PCI Compliance – An Ongoing Process

Published 2016-10-09 at http://pcmdx.net/blog/2016/10/09/pci-compliance-an-ongoing-process/
Categories: Computer Protection, Network, PCI Compliance, PCMDX, Security. Tags: firewall, network security, PCI compliance, PCI DSS, PCMDX.

Recently Computer World published what's most likely the very best article dealing with PCI Compliance (http://www.computerworld.com/article/3126187/retail-it/the-ultimate-unanswerable-question-are-we-pci-compliant.html). Not so much what it entails to be compliant, but what it takes to remain compliant.

The issue with PCI compliance is that the business network and the business environment are constantly changing and evolving. There are 12 requirements in the PCI DSS (http://searchsecurity.techtarget.com/definition/PCI-DSS-12-requirements). In order to be compliant, all of these must be current all of the time. Some remain static, meaning they don't change.

Let's take requirement No. 1: Install and maintain a firewall configuration to protect cardholder data. Your PCI specialist installs and configures a firewall. Once it has been configured properly, you've met the first requirement, right? Well, sort of. Assuming the firmware is current, and nothing changes in the network environment, the answer would be yes, you've met the requirement.

Let's go down to requirement No. 11: Regularly test security systems and processes. Inside this requirement is 11.1, which requires that a hardware inventory be kept up to date of all devices on the "protected" or POS network. This is the network that handles all credit card transactions (your guest Wi-Fi, or any other network, should NEVER be on the same subnet as your POS traffic). You just replaced or added a POS terminal. Did you log it in the inventory, including the model and serial number? If the answer is no, then you're not compliant.

On that very same replacement terminal, you need to make sure that you have met requirements 5 and 6: Use and regularly update antivirus software; Develop and maintain secure systems and applications. If you've added a location on the network for this terminal, the network diagram also needs to be updated.

Now let's move on to the human factor in being compliant. Each individual who handles credit cards must be trained in the methods of handling cards safely and securely, which is part of requirement 12: Maintain a policy that addresses information security. If you've hired a new employee, they must first be trained and sign off acknowledging that they've been trained. A copy of the signature page must go in their employee file.

The article in Computer World makes some outstanding points. First, you're only compliant on the date that you last (successfully) checked and updated the requirements:

    The reason why compliance is tied to the date the assessment was wrapped is that, in theory, any change at all to anything on the network could make that merchant noncompliant. I get that. It makes sense. But what good is PCI compliance if a retailer never knows if it is compliant?

This is where PCMDX comes in. We take it off your shoulders and put it on ours. We let you worry about the prime purpose of your business, and we take care of the things that we're good at: keeping you compliant.

Furthermore, as the article states, it's the human factor that makes you (and keeps you) compliant:

    But it (software) can't track PCI compliance — which is a human-dictated state — any more than it can declare a system "secure."

PCMDX is the only company in our service area (Alabama, Mississippi, Western Tennessee, Florida Panhandle) that creates a plan for your company to become, and remain, PCI compliant. We will visit your site, examine your existing network, create a plan to make your network compliant, implement the plan, and then keep it maintained on a regular schedule.

Contact us today (http://pci.pcmdx.net) for a free, no-obligation consultation. You'll be glad you did.