
Running head: PCIDSS AND GLBA COMPLIANCE LAW

PCIDSS and GLBA Compliance Law


Name
Institution


Abstract
This paper covers the basics of the PCI DSS and GLBA compliance regulations and to whom they
apply. It documents the applicable industry regulations, audit frameworks and controls for
compliance. Best practices are also given, introducing security controls and processes for PCI
DSS requirements such as building and maintaining a secure network, having a vulnerability
management program and an information security policy in place, and implementing strong
access control measures.
The PCI Data Security Standard (PCI DSS)

PCI DSS is the international data security standard adopted by the payment card brands for all
parties that process, store or transmit cardholder data. It comprises requirements that
correspond to security best practices. The aim of PCI DSS is to safeguard cardholder data while
it is being processed, stored or transmitted. It follows that the security controls and
processes required by PCI DSS are important for protecting cardholder account data, which
includes the primary account number (PAN) printed on the front of a payment card. Service
providers and merchants engaged in payment card processing must never store sensitive
authentication data after authorization. Sensitive authentication data includes the security
codes printed on the card, the full track data from the card's magnetic stripe (or the
equivalent data on a chip), and the personal identification numbers (PINs) keyed in by the
cardholder (Chuvakin, Spangenberg, & Williams, 2010).


Table 1. PCI DSS goals (security practices) and requirements (PCI Security Standards Council, 2008).

Goal (security practice)                 PCI DSS requirements
Build and maintain a secure network      1. Install and maintain a firewall configuration to
                                            protect cardholder data.
                                         2. Do not use vendor-supplied defaults for system
                                            passwords and other security parameters.
Protect cardholder data                  3. Protect stored cardholder data.
                                         4. Encrypt transmission of cardholder data across open,
                                            public networks.
Maintain a vulnerability management      5. Use and regularly update anti-virus software or
program                                     programs.
                                         6. Develop and maintain secure systems and applications.
Implement strong access control          7. Restrict access to cardholder data by business need
measures                                    to know.
                                         8. Assign a unique ID to each person with computer access.
                                         9. Restrict physical access to cardholder data.
Regularly monitor and test networks      10. Track and monitor all access to network resources
                                             and cardholder data.
                                         11. Regularly test security systems and processes.
Maintain an information security         12. Maintain a policy that addresses information
policy                                       security for all personnel.

Create and maintain a secure network by:


a) Deploying and maintaining a firewall configuration to safeguard cardholder data.
Establish firewall and router configuration standards that identify all connections to the
cardholder data environment (CDE) and the technical settings for each implementation, and that
require a review of firewall and router rule sets at least every six months.
Create firewall and router configurations that deny all traffic from untrusted networks and
hosts except the protocols required for the cardholder data environment.
Prohibit direct public access between the Internet and any system component in the cardholder
data environment.
Install personal firewall software on any portable devices with direct Internet connectivity
that are used to access the organization's network.
b) Avoiding vendor-supplied defaults for system passwords and other security parameters.
Always change vendor-supplied defaults before a system is deployed on the network, including on
wireless devices that are connected to the cardholder data environment or are used to transmit
cardholder data.
Use strong cryptography to encrypt all non-console administrative access, such as web-based
management tools.
Shared hosting providers must protect each entity's hosted environment and cardholder data.
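As an added example (not from the paper or the PCI SSC guide), the following Python script performs the kind of rule-set review that the firewall requirements above call for: it checks that a rule set ends with a default-deny rule, that nothing from outside the DMZ can reach the cardholder data environment, that only approved protocols enter it, and that CDE hosts cannot open arbitrary outbound connections. The rule format, the network addresses, the approved-protocol list and the two sample rule sets are all constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed network layout for the example (not taken from the paper).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("10.10.0.0/24")   # web tier that fronts the CDE
CDE = ipaddress.ip_network("10.20.0.0/24")   # cardholder data environment

# Protocols the CDE legitimately needs from the DMZ (assumption for the example).
APPROVED_INTO_CDE = {("tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def review_rules(rules: List[Rule]) -> List[str]:
    """Return review findings; an empty list means the rule set passed."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        src, dst = _net(r.src), _net(r.dst)
        if src == INTERNET and dst == INTERNET:
            findings.append(f"rule {i}: permits any source to any destination")
            continue
        # Traffic entering the CDE must come from the DMZ and use an approved protocol.
        if dst.overlaps(CDE) and not src.subnet_of(CDE):
            if not src.subnet_of(DMZ):
                findings.append(f"rule {i}: traffic into the CDE from {r.src}, which is outside the DMZ")
            elif (r.proto, r.port) not in APPROVED_INTO_CDE:
                findings.append(f"rule {i}: {r.proto}/{r.port} into the CDE is not an approved protocol")
        # CDE hosts must not be able to initiate connections to arbitrary Internet hosts.
        if src.subnet_of(CDE) and dst == INTERNET:
            findings.append(f"rule {i}: CDE hosts may initiate outbound traffic to any destination")
    # The rule set must end with an explicit deny-all so unmatched traffic is dropped.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or _net(last.src) != INTERNET or _net(last.dst) != INTERNET:
        findings.append("no final default-deny rule (deny any -> any)")
    return findings


# Constructed sample rule sets.
GOOD_RULES = [
    Rule("allow", "0.0.0.0/0", "10.10.0.0/24", "tcp", 443),     # Internet -> DMZ web tier
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "tcp", 443),  # DMZ -> CDE application API
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),        # default deny
]

BAD_RULES = [
    Rule("allow", "0.0.0.0/0", "10.10.0.0/24", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "10.20.0.0/24", "tcp", 3306),    # Internet straight to the CDE database
    Rule("allow", "10.10.0.0/24", "10.20.0.0/24", "tcp", 22),   # SSH into the CDE is not on the approved list
    Rule("allow", "10.20.0.0/24", "0.0.0.0/0", "any", None),    # CDE may reach anything outbound
    Rule("allow", "0.0.0.0/0", "0.0.0.0/0", "any", None),       # permit-any instead of default deny
]

if __name__ == "__main__":
    for name, rules in (("GOOD_RULES", GOOD_RULES), ("BAD_RULES", BAD_RULES)):
        print(name, review_rules(rules) or ["no findings"])
```

Running the script reports no findings for GOOD_RULES and five for BAD_RULES (rules 2 to 5 plus the missing default deny). A review like this is only as good as the asset inventory behind the CDE and DMZ definitions, which is why the configuration standard has to document every connection to cardholder data before the rule set can be judged.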
Safeguard cardholder data by:


a) Encrypting cardholder data during transmission over open, public networks
Use strong cryptography and security protocols such as TLS, SSH and IPsec to protect sensitive
cardholder data during transmission over open, public networks such as the Internet. The 2008
guide lists SSL among these protocols, but SSL and early TLS are no longer accepted as strong
cryptography under current versions of PCI DSS, so TLS 1.2 or later should be used. Data
transmitted over wireless technologies such as GSM and GPRS must use industry best practices to
achieve strong encryption for both authentication and transmission.
b) Protecting cardholder data in storage
Limit cardholder data storage and retention time to what is required for business, legal and
regulatory purposes, as documented in the data retention policy, and securely delete stored
data that exceeds the retention period at least quarterly.
Merchants and service providers must not store sensitive authentication data after
authorization. The only exception is for issuers and companies that support issuing services,
which may store sensitive authentication data if there is a business justification and the data
is stored securely.
Mask the PAN whenever it is displayed: PCI DSS allows at most the first six and last four
digits to be shown. This does not apply to authorized personnel with a legitimate business need
to view the full PAN.


Render the PAN unreadable anywhere it is stored, including on portable digital media, on backup
media, in logs, and in data received from or stored on wireless networks. Acceptable methods
are strong one-way hash functions of the entire PAN, truncation, index tokens and pads (with
the pads securely stored), or strong cryptography with associated key-management processes and
procedures.
Protect any keys used to encrypt cardholder data against disclosure and misuse.
Fully document and implement all key-management processes and procedures for the cryptographic
keys used to encrypt cardholder data.
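As an added example (not from the paper or the PCI SSC guide), the following Python code shows the display, storage and logging treatments of the PAN described above in one place: masking to the first six and last four digits, truncation to the last four, a keyed one-way hash (HMAC-SHA256) that can stand in for the PAN when records must be matched, and a log scrubber that finds card numbers by pattern plus Luhn check and masks them. The key, the log lines and the card numbers (the card brands' public test numbers) are constructed for the example and are not real card data.

```python
import hashlib
import hmac
import re

# Constructed key for the example; a real HMAC key belongs in an HSM or KMS,
# never alongside the data it protects.
EXAMPLE_KEY = b"constructed-example-key-not-for-production"


def luhn_ok(digits: str) -> bool:
    """Luhn check used by the card brands; cuts false positives when scanning logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four digits."""
    return pan[-4:]


def pan_reference(pan: str, key: bytes = EXAMPLE_KEY) -> str:
    """Keyed one-way hash of the whole PAN, usable for matching without storing the PAN.
    An unkeyed SHA-256 would be brute-forceable because the PAN space is small."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in a log line with its masked form."""
    def _replace(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return _CANDIDATE.sub(_replace, line)


# Constructed log lines using public test card numbers, not real cards.
LOG_LINES = [
    "2016-07-15T10:01:22Z order=1234567890123 card=4111111111111111 amount=19.99",
    "2016-07-15T10:02:03Z card=5555 5555 5555 4444 status=approved",
    "2016-07-15T10:02:40Z phone=555-123-4567 ref=20160715-0042",
]

if __name__ == "__main__":
    for line in LOG_LINES:
        print(scrub_log_line(line))
```

The 13-digit order number in the first line passes the length filter but fails the Luhn check, so it is left alone, while both card numbers are masked. Two caveats for real use: the pattern tolerates single spaces or dashes between digits, so a PAN written immediately next to another numeric field can be missed and the expression must be tuned to the log format; and PCI DSS warns that a truncated and a hashed version of the same PAN stored together can be correlated to reconstruct it, so keep them apart or add controls that prevent correlation.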
Use and regularly update anti-virus software
Deploy anti-virus software on all systems commonly affected by malicious software (particularly
personal computers and servers) and ensure that all anti-virus mechanisms are current, actively
running and generating audit logs.
Deploy strong access control measures
Restrict access to cardholder data to only those persons whose job requires such access. Limit
access to system components and cardholder data to business need to know, and establish an
access control system for multi-user system components that restricts access based on a user's
need to know and is set to deny all access unless it is specifically allowed (Virtue, 2009).

The overview of PCI DSS requirements above follows the PCI Security Standards Council (2008) quick reference guide.

GLBA (Gramm-Leach-Bliley Act)
The GLBA compliance law addresses the financial services industry, including insurance,
securities and banking, and extends to parties such as credit reporting agencies, ATM
operators, couriers and tax preparers. It was enacted to modernize consumer financial services,
and its privacy and safeguards provisions consist of a series of rules and guidelines laid down
by several federal agencies for implementation. The law assures consumers that the
confidentiality and privacy of financial data that is electronically gathered, maintained, used
or transmitted will be protected, particularly when that data is directly associated with an
individual (Garcia, Carpenter, & Murphy, 2011).
Key technologies and techniques
The following approaches apply to GLBA compliance.
Confidentiality: All customer data must be kept confidential so that unauthorized persons
cannot access a customer's account. Software developers must use strong encryption and hashing
techniques and ensure that the procedures used for encryption, decryption and login are
industry approved (strictly, there should be no use of custom cryptographic routines).
Encryption procedures should be modular so that they can be replaced at minimal expense, which
lowers maintenance cost. Also, do not depend on untrusted encryption libraries, since they may
lack cryptographic strength or may have vulnerabilities that compromise the cipher keys.
Integrity: Records must not be modifiable by unauthorized entities. Software developers need to
apply the principle of least privilege and implement error handling that reduces the risk of
privilege escalation. All sensitive data must be protected by an integrity-checking mechanism,
such as a digital signature or a keyed message authentication code, to minimize the risk of
tampering.
Auditing and logging: All actions that may need to be traced should be recorded. Ensure that
all logging information is backed up regularly so that audit information is not lost through
system failure, and that stored log entries cannot be altered or removed without detection.
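As an added example (not from the paper), the following Python code shows one way to give audit records the tamper evidence that the Integrity and Auditing and logging points above ask for: a hash chain in which each entry's HMAC-SHA256 tag covers the previous entry's tag, so that altering, reordering or deleting an entry is detected on verification, and a silently truncated log is caught by comparing against a head tag stored outside the log. The key, the event records and the field names are constructed assumptions for this example.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key for the example; in production the key is held in an HSM or KMS,
# separate from the log storage, so a log administrator cannot recompute tags.
EXAMPLE_KEY = b"constructed-example-audit-key"
GENESIS = "0" * 64


def _tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC over the previous entry's tag and the canonical JSON of this record."""
    payload = prev_tag + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, record: dict) -> dict:
    """Append a record; its tag chains it to the entry before it."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "tag": _tag(key, prev, record)}
    log.append(entry)
    return entry


def head(log: List[dict]) -> str:
    """Tag of the newest entry; store it somewhere the log writer cannot reach."""
    return log[-1]["tag"] if log else GENESIS


def verify_log(log: List[dict], key: bytes,
               expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).
    Truncation can only be caught if the caller supplies the externally stored head."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or not hmac.compare_digest(entry["tag"], _tag(key, prev, entry["record"])):
            return False, i
        prev = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(log)
    return True, None


# Constructed audit events.
SAMPLE_EVENTS = [
    {"user": "alice", "action": "read", "object": "account/42"},
    {"user": "bob", "action": "update", "object": "account/42"},
    {"user": "alice", "action": "export", "object": "account/42"},
]


def build_sample_log(key: bytes = EXAMPLE_KEY) -> List[dict]:
    log: List[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(log, key, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log, EXAMPLE_KEY, head(log)))
    # Retroactively rewrite bob's update as a read.
    tampered = log[:1] + [dict(log[1], record=dict(log[1]["record"], action="read"))] + log[2:]
    print("tampered:", verify_log(tampered, EXAMPLE_KEY, head(log)))
```

The chain on its own detects edits, reordering and deletions in the middle of the log; only the head tag, anchored outside the log (for example written to a separate system or a write-once store), detects removal of the newest entries. Regular backups, as the text requires, then guard against loss, while the chain guards against undetected alteration.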
Key IT requirements
Financial services institutions must have a formal security policy. The policy must identify
and detect the warning signs of identity theft, such as unusual account activity, fraud alerts
on a client's credit report, or attempted use of suspicious account application documents;
describe appropriate responses that deter and mitigate the crime; and include a process for
updating the policy. The policy must be overseen by senior staff of the financial institution
or creditor (Speed, 2012).
Financial services institutions must also:
- provide a procedure for FTC reviews or audits;
- establish a baseline, i.e. a risk assessment and a vulnerability scan;
- monitor and report on all access to files, folders and databases that hold consumer
  financial information;
- notify any client whose information has been compromised;
- assign a security program coordinator;
- provide oversight of contracted service provider organizations;
- establish a personnel security awareness and training program (IT security awareness
  training is required for all personnel of financial service providers under the GLB Act,
  which covers all companies significantly engaged in financial activities);
- establish policies for data processing, transmission, storage and disposal; and
- have appropriate mechanisms to detect, prevent and respond to threats, attacks and
  intrusions.


References
Chuvakin, A., Spangenberg, W., & Williams, B. (2010). PCI compliance. Amsterdam: Syngress.
Garcia, N., Carpenter, D., & Murphy, M. (2011). Banks, securities and the Volcker rule. New
York: Nova Science Publishers.
PCI Security Standards Council (2008). PCI DSS quick reference guide. Retrieved 15 July 2016,
from https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Speed, T. (2012). Asset protection through security awareness. Boca Raton, FL: CRC Press.
Thaw, D. (2011). Characterizing, classifying, and understanding information security laws
and regulations. Berkeley, CA.
Virtue, T. (2009). Payment card industry data security standard handbook. Hoboken, NJ: John
Wiley & Sons.
