs for logical separation of the various functional parts of the network. Additionally, by employing a DMZ and some intelligent routing, you can continue to update and patch your servers' anti-virus and OS.
All traffic in and out of your network should be monitored. This may be done using a proxy server. My choice would be Squid, as it's open source (and free, fast and reliable). My client has favoured Microsoft's ISA server (simple integration with the domain and fully supported). Both will do the jobs required.
Finally (for this post at least), your network requires a serious amount of logging. Should your network security be breached and credit card details be stolen, forensic data analysts will need to pore over your logs (dull for them and very costly for you). They should be able to trace all user activity: login times, folders opened and closed, etc., with timestamps for everything. Along with this, you require network intrusion detection tools.