{"id":59,"date":"2007-08-01T04:31:00","date_gmt":"2007-08-01T04:31:00","guid":{"rendered":"http:\/\/mayanktrivedi.net\/technotes\/2007\/08\/01\/pci-dss-challenges-and-considerations\/"},"modified":"2022-04-06T20:23:49","modified_gmt":"2022-04-06T20:23:49","slug":"pci-dss-challenges-and-considerations","status":"publish","type":"post","link":"http:\/\/mayanktrivedi.net\/technotes\/2007\/08\/01\/pci-dss-challenges-and-considerations\/","title":{"rendered":"PCI-DSS Challenges and Considerations"},"content":{"rendered":"<div>\n<p>With PCI-DSS fast approaching its compliance deadline, most organizations are getting their act together to meet the compliance requirements. But there lies a challenge in finding the right approach. Consultants, implementers and maintainers often waver over what approach to take in this area. Various vendors are pitching their products, and many claim to achieve compliance through technical deployments alone. But the following questions remain with us &#8211;<\/p>\n<ul>\n<li>Will technological deployment alone achieve the results required and desired?<\/li>\n<li>Will it not be a piecemeal approach to plug the issues with what we see as the right requirement for each of the areas stated above?<\/li>\n<li>Will we be able to integrate these distinct products and technologies to achieve the required output?<\/li>\n<li>What effect would changes in the architecture and infrastructure have on other compliance regimes such as ISO 27001, SOX etc.?<\/li>\n<\/ul>\n<p>There are many other such questions that will keep hovering in our minds for us to answer and act upon. However, whatever the approach, the steps to PCI-DSS compliance must focus on the following \u2013<\/p>\n<ul>\n<li>Highly sensitive payment card information stored in business databases<\/li>\n<li>Identification of all systems within the organization where payment card information is stored<\/li>\n<li>Legacy systems not supporting the PCI DSS requirements for encryption<\/li>\n<li>Access to payment card information by a large number of business users<\/li>\n<li>Log management and monitoring<\/li>\n<li>Data classification and handling<\/li>\n<li>Access management on various systems and devices<\/li>\n<li>Information security policies and procedures<\/li>\n<li>Periodic vulnerability assessment and penetration testing<\/li>\n<li>Segregation of duties among production, development and testing teams<\/li>\n<\/ul>\n<p><strong>Mayank Trivedi<\/strong><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>With PCI-DSS fast approaching its compliance deadline, most organizations are getting their act together to meet the compliance requirements. But there lies a challenge in finding the right approach. Consultants, implementers and maintainers often waver over what approach to take in this area. Various vendors are pitching their &hellip;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71,14,70],"tags":[],"class_list":["post-59","post","type-post","status-publish","format-standard","hentry","category-pci-dss-challenges","category-pci-dss-compliance","category-pci-dss-considerations","entry entry-center"],"_links":{"self":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts\/59","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/comments?post=59"}],"version-history":[{"count":1,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts\/59\/revisions"}],"predecessor-version":[{"id":200,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/posts\/59\/revisions\/200"}],"wp:attachment":[{"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/media?parent=59"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v2\/categories?post=59"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/mayanktrivedi.net\/technotes\/wp-json\/wp\/v
2\/tags?post=59"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}