99 Controls That Security Practitioners Need to Address PCI-DSS Compliance
Anything that touches anything else that touches cardholder data is part of your security posture and must be included in your security program. The following blog discusses why PCI compliance matters, how visibility and security control can get lost as cloud environments take shape, and what you can do about it.
What is PCI and PCI-DSS?
PCI stands for Payment Card Industry. It’s an association developing best practices and regulatory measures for and among organizations handling credit card information.
PCI-DSS (Payment Card Industry Data Security Standard) is a collection of security controls that businesses and government agencies collecting credit card data are required to implement. Introduced in 2004, PCI-DSS consists of 12 general requirements and associated sub-controls. Any organization that processes any type of payment card (debit or credit) must meet these requirements or face fines and possible loss of the right to process payment cards. An organization that does not receive payment card information directly, but is responsible for storing or transmitting such data, can still be held accountable under the PCI-DSS requirements.
How Do You Achieve PCI Compliance?
A continuous and consistent state of compliance with data security standards and laws is challenging for many organizations. Adherence to PCI requires comprehensive, continuous visibility into system settings, configuration and the implementation of security controls. It also requires proactive and continuous system monitoring to ensure systems remain compliant without lapses.
Meeting PCI-DSS calls for the ability to assess system security posture and control compliance quickly and easily at any time, using rule sets that perform the compliance checks. Detailed reports are needed to support compliance efforts and Assessment and Authorization (A&A) activities. Inevitably, automation is required.
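One way to make such rule-set checks concrete, as an added example that is not Atomicorp's, OSSEC's or the PCI Security Standards Council's code: a small rule engine evaluates a configuration snapshot against checks that support four of the requirement areas named on this page (firewall configuration, vendor-supplied defaults, stored cardholder data, encrypted transmission) and emits a pass/fail report. The configuration key names, the rule identifiers and the host snapshot are constructed assumptions, not official PCI control numbers or data from a real system.

```python
"""Minimal rule-based compliance check over a system configuration snapshot.

Added example, not Atomicorp/OSSEC code. Configuration keys, rule ids and
requirement labels are illustrative assumptions; the snapshot is constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed snapshot of one host's settings (assumed key names).
SAMPLE_CONFIG: Dict[str, object] = {
    "firewall.default_inbound_policy": "DROP",
    "firewall.rules": ["allow tcp/443 from any", "allow tcp/22 from 10.0.0.0/8"],
    "accounts": [
        {"user": "admin", "password_is_vendor_default": True},
        {"user": "deploy", "password_is_vendor_default": False},
    ],
    "cardholder_db.pan_encrypted_at_rest": False,
    "web.tls_enabled": True,
    "web.tls_min_version": "TLSv1.2",
}

# The same snapshot after the two failing items are remediated (constructed).
HARDENED_CONFIG: Dict[str, object] = {
    **SAMPLE_CONFIG,
    "accounts": [
        {"user": "admin", "password_is_vendor_default": False},
        {"user": "deploy", "password_is_vendor_default": False},
    ],
    "cardholder_db.pan_encrypted_at_rest": True,
}


@dataclass(frozen=True)
class Rule:
    rule_id: str        # local identifier (assumed, not an official PCI control number)
    requirement: str    # PCI-DSS requirement area the check supports
    description: str
    check: Callable[[Dict[str, object]], bool]   # returns True when compliant


@dataclass(frozen=True)
class Finding:
    rule_id: str
    requirement: str
    status: str         # "PASS" or "FAIL"
    description: str


def _no_vendor_default_passwords(cfg: Dict[str, object]) -> bool:
    # Indexing (not .get) so a missing inventory raises and is recorded as FAIL.
    return not any(a["password_is_vendor_default"] for a in cfg["accounts"])


def _tls_transmission_ok(cfg: Dict[str, object]) -> bool:
    # TLS must be on, and the floor must be a protocol version still considered acceptable.
    return cfg.get("web.tls_enabled") is True and cfg.get("web.tls_min_version") in {"TLSv1.2", "TLSv1.3"}


RULES: List[Rule] = [
    Rule("FW-01", "Req 1: firewall configuration",
         "Default inbound firewall policy denies traffic that is not explicitly allowed",
         lambda cfg: cfg.get("firewall.default_inbound_policy") == "DROP"),
    Rule("PW-01", "Req 2: no vendor-supplied defaults",
         "No account still uses a vendor-supplied default password",
         _no_vendor_default_passwords),
    Rule("ST-01", "Req 3: protect stored cardholder data",
         "Primary account numbers are encrypted at rest",
         lambda cfg: cfg.get("cardholder_db.pan_encrypted_at_rest") is True),
    Rule("TX-01", "Req 4: encrypt transmission over public networks",
         "TLS is enabled with a minimum protocol version of TLS 1.2",
         _tls_transmission_ok),
]


def evaluate(cfg: Dict[str, object], rules: List[Rule] = RULES) -> List[Finding]:
    """Run every rule; missing or malformed data is a FAIL, never a silent pass."""
    findings = []
    for rule in rules:
        try:
            ok = bool(rule.check(cfg))
        except (KeyError, TypeError):
            ok = False
        findings.append(Finding(rule.rule_id, rule.requirement, "PASS" if ok else "FAIL", rule.description))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    failed = [f for f in findings if f.status == "FAIL"]
    return {"total": len(findings), "passed": len(findings) - len(failed),
            "failed": len(failed), "compliant": not failed}


def report(findings: List[Finding]) -> str:
    """Human-readable report, one line per check plus an overall verdict."""
    lines = [f"{f.status:4} {f.rule_id:6} {f.requirement}: {f.description}" for f in findings]
    s = summarize(findings)
    verdict = "COMPLIANT" if s["compliant"] else "NON-COMPLIANT"
    lines.append(f"{s['passed']}/{s['total']} checks passed; overall: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(evaluate(SAMPLE_CONFIG)))
    print()
    print(report(evaluate(HARDENED_CONFIG)))
```

The design point is in `evaluate`: a check that cannot find its evidence (a missing account inventory, a malformed field) is recorded as a failure rather than skipped, so the report never shows a control as met simply because nothing was collected. In a real deployment the snapshot would be gathered by an agent on a schedule and the findings written to a store that the A&A reporting reads from.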
Complicating matters are data sovereignty rules and international privacy laws, and the question of how much responsibility cloud providers carry when you share your data with them. Who is responsible for a breach that occurs at the connection point between your organization and a cloud provider's? Does one party own that responsibility, or is it shared? PCI and Center for Internet Security (CIS) controls are a great start in meeting these requirements and resolving these quandaries, but you need extra data protection for financial information, which is a lucrative target for thieves.
Comprehensive PCI DSS Compliance Enforcement and Automation
Read the white paper that explores some of the 99 PCI-DSS requirements that can be met with the aid of Atomic OSSEC and Atomic Protector.
- Install and maintain a firewall configuration to protect cardholder data.
- Stop using vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Develop and maintain secure systems and applications, and more.
- Ensure compliance in the cloud, the data center and in hybrid environments with Atomicorp.
Read the PCI Compliance whitepaper.
PCI Compliance in the Cloud – A Toolkit for Security and Compliance Practitioners
Many organizations believe that if their networks are secure, then they're PCI compliant – and vice versa. But that's a false belief, particularly for organizations moving to the cloud. To truly protect your systems and minimize compliance risk, your organization needs to take specific measures to meet or exceed PCI requirements in the cloud, whether you're deploying virtual machines, containers or even serverless applications.
Organizations may try to ease their regulatory burden by shifting their environment to a PCI DSS-compliant cloud provider. They think that if the provider is compliant, then its customers must be as well. But that’s also not the case — your organization still has to use the cloud service in a compliant manner, and you have to protect your own workload and data.
The Atomicorp PCI compliance toolkit will help you understand and address PCI implications for key aspects of your cloud and hybrid infrastructure.
Get a free PCI compliance toolkit.
About Atomicorp
Atomicorp provides detection, protection and compliance. It was founded in 2015 to solve a critical problem faced by the modern enterprise: how do you ensure security and compliance when workloads are continuously deployed across multiple cloud and data center environments? We knew the only answer was a lightweight, DevOps-friendly platform that could automate a wide range of functional requirements. We also knew that OSSEC was the ideal foundation on which to build this solution.
Today, we help hundreds of customers around the world to meet their most critical security and compliance requirements efficiently and cost effectively.