PCI Compliance with BWise

June 1, 2011 by
Filed under: General, Governance, Risk and Compliance

Lately we have been talking about Payment Card Industry (PCI) compliance with a lot of our clients. This industry has specific regulation with which it needs to comply, in particular the PCI Data Security Standard (PCI DSS). This standard is mandatory for any company that stores, processes, or transmits payment cardholder data. Recent failures by large, well-known merchants to handle credit card processing securely have spiked the interest.

Cyber-crime is increasing, and there is real money to be made in credit card fraud. Those who used to be foolish hackers boasting of their hacking skills have now grouped together or are recruited by organized crime. According to consumers, data breaches at third parties such as retailers are the number one source of credit card fraud (Gartner, May 2008). The threat is serious, and the PCI DSS is a good standard to adhere to in order to start protecting our data.

The PCI Standard addresses the whole 'ecosystem' of retail payments: retail payment devices, applications, card processing infrastructure and any organization that executes related operations. To do this, it contains three related components:
  • PCI Data Security Standard: security controls and processes for protecting cardholder data;
  • Payment Application Data Security Standard: a standard for software developers that sell commercial applications for accepting and processing payment cards;
  • PIN Entry Device Security Requirements: for manufacturers of payment card devices used at the point of sale.
For now, let's focus on the core of the PCI DSS, which is the first component. The PCI DSS describes several goals, each of which has requirements. Some examples:
  • Goal: Build and maintain a secure network
  • Requirement: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement: Do not use vendor-supplied defaults for system passwords and other security parameters.

Programs
Some of these requirements are high-level and others are more concrete. Next to the requirements set out by the PCI organization (the 'manager' of the PCI DSS), the major card brands have also incorporated PCI DSS requirements into their own technical requirements for compliance. These can differ by card brand and financial institution, and their processes for verifying compliance can differ as well. If you need to adhere to the PCI DSS, it makes sense to document an elaborate program that describes how the goals are covered, by which processes and controls, and how all of this maps to the technical requirements of the different card brands.

Security Assessments
One of the goals set out in the PCI DSS is 'Regularly monitor and test networks', and it carries two requirements: track and monitor all access to network resources and cardholder data; and regularly test security systems and processes. There are some very specific tools on the market to help you do exactly this. These are advanced systems, and we do not pretend to have the knowledge or expertise to maintain them. It does, however, make sense for us to 'interface' with systems that can do so and to relate the results from those applications to an 'asset' list in BWise that is tied directly back to the Programs and their goals for continuous monitoring.

Security assessments can only be done by Qualified Security Assessors or Approved Scanning Vendors, each tackling only a part of the requirements. Their approach is similar to an audit (whether supported by tools or not), which can also rely on internal processes, walkthroughs and existing documentation.
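As an added illustration of the 'interface and inter-relate' idea in this section (example code written for this page, not BWise product code), the following Python correlates the output of two assumed external tools, a vulnerability scanner and a log collector, with an asset list that is tied to the two requirements quoted above. It shows the cases a continuous-monitoring view has to distinguish: an asset that passes, one with open findings, one whose last scan is too old to count as evidence, and one the tools never reported on at all. The asset names, tool records, requirement labels and thresholds (a 90-day scan age, a one-day log gap) are all constructed for the example; official PCI DSS numbering and assessment periods are not used.

```python
from datetime import date

# Constructed labels for the two requirements quoted in the post.
# These are NOT official PCI DSS requirement numbers.
REQ_TEST_SYSTEMS = "regularly-test-security-systems"
REQ_MONITOR_ACCESS = "track-and-monitor-access"

# Constructed asset list: which in-scope assets must satisfy which requirement.
ASSETS = {
    "pos-terminal-01": {REQ_TEST_SYSTEMS, REQ_MONITOR_ACCESS},
    "payment-gw-01": {REQ_TEST_SYSTEMS, REQ_MONITOR_ACCESS},
    "db-cardholder-01": {REQ_TEST_SYSTEMS, REQ_MONITOR_ACCESS},
    "reporting-01": {REQ_TEST_SYSTEMS},
}

# Constructed output of an external vulnerability scanner: one record per asset
# it scanned, with the scan date and the number of unresolved high findings.
# Note that reporting-01 never appears, i.e. the scanner did not cover it.
SCAN_RESULTS = [
    {"asset": "pos-terminal-01", "scanned": date(2011, 5, 20), "high_findings": 0},
    {"asset": "payment-gw-01", "scanned": date(2011, 5, 20), "high_findings": 2},
    {"asset": "db-cardholder-01", "scanned": date(2011, 1, 10), "high_findings": 0},
]

# Constructed output of a log-collection tool: when each asset last delivered
# access logs to the central store.
LOG_STATUS = [
    {"asset": "pos-terminal-01", "last_log": date(2011, 6, 1)},
    {"asset": "payment-gw-01", "last_log": date(2011, 6, 1)},
    {"asset": "db-cardholder-01", "last_log": date(2011, 5, 25)},
]

# Reference date for the sample data (the post's publication date).
ASSESSMENT_DATE = date(2011, 6, 1)


def evaluate_test_systems(record, today, max_age_days=90):
    """Scanner evidence: missing, too old, failing (open findings) or passing.
    The 90-day window is an assumed threshold, not a PCI DSS figure."""
    if record is None:
        return "no-evidence"
    if (today - record["scanned"]).days > max_age_days:
        return "stale"
    return "fail" if record["high_findings"] > 0 else "pass"


def evaluate_monitor_access(record, today, max_gap_days=1):
    """Log-collection evidence: an asset that stopped sending logs is not
    being monitored, whatever its configuration says."""
    if record is None:
        return "no-evidence"
    return "pass" if (today - record["last_log"]).days <= max_gap_days else "fail"


EVALUATORS = {
    REQ_TEST_SYSTEMS: evaluate_test_systems,
    REQ_MONITOR_ACCESS: evaluate_monitor_access,
}


def correlate(assets, scan_results, log_status, today):
    """Join tool output onto the asset list: {asset: {requirement: status}}.
    The asset list drives the loop, so assets the tools never saw still show up."""
    evidence = {
        REQ_TEST_SYSTEMS: {r["asset"]: r for r in scan_results},
        REQ_MONITOR_ACCESS: {r["asset"]: r for r in log_status},
    }
    status = {}
    for asset, requirements in assets.items():
        status[asset] = {}
        for req in requirements:
            record = evidence[req].get(asset)
            status[asset][req] = EVALUATORS[req](record, today)
    return status


def rollup(status):
    """Per-requirement view: 'pass' only if every applicable asset passes,
    otherwise the assets and reasons, which is what an assessor will ask for."""
    issues = {}
    for asset, requirements in status.items():
        for req, result in requirements.items():
            issues.setdefault(req, {})
            if result != "pass":
                issues[req][asset] = result
    return {req: (found or "pass") for req, found in issues.items()}


if __name__ == "__main__":
    per_asset = correlate(ASSETS, SCAN_RESULTS, LOG_STATUS, ASSESSMENT_DATE)
    for asset, requirements in per_asset.items():
        print(asset, requirements)
    print(rollup(per_asset))
```

The design point is that the asset list, not the tool output, is the master record: a scanner report can only tell you about hosts it reached, so iterating over the program's own asset list is what turns "no record" into a visible gap rather than a silent pass.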

Self-Assessment
Some of the card brands allow the merchant to support their compliance by performing self-assessments through questionnaires, a technique that is very similar to, and often used in, other areas of compliance.

Technology or processes
As with most compliance and regulation, the PCI DSS relies on both technology (anti-virus scanners need to be deployed on all systems) and processes (ensure that all anti-virus mechanisms are current, actively running, etc.).

The BWise GRC Suite is perfectly capable of integrating different systems and correlating them into one Program for PCI compliance. It allows easy monitoring, central reporting, and integration with the other compliance programs running in your organization.

Tags: BWise, Risk, GRC, Compliance
