Most, if not all, mid-sized organizations engage in some form of e-commerce, whether through proprietary electronic data interchange (EDI) or over the Internet. E-commerce covers many activities, including online advertising, email marketing, information publishing, and the exchange of products and services. Very few of these activities avoid a financial transaction altogether, and fewer still avoid third-party services that are paid for by payment card. The four major payment card providers are American Express, Discover Financial Services, Mastercard Worldwide, and Visa International. These four organizations, together with JCB Co., Ltd., a Japan-based payment card brand, formed the PCI Security Standards Council in 2006 to own and maintain the standard, whose first version had been published in December 2004.
The Payment Card Industry Data Security Standard (PCI-DSS) is the set of policies, procedures and technical requirements the council maintains to protect cardholders from misuse of their account data and to strengthen the security of credit and debit card transactions. The standard is accepted globally and is widely treated as a core baseline when building e-commerce infrastructure. A major benefit is that it gives merchants, service providers and assessors a common vocabulary for communicating consistent data security measures.
The PCI-DSS consists of business- and service-level requirements covering security management, network architecture, software design and other mission-critical areas. Its primary objective is to help organizations protect customer account data and prevent fraud.
Real estate brokerages that are planning to design and develop an e-commerce system should become familiar with the PCI-DSS and understand its requirements. This understanding will help determine whether payment services should be developed in-house or outsourced. Note that payment card systems produce valuable operational data that is used for decision support and customer relationship management. If an organization decides to outsource its payment card processing, it must still consider the consequences for data storage and for integration with other tactical and strategic systems: outsourcing can shrink the part of the environment that is in scope for the standard, but any system that still stores, processes or transmits cardholder data remains the organization's responsibility.
In practical terms, the standard gives an organization a policy baseline for implementing security measures that protect cardholder data. That baseline covers security-related processes such as building and maintaining secure computer networks, implementing strong authentication and authorization, and controlling technical and organizational vulnerabilities.
Below is a high-level overview of the PCI-DSS requirements most relevant to a brokerage building such a system.
1. Install and maintain firewall configurations to protect cardholder data -
The systems that handle cardholder data must sit behind firewalls that separate them both from untrusted networks and from the rest of the business, data processing, and reporting applications. A firewall lets an organization keep its applications secured while still serving external clients outside its internal networks. A key design point is to build the firewall configuration around the database management systems that store cardholder data: inbound Internet traffic should terminate in a DMZ, and the database tier should sit on an internal segment with no direct route to or from the Internet, so that cardholder data is never stored on a host that is directly reachable from the Internet. Firewalls must also protect internal resources and secure remote access to applications, and every rule set should end in an explicit default deny so that only traffic the business has justified is permitted.
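The segmentation described above can be checked mechanically before a rule set is deployed. The following is an added example, not code from the original article: a small linter over a zone-based policy that flags any direct path between the Internet and the segment holding cardholder data, inbound Internet traffic that lands anywhere but the DMZ, zones that should not reach the database tier at all, port-any rules, and a missing closing default deny. The zone names, the rule format and both sample policies are assumptions made for illustration.

```python
"""Lint a zone-based firewall policy for the segmentation that PCI DSS
Requirement 1 expects: Internet traffic terminates in a DMZ, the segment
holding cardholder data (CDE) has no direct route to or from the Internet,
only named tiers may reach it, and the policy ends with a default deny.

Added example; not code from the original article. The zone names, rule
format and both sample policies are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERNET = "internet"
DMZ = "dmz"        # web/application tier that accepts inbound connections
CDE = "cde"        # internal segment with the database holding cardholder data
CORP = "corp"      # general internal user network
MGMT = "mgmt"      # administrative jump hosts
ANY = "any"

CDE_SOURCES = {DMZ, MGMT}  # the only zones permitted to open connections into the CDE


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int | str  # TCP/UDP port number, or ANY
    action: str      # "allow" or "deny"


DEFAULT_DENY = Rule(ANY, ANY, ANY, "deny")


def lint(rules: list[Rule]) -> list[str]:
    """Return one finding per violated segmentation rule; empty means the policy passes."""
    findings: list[str] = []
    for r in rules:
        if r.action != "allow":
            continue
        # No direct path in either direction between the Internet and the CDE
        # (covers both an exposed database and unrestricted outbound from it).
        if {r.src, r.dst} >= {INTERNET, CDE}:
            findings.append(f"direct traffic between Internet and CDE: {r}")
        # Inbound Internet traffic may only land in the DMZ.
        elif r.src == INTERNET and r.dst != DMZ:
            findings.append(f"inbound from Internet to non-DMZ zone {r.dst!r}: {r}")
        # Only the application tier and management hosts may reach the CDE.
        elif r.dst == CDE and r.src not in CDE_SOURCES:
            findings.append(f"zone {r.src!r} must not reach the CDE: {r}")
        # 'Restrict to what is necessary' is not met by port-any rules.
        if r.port == ANY:
            findings.append(f"service not restricted (port any): {r}")
    # Everything not explicitly allowed must be denied.
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("policy does not end with an explicit default deny")
    return findings


# Constructed 'before' policy: the database is reachable from the Internet and
# the whole corporate network can reach it on any port.
WEAK_POLICY = [
    Rule(INTERNET, DMZ, 443, "allow"),
    Rule(INTERNET, CDE, 3306, "allow"),
    Rule(CORP, CDE, ANY, "allow"),
]

# Constructed 'after' policy: Internet -> DMZ only, DMZ -> database port only,
# admin access from the management zone, and a closing default deny.
HARDENED_POLICY = [
    Rule(INTERNET, DMZ, 443, "allow"),
    Rule(DMZ, CDE, 3306, "allow"),
    Rule(MGMT, CDE, 22, "allow"),
    DEFAULT_DENY,
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = lint(policy)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run as a script, the weak policy produces four findings (the exposed database, the corporate zone reaching the database, the port-any rule, and the missing default deny) and the hardened policy produces none. The checks are deliberately expressed in terms of zones rather than addresses so the same logic can be run against a policy exported from whatever firewall product is in use once its rules have been mapped onto those zones.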
2. Do not use vendor-supplied defaults for system passwords and other security parameters -
Vendor-supplied defaults, including default passwords, default accounts, and other preset security parameters such as SNMP community strings, are publicly known and present a significant risk; they should be changed or removed before a system is connected to the network. This applies to the database management systems that store transactional data, the server software hosting web applications, and any infrastructure servers connected to the system. A related step is a scheduled password change process: rotate passwords on a fixed cycle and require "strong" combinations of numbers, letters, and special characters rather than short or dictionary-based values.
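Both halves of this requirement, the one-time removal of defaults and the ongoing rotation, can be checked from an account inventory. The following is an added example, not code from the original article: it compares each account's stored password hash against a list of known default credentials, flags passwords older than the rotation window, and applies a composition check when a new password is set. The inventory, the default-credential list and the policy values (a 90-day rotation window and a 7-character minimum) are illustrative assumptions.

```python
"""Audit an account inventory for PCI DSS Requirement 2 (no vendor-supplied
defaults) and for the scheduled password rotation described above, plus the
composition check to apply when a new password is set.

Added example; not code from the original article. The inventory, the
default-credential list and the policy values (90-day rotation, 7-character
minimum) are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation window
MIN_LENGTH = 7              # assumed minimum length


def _h(password: str) -> str:
    """SHA-256 of a password, so the audit never has to hold plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()


# Generic defaults used for illustration; a real audit would load a maintained,
# per-product list. Stored as (username, sha256(password)) pairs.
KNOWN_DEFAULTS = {
    ("admin", _h("admin")),
    ("admin", _h("password")),
    ("root", _h("")),
    ("sa", _h("")),
}


@dataclass(frozen=True)
class Account:
    system: str
    user: str
    pw_sha256: str
    last_changed: date


def is_strong(password: str) -> bool:
    """Set-time policy: minimum length plus letters, digits and a special character."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def audit(accounts: list[Account], today: date) -> list[str]:
    """Return one finding per default credential still in use or stale password."""
    findings: list[str] = []
    for a in accounts:
        if (a.user, a.pw_sha256) in KNOWN_DEFAULTS:
            findings.append(f"{a.system}: '{a.user}' still uses a vendor default credential")
        age = (today - a.last_changed).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"{a.system}: '{a.user}' password is {age} days old "
                            f"(limit {MAX_PASSWORD_AGE_DAYS})")
    return findings


# Constructed inventory: a database server left on its blank 'sa' password since
# January, a properly managed deploy account, and a switch still on admin/admin.
SAMPLE_INVENTORY = [
    Account("db01", "sa", _h(""), date(2008, 1, 10)),
    Account("web01", "deploy", _h("Tr4ns@ct!0n"), date(2008, 6, 1)),
    Account("switch01", "admin", _h("admin"), date(2008, 7, 1)),
]
AUDIT_DATE = date(2008, 7, 15)

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print("-", f)
```

Against the constructed inventory the audit reports three findings: the database's blank 'sa' password is both a vendor default and well past the rotation window, and the switch is still on its default administrator credential; the deploy account passes. The comparison is done on hashes so that the inventory never needs to carry plaintext; in practice the hashes would come from each system's own credential store, and the default list from the vendor documentation for the products actually deployed.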
3. Track and monitor all access to network resources and cardholder data -
[7/15/2008 6:56:00]
Copyright 2008. Software Leadership, Inc. All Rights Reserved.