PCI DSS
Three steps to an effective antivirus solution for PCI DSS
1. Installed and running on every laptop, desktop, and server at system boot. The software should be password-protected so that users cannot disable or uninstall the application. It may sound trivial, but users and administrators disable antivirus software all the time because it slows down their system. Therefore, password-protecting the administrative functions of the software has become a necessary evil.
2. The solution should also provide real-time scanning. Most of us are familiar with static scanning. That is when your desktop automatically starts a weekly scan of your hard drive or when you execute a manual scan of files on your system. Real-time scanning scans every file the operating system touches before that file is fully opened.
3. The antivirus solution must be kept up-to-date with the latest signatures. New malware is being released daily. If your antivirus solution is not current, the users and data are at risk. Auditors will check the signature time stamps to make sure they have been updated.
[Tony Bradley, PCI Compliance]
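The three conditions above are exactly what an auditor looks for in evidence: agent installed, started at boot and running, administrative functions locked, real-time scanning on, and signatures current. The following Python script, added here as an illustration and not part of Bradley's text or any vendor tool, evaluates a constructed endpoint-management export against those conditions. The record layout, the host names, and the seven-day staleness threshold are all assumptions; PCI DSS says signatures must be "current" but does not give a number, so set the threshold to whatever your own policy states.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real hosts). Each one mirrors what an
# endpoint-management export of the antivirus agent's state might contain.
HOSTS = [
    {"host": "pos-01", "installed": True, "running": True, "starts_at_boot": True,
     "admin_password_protected": True, "realtime_scanning": True,
     "signature_date": "2007-11-20T06:00:00Z"},
    {"host": "db-02", "installed": True, "running": False, "starts_at_boot": True,
     "admin_password_protected": False, "realtime_scanning": True,
     "signature_date": "2007-11-20T06:00:00Z"},          # an admin stopped the agent
    {"host": "laptop-17", "installed": True, "running": True, "starts_at_boot": True,
     "admin_password_protected": True, "realtime_scanning": False,
     "signature_date": "2007-10-01T06:00:00Z"},          # off the network for weeks
    {"host": "web-03", "installed": False, "running": False, "starts_at_boot": False,
     "admin_password_protected": False, "realtime_scanning": False,
     "signature_date": None},
]

# Assumed policy threshold; PCI DSS requires "current" signatures, not a number.
MAX_SIGNATURE_AGE = timedelta(days=7)


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' as a UTC-aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_host(record: dict, now: datetime, max_age: timedelta = MAX_SIGNATURE_AGE) -> list:
    """Return a list of findings for one host; an empty list means compliant."""
    if not record["installed"]:
        # Nothing else can be evaluated if the agent is absent.
        return ["antivirus not installed"]

    findings = []
    if not record["starts_at_boot"]:
        findings.append("antivirus does not start at system boot")
    if not record["running"]:
        findings.append("antivirus not running")
    if not record["admin_password_protected"]:
        findings.append("users can disable or uninstall the agent")
    if not record["realtime_scanning"]:
        findings.append("real-time scanning disabled")

    # Signature currency: compare the signature timestamp with the audit time.
    if record["signature_date"] is None:
        findings.append("no signature date recorded")
    else:
        age = now - parse_utc(record["signature_date"])
        if age > max_age:
            findings.append(f"signatures {age.days} days old (limit {max_age.days})")
    return findings


def audit(hosts: list, now: datetime) -> dict:
    """Map each non-compliant host name to its findings."""
    report = {}
    for record in hosts:
        findings = check_host(record, now)
        if findings:
            report[record["host"]] = findings
    return report


if __name__ == "__main__":
    audit_time = datetime(2007, 11, 21, tzinfo=timezone.utc)
    for host, findings in audit(HOSTS, audit_time).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Run it against an export taken at audit time rather than a cached one: the signature-age check is only as good as the freshness of the timestamp you feed it, and a host that has been off the network will report the last date it reached the update server.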
LogRhythm for PCI-DSS Compliance
The Payment Card Industry (PCI) Data Security Standard was created by the leading credit card companies to ensure customer data is safeguarded. The PCI-DSS regulation has specific requirements related to log data centralization, archiving, monitoring and reporting for security and audit purposes.
LogRhythm enables organizations to meet over 15 specific PCI-DSS requirements throughout Sections 1, 5, 10 & 11 of the PCI data security standard. Additionally, LogRhythm automates numerous time-consuming tasks necessary to comply with these burdensome requirements. To that end, LogRhythm provides a host of packaged reports designed specifically to meet PCI-DSS requirements. These reports can be scheduled to run at regular intervals and even be delivered automatically to the appropriate individuals within your organization.
Get the facts you need to know about log management and analysis compliance requirements for PCI-DSS and how LogRhythm can help.
Download Free GFI PCI Suite 30 Days Trial
The Payment Card Industry Data Security Standard and GFI Software. Since companies are constantly at risk of losing sensitive cardholder data, which could result in fines, legal action and bad publicity, achieving compliance with the PCI DSS should be high on the agenda of companies that store, transmit or process credit card data. Furthermore, PCI DSS compliance needs to be achieved by December 2007, the deadline set by the credit card companies. Organizations that fail to comply face fines of up to $500,000 if the data is lost or stolen and risk not being allowed to handle cardholder data.
GFI PCI Suite
GFI Software offers organizations who need to become PCI DSS compliant one holistic solution – the GFI PCI Suite. The GFI PCI Suite combines two award-winning solutions:
- GFI EventsManager, a complete event log management solution and
- GFI LANguard Network Security Scanner (N.S.S.), a complete network vulnerability management solution that includes vulnerability scanning, patch management and network auditing.
Download Free PCI DSS version 1.1 Specification and Supporting Documents
The PCI DSS version 1.1, a set of comprehensive requirements for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.
The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
Risks and Consequences for PCI DSS
If you are a Chief Financial Officer (CFO) or a comptroller, you are probably asking the question: “Why would I need to spend the money on PCI?” Good question: there are fines! Unfortunately, the fine schedules are not well defined. Your company’s contract with the acquiring bank probably has a clause in it that any fines from the card brand will be “passed through” to you. With all compliance deadlines passed, the fines could start tomorrow. Visa USA has announced that it will start fining acquirers (which will pass on the costs to the merchant) between $5,000 and $25,000 per month if their Level 1 merchants have not demonstrated compliance by September 30, 2007, and Level 2 merchants have not demonstrated compliance by December 31, 2007. In addition, fines of $10,000 per month may already be assessed today for prohibited data storage by Level 1 or Level 2 merchants.
What is certain is that you will be fined up to $500,000 if non-compliant and compromised. Believe it or not, if compromised, this will be the least of your concerns. Civil liabilities will dwarf the fines from the card brands. Some estimates place the cost of compromise at $80 per account. Some companies that have been compromised have been forced to close their doors. According to PCI Co and the Ponemon Institute study, the per capita cost of a data breach has gone up more than 30 percent in the past year.