PCI DSS: The Basics December 3, 2012 Tina Stewart | Vice President of Market Strategy More About This Author > The Payment Card Industry Data Security Standard, PCI DSS, remains one of the most challenging regulations with which companies must comply. Its Janus-faced qualities (some say it’s too prescriptive, while others complain that the standards are confusingly vague) make achieving and managing compliance difficult and time-consuming. The PCI DSS requires that all companies that store, process, or transmit cardholder data must comply with the standard. The standard consists of twelve top-level requirements, each with a series of sub-requirements that detail how to meet the objective of the standard. In total, that means that companies must ultimately comply with more than 250 separate requirements that range from firewall configuration, to application security, to physical security and to documentation, and a range of topics in between. Failure to comply can result in severe fines, fees, and penalties. Complying with the PCI DSS can be difficult for any number of reasons, not the least of which include industry requirements that cover policies, technologies and physical security. Working with companies and vendors that have deep experience in your industry, and in the PCI DSS, can help companies cost-effectively achieve and maintain compliance. While compliance is necessary, you can’t loose sight of the fact that most companies are not in the business of data protection. Using proven, transparent solutions can help companies maintain compliance, while focusing on their business. It’s important to remember that there are what we like to call “snake oil salesmen” out there, offering one-shot compliance remedies. While it is tempting to believe those promises, it is improbable that any one solution will solve all PCI problems. We know that compliance is stressful, but working with Vormetric can help companies meet at least three of the PCI DSS requirements. Here’s a quick snapshot of how Vormetric Data Security can help. Requirement Challenge Vormetric Solution #3: Protect Stored Data Cardholder Data should be rendered unreadable wherever it is stored Using policy-based encryption, Vormetric Encryption ensures that only authorized users and services can encrypt and decrypt the data with “beyond-industry-standard” AES 128-bit and 256-bit key length. #7: Restrict Access to Cardholder Data According to Business Need to Know Only users and resources that must access cardholder data in order to complete their job should have access to systems containing the data. Vormetric access control, in accordance with the PCI DSS, follows the least-privilege model, which denies any activity that has not been expressly permitted by an authorized user. #10: Track and Monitor All Access to Network Resources and Cardholder Data All organizations must track access to cardholder data, and to all systems and resources that can access cardholder data. The rich auditing capability of Vormetric Encryption enables the review of the file I/O activity of the tests performed on security systems. Our next few posts will offer some insights on the PCI DSS, based on our experience in developing solutions and working with companies moving towards compliance.