Thursday, July 26, 2007

12 key requirements Detail

Build and maintain a secure network
• Requirement 1: Install and maintain a
firewall configuration to protect
cardholder data
• Requirement 2: Do not use vendor-supplied
defaults for system passwords
and other security parameters

Protect cardholder data
• Requirement 3: Protect stored cardholder
• Requirement 4: Encrypt transmission
of cardholder data across open, public

Maintain a vulnerability management program
• Requirement 5: Use and regularly update antivirus
• Requirement 6: Develop and maintain secure
systems and applications

Implement strong access control measures
• Requirement 7: Restrict access to cardholder data
by business need-to-know
• Requirement 8: Assign a unique ID to each person
with computer access
• Requirement 9: Restrict physical access to
cardholder data

Regularly monitor and test networks
• Requirement 10: Track and monitor all access to
network resources and cardholder data
• Requirement 11: Regularly test security systems
and processes

Maintain an information security policy
• Requirement 12: Maintain a policy that addresses
information security

In order to fully comply with the standard, every
organisation that the standard applies to must
implement all of the controls to the target
environment and annually audit the effectiveness of
the controls in place.

PCI validation requirements & ISO 27001
compliance requirements

Both ISO 27001 and PCI require the organisation to
ensure that a formal validation and compliance
(audit) structure is in place and that validation
requirements (including self audits and vulnerability
scans) are undertaken on a regular basis and results
are fed into a management system for ongoing
review and improvement (e.g. PCI validation
requirements are based on number of transactions -
the more transactions an organisation handles, the
greater the quantity and detail of audits that are

The number of validation audits includes:
Annual on-site security audits - MasterCard and
Visa require the largest merchants (level 1) and
service providers (levels 1 and 2) to have a yearly
on-site compliance assessment performed by a
certified third-party auditor, which is similar to an
ISO 27001 certification programme

PCI annual self-assessment questionnaire - In
lieu of an on-site audit, smaller merchants and
service providers are required to complete a
self-assessment questionnaire to document their
security status. Again this is similar to ISO 27001,
as there should be a formal structure of scheduled
audits that enables early identification of ‘weak
spots’ and should feed into an existing ‘enterprise
risk structure’ that enables the organisation to fulfil
corporate governance guidance requirements, such
as Basel II, SOX, Combined Code, Revised Guidance,

Quarterly external network scans - All merchants
and service providers are required to have external
network security scans performed quarterly by a
certified third-party vendor. Scan requirements are
rigorous: all 65,535 ports must be scanned, all
vulnerabilities detected of level 3-5 severity must
be remedied, and two reports must be issued: a
technical report that details all vulnerabilities
detected with solutions for remediation, and an
executive summary report with a PCI-approved
compliance statement suitable for submission to
acquiring banks for validation.

One important thing to note is that PCI have created
security audit procedures (a tick box / checklist
document) that provide information on the
requirements for technical PCI compliance and also
provide details on the expected content that should
form part of the annual submission report - the
‘report for compliance or executive summary report’.
To assist service providers or merchants in this
compliance process, an ‘accreditation’ scheme has
been established. This has been designed to allow
pre-approved PCI security and audit organisations to
offer ‘Qualified Security Assessor’ (i.e. Auditor of
system) services or Approved Security Vendor (i.e.
Penetration tester), or both.

These services will appeal to the many service
providers or merchants that need to comply on all
levels with PCI DSS, but ultimately, every service
provider or merchant will have the option of who
they choose to work with to verify they meet all the
technical requirements of PCI DSS.

PCI DSS Validation Enforcement Table
While PCI DSS non-compliance penalties also vary
among major credit card networks, they can be
substantial and, perhaps more worryingly, they can
represent a major embarrassment or worse, lead to
reputation damage, which is difficult to quantify.
Participating companies can be barred from
processing credit card transactions, higher
processing fees can be applied, and in the event of a
serious security breach, fines of up to £250,000 can
be levied for each instance of non-compliance.
Since compliance validation requirements and
enforcement measures are subject to change,
merchants and service providers need to
closely monitor the requirements of all
card networks in which they participate.

PCI and ISO 27001 - the comparisons

In contrast to the PCI framework, the
ISO 27001 standard is more flexible in
terms of scope, controls, compliance and
enforcement. As an internationally
recognised security standard, ISO 27001
is designed to apply to a wide variety of
organisations across numerous
industries. It is regarded as the de facto
information security standard by many
organisations where information security
is a strict requirement, although
compliance is voluntary. Many
organisations that choose to certify to
the standard often do so for purposes of
due diligence or partner confidence.
When properly applied, ISO 27001 is
based around a flow of information,
which makes up what the standard
defines as a system. The organisation
defines the systems to be certified and
sets up an Information Security
Management System (ISMS) around the
relevant area of business, which is then
defined as the scope.
Subsequently the organisation fully
documents the scope, creates a detailed
asset inventory and performs a formal
risk assessment on those assets. The
results of the risk assessment lead the
organisation to the control clauses of the
standard and they choose those that best
address the risks to the environment.
The selected controls are then
documented in its Statement of
Applicability (SOA) and mapped back to
the risk assessment.
