PCI DSS
Feb 15th, 2007 by Jesper Kråkhede
Are you accepting credit cards on your website or in some other part of your business? PCI DSS stands for Payment Card Industry Data Security Standard and is a fairly technical set of requirements for how you must protect cardholder data. The fees and fines if you lose the card data are very high.
How should you proceed towards PCI DSS compliance? First contact an auditor (a Qualified Security Assessor, QSA) and get an initial audit of your business. This auditor should be your reference point during the whole process. Next, either read a lot about security from all angles or bring in knowledgeable consultants in the area to help you understand how PCI DSS applies to your business. The auditor should also tell you which merchant level they think you belong to, since that decides how much validation you will have to do.
The things that have to be done in the first phase are:
* Finding the card data.
* Finding where it flows.
* Finding all the hiding places: logs, temp files, backups, exports etc.
* Deciding where the data should reside, if it needs to be stored at all.
* Doing risk assessments on what you found.
* Starting to fix all the problems.
* Having a new audit done.
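The hardest of these steps in practice is the third one: card numbers leak into places nobody thinks of. The scanner below is an added example, not code from the original post; it walks a set of files, picks out digit runs that look like a card number (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn check so that order numbers and gateway IDs are not reported as false positives, and reports the location together with a masked PAN rather than the full number, so the report itself does not become a new hiding place. The file paths and log lines are constructed for the example.

```python
import os
import re
from typing import Dict, List, NamedTuple

# A candidate PAN is 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop us matching inside longer runs such as hashes or hex IDs.
CANDIDATE_RE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")


class Finding(NamedTuple):
    path: str
    line_no: int
    masked_pan: str


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check, used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits, which PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid card number in the given text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(path, line_no, mask(digits)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> contents (used for the sample below)."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


def scan_directory(root: str) -> List[Finding]:
    """Scan every regular file under root on disk, ignoring undecodable bytes."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    results.extend(scan_text(path, fh.read()))
            except OSError:
                continue            # unreadable file: skip, keep scanning
    return results


# Constructed sample data: two places card data typically leaks into.
# 1234567890123456 is a 16-digit gateway ID that fails Luhn and must NOT be reported.
SAMPLE_FILES = {
    "/var/log/app/checkout.log": (
        "2007-02-15 10:03:12 INFO order=5531 card=4111 1111 1111 1111 amount=120.00\n"
        "2007-02-15 10:03:13 DEBUG gateway response id=1234567890123456 status=OK\n"
        "2007-02-15 10:04:01 INFO order=5532 token=tok_9f3a amount=45.00\n"
    ),
    "/tmp/export-20070215.csv": (
        "5532,Jane Doe,5555-5555-5555-4444,45.00\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.masked_pan}")
```

Run as-is it reports the two real card numbers and skips the gateway ID; point `scan_directory` at a log or spool directory to use it on a real system. The Luhn filter is what keeps the report usable, but it is not proof of absence: encrypted, base64-encoded or split-across-lines numbers will not be found this way, so treat the output as a starting point for the data-flow mapping, not as the final answer.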
I will not lie to you. Becoming PCI DSS compliant can be very costly. But at the same time you get higher security across all of your systems. I have worked with this compliance for quite a long time, and even though the data is more or less the same, the interpretation of PCI DSS within every organization is different every time. One way of solving a problem is not always the right one. It all depends on how you use the data and how much you trust your employees.