PCI Compliance: Implementing Effective PCI Data Security Standards

Every stakeholder, from the end user to the retailer to the credit card company, has the responsibility of ensuring that Payment Card Industry (PCI) data is protected from unwanted disclosure, modification, or destruction in a system. Moreover, when an incident occurs, the organization that is storing the PCI data is the one held accountable, and its upper management is held accountable for the security of that data. Most of us are familiar with the types of incidents that can occur on a daily basis. These include but are not limited to:
Vulnerabilities or misconfigurations that might lead to a system compromise affecting the confidentiality, integrity, and availability of the system and its data.
Viruses, worms, Trojan horse programs, keystroke loggers, rootkits, logic bombs, spam relays, and remote-control bots that can degrade system resources and capture confidential data.
The detection or discovery of unauthorized users, or of users whose privileges exceed what is required to perform a specific duty (a violation of the principle of least privilege).
The loss of computing devices.
There are certain steps that must be taken when one of the aforementioned events does occur that will help your organization get back to normal more quickly. In this chapter we'll briefly discuss whose responsibility it is to protect PCI data, Incident Response Teams (IRT), forensics, notifications, liabilities and business continuity, and disaster recovery.
A good security policy sets the stage for the entire organization and establishes...