YieldMore Company’s senior management has recently decided to accept credit card payments from YieldMore customers both from store locations and online transactions. This decision makes meeting PCI DSS objectives and requirements a necessary consideration in order to validate compliance for enforcement organizations.
As an IT professional at the company, you should make recommendations to IT management to implement PCI DSS best practices.
Tasks
You are asked to identify appropriate PCI DSS best practices specific to the company's IT environment.
The Payment Card Industry Data Security Standard (PCI DSS) is nothing but a set of security requirements that helps businesses protect their payment systems from unauthorized access.
Here are our five best practices for PCI DSS:
1. Data transparency
The data must only be stored in specific, known locations, and with limited access, to protect credit card information. Data Loss Prevention solutions such as Endpoint Protector are used for this purpose.
2. Security
The two main ways data can be protected on the move are tokenization and encryption. Tokenization is a method that generates an alternate ID for a card number, which can then be used for transactions. Thereby we can reduce the risk of disclosure of card information.
Encryption is a method of converting the data into another form, which changes the entire meaning of the data.
3. Restrict access rights
By using PCI DSS we can restrict access to information by unauthorized users and thereby protect our data from disclosure.
4. Document and log everything
The PCI DSS "document everything" principle underlines the need for organizations to keep records of all their security policies and procedures, their risk assessments, and security incidents.
The requirements of PCI DSS are:
1. Install and maintain a firewall configuration
2. Configure passwords and settings for the system
3. Protect stored cardholder data from authorized access
4. Encrypt transmission of cardholder data by using any one of the encryption methods.
5. Use and regularly update anti-virus software or programs, and check whether it is working
6. Regularly update and patch systems
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Implement logging and log management for future reference
Objectives
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Regularly monitor and test networks
5. Maintain an information security policy
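The tokenization the answer describes (an alternate identifier stands in for the card number, and only a separately held vault can map it back) as an added worked example; this code is not part of the original question or answer. The in-memory vault, the format-preserving token layout, the function names and the sample card number are all assumptions made for illustration. The masking rule (at most the first six and last four digits displayed) follows the PCI DSS cardholder-data display requirement.

```python
"""Toy tokenization vault for card numbers (added example, not from the original answer).

Assumptions not stated on the page: tokens are random, digits only, the same length
as the PAN, keep the last four digits so receipts and lookups work without the real
number, and deliberately fail the Luhn check so a token is never mistaken for a PAN.
The vault mapping token -> PAN is the only place the real PAN lives; in production it
would sit in its own segmented, access-controlled environment, not in a dict.
"""
import re
import secrets

DIGITS = "0123456789"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation; rejects garbage before it ever reaches the vault."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four at most, everything else masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Holds the token <-> PAN mapping; everything outside the vault only sees tokens."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a token for a card number, issuing the same token for the same card."""
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # random leading digits carry no information about the PAN; last four kept
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # must be unused and must NOT look like a real card number
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to the PAN; only the vault (settlement side) may call this."""
        return self._by_token[token]


def demo() -> tuple[str, str, str]:
    """Constructed walk-through: a test card number is tokenized, masked and recovered."""
    vault = TokenVault()
    pan = "4111 1111 1111 1111"      # constructed test value, not a real card
    token = vault.tokenize(pan)
    return token, mask_pan(pan.replace(" ", "")), vault.detokenize(token)


if __name__ == "__main__":
    token, masked, recovered = demo()
    print("token stored by the shop systems:", token)
    print("what a receipt may show:        ", masked)
    print("PAN recovered inside the vault: ", recovered)
```

Everything outside the vault (point-of-sale terminals, the web shop, reporting) handles only the token or the masked form, which is what takes those systems out of the cardholder data environment; the vault itself remains fully in scope.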