Along with the ball dropping, New Resolutions and parades, 2010 also ushers in the annual PCI DSS certification inspection. If you're a store owner, I'm sure you're familiar with the acronym PCI DSS (Payment Card Industry Data Security Standard). However, you may not be privy to the process that hosting companies have to go through in order to attain it. I'm not going to get into the history of the program, but I do want to shed some light on the process so that it will not seem so mysterious. In the age of the internet, we hear so many acronyms and all we know about them is that we must have them for our sites.
"I don't know what SEO, ROI, or PCI is, but I MUST HAVE THEM!"
We are currently involved in the inspection and certification stage of compliance and I'm going to document the entire process for everyone. Our president is deep in the heart of our data center with a certified inspector and they are going through every cable, connector, and line of code to verify our compliance for 2010.
To recap, the core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
I did an in depth look at each of these requirements last year, which you can read here.