How CIS Controls Lead to PCI-DSS Compliance
PCI-DSS (Payment Card Industry Data Security Standard) is a collection of security controls that businesses and government agencies handling credit card data are required to implement. First published in 2004, PCI-DSS consists of 12 general requirements and associated sub-controls. Any organization that processes any type of payment card (debit or credit) must meet these requirements or face fines and possible loss of the right to process payment cards. An organization that does not itself receive payment card information but is responsible for storing or transmitting such data can still be held accountable under the PCI-DSS requirements.
PCI-DSS compliance means maintaining a continuous state of compliance with data security standards and laws, which is a challenge for many organizations. It takes sustained time and effort toward objectives such as:
- Maintaining visibility into and control over system settings
- Proactive and continuous system monitoring to ensure systems remain compliant
- Quick, on-demand assessment of system security posture and control compliance
- Ongoing compliance with data sovereignty rules and international privacy laws
CIS Controls and Sub-Controls Mapping to PCI DSS
The Center for Internet Security (CIS) is a community-driven nonprofit organization responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. The CIS Controls are a great starting point for meeting PCI-DSS requirements and resolving compliance quandaries.
What do you have to do to comply with PCI-DSS? CIS defines it in terms of capabilities such as:
- Utilize an active discovery tool to identify devices connected to the organization’s network and update the hardware asset inventory.
- Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This includes all hardware assets, whether connected to the organization’s network or not.
- Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
- Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or better basis to identify vulnerabilities.
- Be able to collect logs and prepare artifacts for audits, compliance and analysis.
- Apply prescriptive hardening guidance that goes beyond commercial software vendors' default security settings.
This is just a sample list. The CIS Controls are a strong and growing foundation for meeting many PCI-DSS requirements, but you’ll need extra protection for your customers’ financial information, which is a lucrative target for thieves. For a deeper understanding of how you can use the CIS Controls and Atomicorp to address PCI-DSS and other data security requirements, download the white paper and toolkit.
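The asset-inventory and scanning items above describe one continuous procedure: discover what is on the network, reconcile it against the authorized hardware inventory, flag anything unauthorized for quarantine or inventory update, and confirm every inventoried asset has been vulnerability-scanned within the past week. The following Python script, added here as an illustration and not code from Atomicorp or CIS, shows that reconciliation logic over constructed sample data. The inventory, discovery sweep, scan timestamps, MAC and IP addresses, and the function names `reconcile` and `overdue_scans` are all this example's own assumptions.

```python
"""Reconcile an active-discovery sweep against the hardware asset inventory
and check vulnerability-scan recency. All data below is constructed for
illustration; the field and function names are this example's own."""
from datetime import datetime, timedelta, timezone

# Constructed authorized hardware inventory for a cardholder-data segment,
# keyed by MAC address (a real inventory would also track location, owner
# approval, and network/non-network status per the CIS inventory control).
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "pos-terminal-01", "owner": "retail-ops"},
    "aa:bb:cc:00:00:02": {"hostname": "db-cardholder-01", "owner": "platform"},
    "aa:bb:cc:00:00:03": {"hostname": "badge-printer-02", "owner": "facilities"},
}

# Constructed output of one active discovery sweep (e.g. ARP/ICMP) of the segment.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.20.0.11"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.20.0.12"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.20.0.77"},  # not in inventory
]

# Constructed record of the last completed vulnerability scan per asset.
# The badge printer has never been scanned, so it has no entry.
LAST_SCAN = {
    "aa:bb:cc:00:00:01": datetime(2024, 3, 1, 2, 0, tzinfo=timezone.utc),
    "aa:bb:cc:00:00:02": datetime(2024, 2, 20, 2, 0, tzinfo=timezone.utc),
}

# Fixed "current time" so the example is deterministic.
NOW = datetime(2024, 3, 4, 12, 0, tzinfo=timezone.utc)


def reconcile(inventory, discovered):
    """Compare a discovery sweep with the inventory and bucket the results.

    unauthorized: seen on the network but absent from inventory (quarantine
                  or add to inventory after review)
    confirmed:    inventory entries observed live in this sweep
    not_seen:     inventory entries not observed (stale entry or offline asset)
    """
    seen = {d["mac"] for d in discovered}
    known = set(inventory)
    return {
        "unauthorized": sorted(seen - known),
        "confirmed": sorted(seen & known),
        "not_seen": sorted(known - seen),
    }


def overdue_scans(inventory, last_scan, now, max_age=timedelta(days=7)):
    """Return inventoried assets whose last vulnerability scan is older than
    max_age, or which have never been scanned ("weekly or better")."""
    overdue = []
    for mac in inventory:
        last = last_scan.get(mac)
        if last is None or now - last > max_age:
            overdue.append(mac)
    return sorted(overdue)


def report(inventory, discovered, last_scan, now):
    """Produce a single audit artifact combining both checks."""
    r = reconcile(inventory, discovered)
    r["scan_overdue"] = overdue_scans(inventory, last_scan, now)
    return r


if __name__ == "__main__":
    for bucket, macs in report(INVENTORY, DISCOVERED, LAST_SCAN, NOW).items():
        names = [INVENTORY.get(m, {}).get("hostname", "<unknown>") for m in macs]
        print(f"{bucket:13s}: {list(zip(macs, names))}")
```

Run as a script it prints the four buckets; the `report` output is the kind of timestamped artifact you would retain for an audit, with the `unauthorized` list driving quarantine and the `scan_overdue` list driving the next scan run.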
Read the white paper, which explores the 99 PCI-DSS requirements that can be met with the aid of Atomicorp tools and experience. These capabilities include:
- Installing and maintaining a firewall configuration to protect cardholder data.
- Implementing strong access control measures – i.e., restricting access to cardholder data to authorized users.
- Replacing vendor-supplied defaults for system passwords and other security parameters.
- Maintaining a vulnerability management program – i.e., regularly update anti-virus protections and maintain secure applications.
- Maintaining an information security policy – a policy to secure cardholder data and other information among authorized employees and contractors.
- Protecting stored cardholder data.
- Encrypting transmission of cardholder data across open, public networks.
- Guarding against employee theft of data.
- Guarding against internet-based intrusions.
- Regularly monitoring and testing networks – monitor and track all access to network resources and cardholder data; routinely test processes and systems.
Take advantage of our free toolkit toward meeting PCI compliance requirements. The Atomicorp PCI compliance toolkit will help you understand and address PCI implications for key aspects of your cloud and hybrid infrastructure.
Get a free PCI compliance toolkit.
Sources:
https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
https://www.cisecurity.org/white-papers/cis-controls-and-sub-controls-mapping-to-pci-dss/