A friend of mine who is an attorney was showing me his website. His blog was all about credit card fraud. I wrote a quick article for him about PCI governance. It seems that every few years we hear about a major credit card hack. This year, on November 12, 2011, USPS notified 5400 store customers that their data had been inadvertently revealed. On November 18, 2011, members of Honolulu’s APEC host committee were notified that their personal information had been stolen. These members didn’t even know until they failed a security clearance. As an IT Consultant in Seattle I was surprised to find out that on September 13, 2001, 17 Nordstrom customers had been hacked.
As a system administrator I really didn’t have much understanding of what was actually going on. I knew that someone had made a mistake. Most systems administrators aren’t aware of the rules and liabilities around storing credit card and other information.
The Payment Card Industry (PCI) Data Security Standard (PCI DSS) and the PCI compliance checklist form a worldwide information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to give organizations that process card payments ways and methods to prevent credit card fraud through increased internal controls around data and its exposure to compromise and theft.
Many organizations that get into trouble get a new credit card system and fail to comply with the standards. Failure to live by the standards could mean that VISA and MasterCard won’t process your company’s credit transactions.
Here is a summary of rules that IT professionals should know…
Regularly monitor and test networks/systems that have payment card data.
Install and keep up-to-date, a firewall that protects cardholder data stored within company systems.
Every employee with computer access should be assigned a unique ID and use a robust password (e.g., a mix of letters, numbers, and symbols), which is changed frequently (every 45-60 days).
Restrict physical access to company systems and records with cardholder data to only those employees with a business “need-to-know.”
Encrypt cardholder data if transmitting it over wireless or open, public networks.
Use and regularly update anti-virus software.
Have secure company systems and applications (e.g., good and frequent process to update all computers with necessary patches, process for identifying system/application vulnerabilities, etc.).
Ensure any e-commerce payment solutions are tested to prevent programming vulnerabilities like SQL injection.
If you outsource the handling of cardholder data to a third party service provider, verify that they have validated PCI DSS compliance and are listed on Visa’s website at
Don’t store magnetic stripe cardholder data or the CVV2 code (the three digit value on the back of Visa cards) after authorization.
Don’t use vendor-supplied or default system passwords or common/weak passwords.
Don’t store cardholder data in any systems in clear text.
Don’t leave remote access applications in an “always on” mode.
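As an added example (not code from the original post), here is a small Python scan that checks stored records or log lines for the clear-text card data the list above says must never be kept: full card numbers (validated with the Luhn checksum and truncated to the first six and last four digits in the report), magnetic stripe track data, and labelled CVV2 values. The sample records are constructed from published test card numbers; the regular expressions and field labels are assumptions about the record format.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Magnetic stripe residue: track 1 begins "%B<PAN>^", track 2 begins ";<PAN>=".
TRACK_RE = re.compile(r"(?:%B|;)(\d{13,19})[\^=]")
# A labelled 3 or 4 digit card verification value (CVV2/CVC2/CID).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)
# Constructed sample records built from published test card numbers, not real cardholder data.
SAMPLE_RECORDS = [
    "2011-11-12 order=1001 pan=4111111111111111 exp=12/14 cvv2=123",
    "2011-11-12 order=1002 pan=411111******1111 exp=12/14",
    "2011-11-13 order=1003 track2=;5555555555554444=1412101?",
    "2011-11-13 order=1004 ref=1234567890123 amount=19.99",
]

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum that every card number carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding 10-18 to 1-9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:  # keep first six and last four, the most PCI DSS lets you show
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line: str) -> list:
    """Return (finding_type, masked_value) pairs for one stored record or log line."""
    findings, covered = [], []
    for m in TRACK_RE.finditer(line):
        findings.append(("track_data", mask_pan(m.group(1))))
        covered.append(m.span(1))
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            continue  # not a plausible card number, e.g. an order or reference id
        if any(s <= m.start() and m.end() <= e for s, e in covered):
            continue  # already reported as part of the track data above
        findings.append(("pan", mask_pan(digits)))
    if CVV_RE.search(line):
        findings.append(("cvv", "<redacted>"))
    return findings

if __name__ == "__main__":
    for idx, record in enumerate(SAMPLE_RECORDS):
        print(f"record {idx}: {scan_line(record) or 'clean'}")
```

Record 1 shows the compliant form: a truncated PAN and no CVV2 after authorization, which the scan leaves alone.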
I wanted to share this information with other administrators. Often management isn’t tracking these issues and hasn’t shared this information with the system administrators. Small businesses often aren’t auditing their own systems, and so the business gets in trouble if there is a CVI audit.
Check out this site for more information… PCI Security Standards
Confidentiality is one of the three original pillars of IT security. Protecting your customers and their credit should be a high priority for every IT Consultant.