My Merchant Account Blog


Maintain a Vulnerability Management Program

Friday, December 05, 2008
The third control objective of PCI DSS (Maintain a Vulnerability Management Program) contains two requirements, Requirements 5 and 6:
  • Use and regularly update anti-virus software or programs
  • Develop and maintain secure systems and applications
The point of this objective is to know your own vulnerabilities and weaknesses, and how to fix them, before someone else finds and exploits them.

Use and Regularly Update Anti-Virus Software or Programs

Anti-virus software should be installed on every system commonly affected by malicious software, in particular workstations and servers, not only the machines that receive e-mail, and its signatures should be updated consistently.  The anti-virus software should generate logs that you review to confirm the updates have actually been applied and to see whether any threats were detected.  The logs should also record what was done with each threat (quarantined, deleted, or cleaned).

The anti-virus software should also detect, remove and protect against other types of malicious software, including spyware and adware.

Develop and Maintain Secure Systems and Applications

Attackers are constantly looking for vulnerabilities in software and components.  Security patches should be installed as soon as possible; critical security patches should be installed no later than one month after release.  Subscribe to a service that notifies you of newly discovered vulnerabilities, such as the Multi-State Information Sharing and Analysis Center (MS-ISAC) or CERT, so that you learn about them before an attacker uses them against you.

Development, test and production environments should be completely separated, since development and staging environments are usually less secure than production.  Duties should be separated as well, so that the people who develop and test the application do not have access to production cardholder data.  Live PANs should never be used for testing; most electronic payment gateways provide test card numbers that let you exercise the complete transaction process.  Before the application goes live, all test data and test accounts, and any custom application accounts, usernames and passwords, should be removed.

Change Control

Change control procedures should be regimented and documented.  These procedures should include:
  • Documentation of impact
  • Management sign-off by appropriate parties
  • Testing of operational functionality
  • Back-out procedures
Without proper change controls in place, a breach can occur inadvertently: an untested or poorly understood change made by an inexperienced employee can open a hole just as surely as a malicious one.  Background checks should be adequate to keep untrustworthy or untrained individuals away from software code and production systems.

Secure Coding Guidelines

Software applications and code should be built according to industry best practice for secure coding; consider the guidelines at the Open Web Application Security Project (OWASP) or the CERT Secure Coding Standards.  All input should be validated on the server side before the application acts on it; validation that runs only in the visitor's browser can be bypassed by simply not using the browser.  Error handling should also be reviewed.  For example, a username and password are entered into your web application, and the application answers "incorrect password".  The attacker can now assume the username exists and concentrate on guessing the password.  A generic message such as "data could not be verified", returned whether the username or the password was wrong, gives nothing away.
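The login example above, worked through in Python as an added illustration (this is not code from the original post): a handler whose distinct error messages confirm which usernames exist, beside a hardened one that validates input on the server side and answers every failure with the same generic message.  The user table, the password hashes, the assumed username policy (`USERNAME_RE`) and the `enumerate_usernames` probe that plays the attacker are all constructed for this example.

```python
"""Login error handling: a username-enumerating handler beside a hardened one.

Added example, not code from the original post.  The user table, password
hashes, username policy and probe routine are constructed for illustration.
"""
import hashlib
import hmac
import os
import re


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; a deliberately slow hash, as used for stored passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, password hash).
# A real application would read this from its database.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credentials hashed for unknown usernames so the hardened handler
# spends the same time whether or not the username exists (timing caveat).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

# Assumed username policy: letters, digits, '_', '.', '-', 1 to 32 characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

GENERIC_FAILURE = "data could not be verified"


def login_vulnerable(username: str, password: str) -> tuple[bool, str]:
    """Distinct messages tell the caller which half of the credential was wrong."""
    record = USERS.get(username)
    if record is None:
        return False, "unknown username"        # confirms the username does NOT exist
    salt, stored = record
    if _hash_password(password, salt) != stored:
        return False, "incorrect password"      # confirms the username DOES exist
    return True, "welcome"


def login_hardened(username: str, password: str) -> tuple[bool, str]:
    """Validate input server-side and return one message for every failure."""
    # Server-side input validation: reject malformed input before any lookup.
    if not USERNAME_RE.fullmatch(username) or not (1 <= len(password) <= 1024):
        return False, GENERIC_FAILURE
    record = USERS.get(username)
    if record is None:
        # Still do the expensive hash so response time does not reveal the miss.
        salt, stored, known = _DUMMY_SALT, _DUMMY_HASH, False
    else:
        salt, stored = record
        known = True
    candidate = _hash_password(password, salt)
    # Constant-time comparison; the result only counts for a real account.
    if not (hmac.compare_digest(candidate, stored) and known):
        return False, GENERIC_FAILURE
    return True, "welcome"


def enumerate_usernames(login, candidates, probe_password="not-the-password"):
    """What an attacker learns from the messages alone.

    Compares each candidate's failure message with the message returned for a
    username that certainly does not exist; any difference confirms an account.
    """
    baseline = login("no-such-user-" + os.urandom(4).hex(), probe_password)[1]
    return {name for name in candidates
            if login(name, probe_password)[1] != baseline}


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("vulnerable handler leaks:", enumerate_usernames(login_vulnerable, wordlist))
    print("hardened handler leaks:  ", enumerate_usernames(login_hardened, wordlist))
```

Run against the constructed user table, the vulnerable handler lets the probe confirm that `alice` is a real account while the hardened one confirms nothing.  The generic message on its own is not enough: if the handler only hashes the password for usernames it recognises, the response time still reveals which usernames exist, which is why the hardened version hashes against a dummy record for unknown users and compares with `hmac.compare_digest`.  Rate limiting and account lockout, which PCI DSS also requires, are outside this example.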

© 2005 - 2025 - Merchant Account Forums - Contact Us for Permission to Display Our Complete Posts on Your Website