April 7th, 2014 by Elma Jane
Payment processors share an inherent responsibility to keep their systems secure. It requires a system of governance that includes a broad array of policies, procedures, planning activities, responsibilities, practices and resources for implementing and maintaining a secure system and network operating environment.
To help organizations identify the best payment processors, a recent white paper from i2c outlines the various governance and security best practices processors should use. And it all starts from the top.
Good governance calls for establishing internal audit, compliance, and information security groups within the organization that have separate reporting channels to upper management and/or a board-level audit committee, the report notes. This organizational structure ensures that all security and operational-related risks are appropriately addressed and that all internal processes and practices remain in compliance with the organization’s defined policies and procedures, which in turn should align with applicable external security standards, regulatory laws and payment systems operating rules.
Resource Dedication
Payment processors also need to dedicate proper resources to the task of understanding, and complying with all applicable government, industry, association, legal and regulatory requirements that are relevant to each of their operating regions, according to the paper. Such applicable requirements need to be carefully identified, documented, applied, and updated on a regular basis.
Payment processors’ compliance activities need to cover not only the applicable government, industry, association operating rules and legal/regulatory requirements pertaining to their operations, but they also need to understand and comply with the applicable rules and regulatory requirements pertaining to their client partners. Let say you process customer data on behalf of a partner whose data is governed by a given regulatory rule, then you as their third-party provider must also apply those regulatory rules when handling their data.
Policies and procedures should be developed and put into practice that ensure the payment processor remains in compliance with these various requirements.
Risk Management
Risk management should be incorporated into every payment processors’ system of governance. It provides a framework for identifying and addressing risks within the organization and provides a process for regular operational review and improvement, according to the report. An effective risk management process should adopt an appropriate risk management methodology to identify, evaluate, mitigate and monitor risks pertaining to critical business assets and operations.
Security best practices also call for a defense-in-depth strategy to ensure the protection of information assets and overall risk reduction. A defense-in-depth approach ensures that the failure of any one control does not lead to successful penetration. By providing multiple layers of protection, the controls collectively ensure the confidentiality, integrity, and availability of critical system assets and data.
Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security, Small Business Improvement, Visa MasterCard American Express Tagged with: availability, confidentiality, defense-in-depth, information security, internal audit, layers of protection, network operating, payment processors, risk reduction, secure system, security best practices, system assets and data, system operating rules, systems secure
February 13th, 2014 by Elma Jane
Core Elements of PCI’s Data Security Standard
This organization provides an international platform for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. It is impossible to be involved in the credit card processing industry and not be aware of the PCI Security Standards Council.
As such it is important to be aware of the core elements of the PCI’s Data Security Standard (DSS).
The following are the current fundamental principles and requirements:
Build and Maintain a Secure Network
Requirement a. Install and maintain a firewall configuration to protect cardholder data
Requirement b. Do not use vendor-supplied defaults for system passwords and other security parameters
Implement Strong Access Control Measures
Requirement c. Restrict access to cardholder data by business need-to-know
Requirement d. Assign a unique ID to each person with computer access
Requirement e. Restrict physical access to cardholder data
Maintain a Vulnerability Management Program
Requirement f. Use and regularly update anti-virus software
Requirement g. Develop and maintain secure systems and applications
Maintain an Information Security Policy
Requirement h. Maintain a policy that addresses information security
Protect Cardholder Data
Requirement i. Protect stored cardholder data
Requirement j. Encrypt transmission of cardholder data across open, public networks
Regularly Monitor and Test Networks
Requirement k. Track and monitor all access to network resources and cardholder data
Requirement l. Regularly test security systems and processes
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Payment Card Industry PCI Security Tagged with: account data protection, cardholder data, credit card processing, information security, open public networks, PCI Data Security Standard, secure network, secure systems and applications, security standards council, security systems and processes, vulnerability management
