/ BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE. By Melbourne IT Enterprise Services

Transcription

1 / BROCHURE / CHECKLIST: PCI/ISO COMPLIANCE By Melbourne IT Enterprise Services

2 CHECKLIST: PCI/ISO COMPLIANCE If your business handles credit card transactions then you ve probably heard of the Payment Card Industry data security standard or PCI, as well as Information Security Management (ISO). These terms are being mentioned more frequently as major corporate data breaches of international retailers and financial institutions place millions of card records in the hands of cybercriminals. As a significant and growing problem, the PCI/ISO standards are designed to prepare businesses and institutions with an online presence to protect themselves from the attentions of hackers. PCI/ISO compliance should be a priority for any business looking to protect itself from data breaches along with any potential legal action that could result from such incidents. In addition, being able to actively demonstrate to your customers that you are doing everything possible to keep their personal and financial data secure will improve customer relations and protect against significant reputational losses which often cannot be measured in terms of dollars. HOW SHOULD THESE CHECKLISTS BE USED? For online retailers and service providers looking to deliver their product and process credit card transactions, there are a number of considerations regarding regulatory certification and maintaining compliance with the regulatory standards of various initiatives. This checklist highlights the different requirements businesses need to account for when looking to maintain compliance with The Payment Card Industry Data Security Standard and the ISO Code of Practice for Information Security Management (ISO 27001/27002). Use this checklist to provide a high level summary of your status of against the key aspects of regulatory compliance and identify where compliance management service providers can help fill the identified gaps that can streamline the process through pre-certification and the reduction of validation requirements. MELBOURNE IT ENTERPRISE SERVICES 2

3 PCI DSS CHECKLIST The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure operational environment. The following requirements need to be taken into account for PCI DSS compliance: Do you have an installed firewall solution to protect cardholder data? Can you develop and maintain secure systems and applications with hardened and securely written code? Do you have personalised system passwords and other security parameters rather than vendor-supplied defaults? Can you restrict cardholder data to a need to know basis? Can you adequately protect stored cardholder data? Can you properly identify and authenticate access to system components? Do you encrypt the transmission of cardholder details across open, public networks? Can you restrict physical access to cardholder data? I.e.: Can you limit physical access to authorised personnel through the use of tangible security measures? Do you routinely use anti-virus software solutions which are regularly patched and updated to ensure optimal efficiency? Are you able to efficiently track and monitor all access to network resources and cardholder data? MELBOURNE IT ENTERPRISE SERVICES 3

4 PCI DSS CHECKLIST Do you regularly test security systems and processes to ensure optimal effectiveness? Are you aware of the many benefits of PCI DSS compliance, including increased levels of consumer and business partner trust? Do you maintain a policy that addresses all pertinent information security issues for all personnel? Are you aware of the steep fines which can be levied against banks and businesses for non-compliance? Do you know your merchant level (ranging from 1 through to 4 depending on the volume of annual credit card transactions carried out by your organisation) and the subsequent effect of your merchant level on your compliance requirements? Are you aware that the PCI standards of compliance still apply to your business even if you only accept credit card payments over the phone? Did you know that being PCI DSS compliant will help you become better prepared for complying with recently introduced regulations as well as regulations proposed for future implementation? MELBOURNE IT ENTERPRISE SERVICES 4

5 ISO CHECKLIST This comprehensive set of security standards provides the guiding principles for improving information security management within any given organisation. It covers best practice relating to every part of information security from implementation through to ongoing maintenance. While there are hundreds of potential controls outlined and suggested, the following checklist addresses the main points regarding ISO compliance: Does your organisation maintain a clear, well-defined and easily understandable security policy which employees can adhere to? Does your organisation s security policy account for physical and environmental security where access to security hardware is properly restricted to authorised personnel? Is the organisation s security of information handled by a dedicated team with an appointed departmental head responsible for updating and maintaining the security policy? Has your organisation made a thorough assessment of potential security risks which could affect it, along with the likelihood of occurrence and estimated potential impact of each threat? Is the head of information security also responsible for security asset management with clearly defined protocols for their access and operation? Does this assessment take into account the organisation s overall business strategy and objectives? Does your organisation s security policy comprehensively cover human resources security? Are employees properly instructed in all ongoing security protocols including communication and ethics? Does this assessment take into account the legal, statutory, regulatory and contractual requirements that an organisation, its trading partners, contractors and service providers have to satisfy? MELBOURNE IT ENTERPRISE SERVICES 5

6 SOURCES ABOUT MELBOURNE IT Melbourne IT Enterprise Services designs, builds and manages cloud solutions for Australia s leading enterprises. Its expert staff help solve business challenges and build cultures that enable organisations to use technology investments efficiently and improve long-term value. With more than 15 years experience in delivering managed outcomes to Australian enterprises, Melbourne IT has been long associated with enabling success. Its certified cloud, consulting, and security experts repeatedly deliver results. This is why many of the brands you already know and trust, rely on Melbourne IT. THE RIGHT SOLUTION IS MELBOURNE IT melbourneitenterprise.com.au corporate.sales@melbourneit.com.au MELBOURNE IT ENTERPRISE SERVICES 6