Thursday, July 26, 2007

Using ISO 27001 for PCI DSS Compliance First Page (2)

PCI, as it is almost universally known, was originally developed by MasterCard and Visa through an alignment of security requirements contained in the MasterCard Site Data Protection Plan (SDP) and two Visa programs, the Cardholder Information Security Plan (CISP) and the international Account Information Security (AIS). In September of 2006, a group of five leading payment brands including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International jointly announced the formation of the PCI Security Standards Council, an independent council established to manage the ongoing evolution of the PCI standard. Concurrent with the announcement, the council released version 1.1 of the PCI standard. Since then it has rapidly become the ‘de-facto’ standard within the card industry for both merchants and service providers.

While the newly-established PCI Security Standards Council manages the underlying data security standard, compliance requirements are set independently by the individual payment card brands. While requirements vary between card networks, MasterCard’s Site Data Protection Plan and Visa’s Cardholder Information Security Program are representative. They stipulate separate compliance validation requirements for merchants and service providers, which vary depending on the size of the company and its transaction / business throughput.

PCI DSS is based on established best practice for securing data (such as ISO 27001) and applies to any party involved with the transfer or processing of credit card data. Its purpose is to ensure that confidential cardholder account data is always secure, and it comprises 12 key requirements:

1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
7. PCI validation requirements & ISO 27001 compliance requirements
8. Annual on-site security audits
9. PCI annual self-assessment questionnaire
10. Quarterly external network scans
11. PCI DSS Validation Enforcement Table
12. PCI and ISO 27001 - the comparisons

See the 12 key requirements in detail

Back to Using ISO 27001 for PCI DSS Compliance First Page
