Information Security Policy: PCI DSS and Control Requirements

Information Security Policy Document Control

• This document is a draft of an information security policy for a company.

• The policy is based on the Payment Card Industry Data Security Standard (PCI DSS).

• The policy sets out high-level objectives for information security.

• Personnel must refer to other procedures and standards to determine how to meet the policy objectives.

• The policy applies to people, processes, and IT systems within the company.

• The primary goal of information security is to protect information assets.

• Breaches in information security can have serious consequences, including disclosure of personal information and financial losses.

• Individual actions and behaviors of personnel are critical to protecting information assets.

• Personnel must understand their responsibilities for protecting information and attend information security training.

• Line managers are responsible for ensuring their personnel attend training and have access to policies and procedures.

• Senior management is responsible for information security within the company and must approve exceptions to the policy.

• The policy includes requirements for network security, system builds, data security, anti-virus, patching, vulnerability management, software development, change management, access control, physical security, system logging, network testing, and monitoring tools.PCI DSS Requirements and Glossary of Terms Summary

• Requirement 9: Unique ID assigned to each person with computer access

• Requirement 10: Physical access to cardholder data must be restricted

• Requirement 11: Tracking and monitoring of all access to network resources and cardholder data

• Requirement 12: Regular testing of security systems and processes

• Annex A: Glossary of Terms provided, including definitions for PCI DSS and Insecure Services

• Insecure Services: Services that transmit data in an unencrypted format or are susceptible to known attacks

• Public Network: Any network not managed by the entity and can be monitored or intercepted by others

• DMZ: Demilitarized Zone, a subnet that exposes an organization's external-facing services to an untrusted network

• Inbound Traffic: Traffic flowing into the organization from outside via routers or firewalls

• Outbound Traffic: Traffic flowing out of the organization from inside via routers or firewalls

• Sensitive Authentication Data (SAD): Data used in relation to payment cards, including full magnetic stripe data, PINs, and more

• Cardholder Data (CHD): Data used in relation to payment cards, including the primary account number, cardholder name, and expiration date