Abstract
This paper covers the basics of the PCI DSS and GLBA compliance regulations and to whom they apply. It documents applicable industry regulations, audit frameworks and controls for compliance. Best practices are also given, introducing security controls and processes for PCI DSS requirements such as building and maintaining a secure network, having in place a vulnerability management program and an information security policy, and implementing strong access control measures.
The PCI Data Security Standard (PCI DSS)
Goals
Create and Maintain a Secure Network
Safeguard Cardholder Data
Have a Vulnerability Management Program
Periodically Monitor and Test Networks
Have an Information Security Policy
employees (personnel)
a) Encrypt cardholder data during transmission over open, public networks
Use strong cryptography and security protocols such as SSL, SSH, and IPSec to protect sensitive cardholder data during transmission over open, public networks such as the Internet. Data transmission over wireless technologies such as GSM and GPRS must follow industry best practices so that both authentication and transmission are strongly encrypted.
b) Protect cardholder data in storage
Restrict cardholder data storage and retention time to what is needed for business, legal, and regulatory functions, as documented in the data retention policy. Remove unnecessary stored data at least every four months.
Financial institutions must not store sensitive authentication data after authorization; the only exception is where a business justification exists and the data is stored securely.
These institutions must mask the Primary Account Number (PAN) whenever it is displayed; PCI DSS permits only the first six and last four digits to be shown. This does not apply to authorized personnel with a genuine business need to view the full PAN.
control system for system components with many users that limits access according to each user's business need, and that is set by default to deny all access except where specifically permitted (Virtue, 2009).
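The PAN display rule above (only the first six and last four digits visible, the full PAN only on a documented business need) and the deny-by-default access rule, as an added Python example that is not part of the paper: a display routine that defaults to the masked form, plus a redaction helper that masks PAN-shaped digit runs before a log line is written. The 13-19 digit PAN length and the sample card-like numbers are assumptions of this example, not values from the paper.

```python
import re

# Assumption (not from the paper): PANs are 13-19 digits long, as in ISO/IEC 7812.
# Lookarounds stop a longer digit run from being split into a "PAN" plus leftovers.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
VISIBLE_LEAD, VISIBLE_TAIL = 6, 4  # PCI DSS display rule: first six and last four digits


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes; reject anything that is not a plausible PAN."""
    digits = re.sub(r"[\s-]", "", pan)
    if not PAN_RE.fullmatch(digits):
        raise ValueError("input is not a 13-19 digit PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Replace every digit except the first six and last four with '*'."""
    digits = normalize_pan(pan)
    hidden = len(digits) - VISIBLE_LEAD - VISIBLE_TAIL
    return digits[:VISIBLE_LEAD] + "*" * hidden + digits[-VISIBLE_TAIL:]


def display_pan(pan: str, *, need_to_know: bool = False) -> str:
    """Deny by default: callers see the masked PAN unless flagged with a business need."""
    return normalize_pan(pan) if need_to_know else mask_pan(pan)


def redact_pans(text: str) -> str:
    """Mask every PAN-shaped digit run in free text (e.g. a log line) before it is stored."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    # Constructed sample values for illustration; not real card numbers.
    print(mask_pan("4111 1111 1111 1111"))
    print(display_pan("4111111111111111", need_to_know=True))
    print(redact_pans("payment ok pan=4111111111111111 amount=12.50"))
```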
GLBA (Gramm-Leach-Bliley)
The GLBA compliance law addresses the financial services industry, including insurance, securities and banking, and extends to parties such as credit reporting agencies, ATM operators, couriers, and tax preparers. It was enacted to enhance consumer financial services. It comprises a series of rules and guidelines laid down by several federal agencies for implementation. The compliance law assures people that the
Financial services institutions must have a formal security policy. Create a formal policy that identifies and detects the valid warning signs of identity theft, such as unusual account activity, fraud alerts on a client report, or attempted use of suspicious account application documents. Ensure that this policy describes appropriate responses to deter and mitigate the crime and incorporates a process for updating the policy. Also, ensure the policy is managed by senior employees of the financial institution or
vulnerability scan
Financial institutions must monitor and report on all access to files, folders, and databases
compromised.
Financial service providers must assign a security program coordinator.
Financial services institutions must provide oversight for contracted service provider organizations.
Financial institutions must establish a personnel security awareness and training program. IT security awareness training is needed for all personnel of financial service providers (FSPs) under the GLB Act, which encompasses all companies engaged in commercial activities.
Financial services institutions must establish policies for data processing, transmission,
Works Cited
Chuvakin, A., Spangenberg, W., & Williams, B. (2010). PCI compliance. Amsterdam: Syngress.
Garcia, N., Carpenter, D., & Murphy, M. (2011). Banks, securities and the Volcker rule. New York: Nova Science Publishers.
PCI Security Standards Council. (2008). PCI DSS Quick Reference Guide. Retrieved 15 July 2016, from https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
Speed, T. (2012). Asset protection through security awareness. Boca Raton, FL: CRC Press.
Thaw, D. (2011). Characterizing, classifying, and understanding information security laws and regulations. Berkeley, CA.
Virtue, T. (2009). Payment card industry data security standard handbook. Hoboken, NJ: John Wiley & Sons.