3 Replies Latest reply on Mar 27, 2007 7:37 PM by John van Ommen

    PCI Data Security Compliance Templates

      Is anything in the works for Payment Card Industry (PCI) Compliance? Are there going to be any downloadable templates like CIS, SOX, etc.?



        • 1. Re: PCI Data Security Compliance Templates

          We need this too.

          • 2. Re: PCI Data Security Compliance Templates

            Certified CIS templates are available in the Knowledge Base under Toolkits. If you are on version 7 this link should be what you need.



            • 3. Re: PCI Data Security Compliance Templates

              It looks like BladeLogic could automate pieces of the Payment Card Industry Compliance standards. Some parts of it require physical security however. I'm basing that on the following information:


              " 1) Build and Maintain a Secure Network—In the first section of the Standard, it is required that all parties 1) Install and maintain a firewall configuration to protect data and 2) Do not use vendor-supplied defaults for system passwords and other security parameters. In order for firewalls to be effective, all communication from untrusted networks or hosts must be blocked, preventing external sources from interfacing with internal ones.


              2) Protect Cardholder Data—The section that is paramount to the goal of the Standard requires that merchants and service providers 1) Protect stored data and 2) Encrypt transmission of cardholder data and sensitive information across public networks. The most fundamental concept of this section is the need for secure storage and session protection. An effective solution will provide a comprehensive environment to securely store sensitive data, featuring strong firewall, strong authentication, session encryption, storage encryption, extensive auditing, access control, dual control and other security measures to ensure the security and confidentiality of data.


              3) Maintain a Vulnerability Management Program—The section requires that compliers 1) Use and regularly update anti-virus software and 2) Develop and maintain secure systems and applications. All applications, as well as the network itself, should be protected by an anti-virus solution. Additionally, it is important to ensure the organization has patch management solutions for existing applications and develops best practices for home grown applications.


              4) Implement Strong Access Control Measures—The fourth part of the Standard states that all affected parties must 1) Restrict access to data by business "need to know", 2) Assign a unique ID to each person with computer access and 3) Restrict physical access to cardholder data. Ensuring that users have access only to the level of data that they need is an important step in preventing data theft, particularly internal data theft. A good solution would store data in a highly departmentalized manner, allowing only authenticated users access to data based on their level of authorization. Every user should be assigned an individual account that easily allows them to access the data they need, while restricting them from accessing additional information, such as cardholder data.


              5) Regularly Monitor and Test Networks—This section requires that companies 1) Track and monitor all access to network resources and cardholder data and 2) Regularly test security systems and processes. Creating an audit trail is one of the most effective tools to assess who had access to data if a security breach was to occur.


              The optimum solution guarantees individual logging, while also recording every successful and unsuccessful event, such as login, data access and administrative activities. Additionally, these audit trails should also be stored in a safe manner and be encrypted and signed and unable to be altered manually. Another key feature to look for is the solution’s ability to maintain an audit trail for a predefined period of time, making it impossible to delete the log before the retention period expires.


              To meet the second requirement of this section, a company must regularly test, check and re-check all of its security solutions to ensure that everything is working correctly all the time.


              6) Maintain an Information Security Policy—The sixth section requires that merchants and service providers 1) Maintain a policy that addresses information security. The onus for this portion of the Standard falls squarely on the organization’s IT department and management team to create, define and enforce an information security policy throughout the organization. The policy should address all sections of the Standard and set rules and regulations for users, as well as penalties for non-compliance."