My Merchant Account Blog

Regularly Monitor and Test Networks

Sunday, December 07, 2008
The fifth core of Payment Card Industry Data Security Standard (PCI DSS) consists of two requirements:
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes

Track and Monitor All Access to Network Resources and Cardholder Data

We have said it in the past few posts, but it bears saying again.  Audit trail history should be retained for at least one.  These logs should provide the company with the following:
  • Unique User Identification
  • Type of Event
  • Date and Time
  • Origination of Event
  • Success or Failure Indication
  • Identity / Name of Affected Data, System Components, Resources
These logs should be secured so that nobody can alter them, and only a limited set of people should be able to view them.  Times on all systems should be synchronized.  Logs should be reviewed daily for unknown events, because it sometimes takes days or weeks before a breach is reported by a cardholder.
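As an added illustration (not part of the original post), here is a small Python script that checks constructed audit records against the six attributes listed above and flags what a daily review should surface: missing attributes, unknown event types, failed actions, and timestamps that run backwards, which points to an unsynchronized clock. The JSON field names and the set of known event types are this example's own assumptions, not a PCI DSS schema.

```python
import json
from datetime import datetime, timedelta

# The six attributes every audit record should carry (field names are
# this example's own choice, not a PCI DSS schema).
REQUIRED_FIELDS = ("user", "event", "time", "origin", "result", "target")
# Event types the reviewer expects; anything else is an "unknown event".
KNOWN_EVENTS = {"login", "logout", "card_lookup", "config_change"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def review_audit_log(lines, max_skew=timedelta(minutes=5)):
    """Return (line_number, finding) pairs for the daily log review."""
    findings = []
    last_time = None
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((n, "unparseable record"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append((n, "missing fields: " + ", ".join(missing)))
            continue
        ts = parse_time(rec["time"])
        # A record dated well before the previous one suggests the source
        # system's clock is not synchronized with the others.
        if last_time is not None and last_time - ts > max_skew:
            findings.append((n, f"timestamp {rec['time']} earlier than previous record, check clock sync"))
        last_time = ts if last_time is None else max(ts, last_time)
        if rec["event"] not in KNOWN_EVENTS:
            findings.append((n, f"unknown event type {rec['event']!r}"))
        if rec["result"] == "failure":
            findings.append((n, f"failed {rec['event']} by {rec['user']} from {rec['origin']}"))
    return findings


# Constructed sample records for this example, not real log data.
SAMPLE_LOG = [
    '{"user":"jsmith","event":"login","time":"2008-12-07T08:00:00Z","origin":"10.0.0.5","result":"success","target":"pos-server-1"}',
    '{"user":"jsmith","event":"card_lookup","time":"2008-12-07T08:01:10Z","origin":"10.0.0.5","result":"success","target":"cardholder_db"}',
    '{"user":"svc_backup","event":"login","time":"2008-12-07T07:30:00Z","origin":"10.0.0.9","result":"failure","target":"db-server-2"}',
    '{"user":"unknown","event":"raw_table_export","time":"2008-12-07T08:05:00Z","origin":"203.0.113.7","result":"success","target":"cardholder_db"}',
    '{"event":"logout","time":"2008-12-07T08:10:00Z","origin":"10.0.0.5","result":"success"}',
]

if __name__ == "__main__":
    for n, finding in review_audit_log(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```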

Regularly Test Security Systems and Processes

Systems should be scanned to discover potential vulnerabilities.  A vulnerability scan is an automated tool run against the external and internal access points and servers on the network that helps identify open ports and vulnerabilities that could be exploited by hackers.  If any vulnerabilities are detected, steps should be taken to fix them immediately.  Network intrusion detection systems should also be in place.

Approved Scanning Vendor

Most merchants will be required to have a quarterly scan completed by an Approved Scanning Vendor (ASV).  Only choose a vendor that is listed on the Approved Scanning Vendors web page; otherwise you might compromise your data, or the scan will not be accepted by the council.  The scan requirements are quite rigid: all 65,535 ports will be scanned, and any vulnerability rated between three and five must be fixed.  You will also get two reports:
  • An executive summary report with a PCI approved compliance statement suitable for submission to acquiring banks for validation
  • A technical report that details all vulnerabilities detected with solutions

Selecting a PCI Network Security Testing Service

While there are a number of Approved Scanning Vendors listed, there are three critical things to look for when choosing a company:
  1. Accuracy:  A scanner that produces many false positives (or false negatives) increases the time and cost of working through each reported issue, so you do not want a company whose scans generate a large number of them.
  2. Efficient Vulnerability Remediation Process:  The company should offer technical support to fix each issue found.
  3. Automated Report Preparation and On-Line Filing:  If the company prepares the reports automatically and files them electronically, this will reduce the work and time you spend on PCI compliance.

Qualified Security Assessor

Large merchants that are considered Level One (or merchants that have had a data breach) are required to have an on-site security audit performed by a Qualified Security Assessor (QSA).  These vendors are authorized to perform the annual audits.  QSAs are companies with trained personnel and processes to assess and validate compliance with PCI DSS; they assist organizations in reviewing the security of their payment transaction systems.

© 2005 - 2025 - Merchant Account Forums - Contact Us for Permission to Display Our Complete Posts on Your Website