
Information Security Policy vs. PCI DSS Standards


9 Questions

PCI DSS is a standard developed by the PCI Security Standards Council for entities that store, process, or transmit cardholder data.

True

The DMZ (Demilitarized Zone) is a subnet that exposes an organization's internal-facing services to a trusted network, such as the Internet.

False

Sensitive Authentication Data (SAD) includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks, and the Primary Account Number (PAN) used in relation to payment cards.

True

The Information Security Policy outlines the roles, responsibilities, and specific security measures for a company.

True

The Information Security Policy is not based on the Payment Card Industry Data Security Standard (PCI DSS).

False

The policy assigns responsibilities to personnel, line managers, and senior management for ensuring compliance with the policy.

True

Requirements 9-12 of PCI DSS include regularly testing security systems and processes.

True

Inbound and outbound traffic refer to data flowing into and out of an organization via routers or firewalls.

True

Cardholder data (CHD) does not include the Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Code related to payment cards.

False

Study Notes

Information Security Policy Document Control Title Summary

  • The document outlines the Information Security Policy for a company, including roles, responsibilities, and specific security measures.

  • The policy is based on the Payment Card Industry Data Security Standard (PCI DSS) and sets high-level objectives for data security.

  • It emphasizes the importance of protecting information assets and outlines potential consequences of breaches in information security.

  • The policy assigns responsibilities to personnel, line managers, and senior management for ensuring compliance with the policy.

  • Specific network security measures are detailed, including firewall management, documentation, architecture, configuration, and wireless network security.

  • System builds and configuration standards are addressed, emphasizing the removal of default settings and secure management services.

  • Data security measures are outlined, including requirements for data storage, transmission, and encryption of sensitive information.

  • Anti-virus configuration, patching, vulnerability management, and software development standards are included in the policy.

  • Access control, physical security, system logging, network testing, and monitoring tools are detailed to ensure comprehensive security measures.

  • The policy includes a declaration for users to acknowledge their understanding and compliance with the Information Security Policy.

  • It also highlights specific PCI requirements related to firewall configuration, password security, data encryption, anti-virus software, secure systems, access restrictions, and monitoring.

  • The policy provides a comprehensive framework for information security, outlining specific measures and responsibilities to ensure compliance with industry standards and best practices.

PCI DSS and Network Security Summary

  • PCI DSS (Payment Card Industry Data Security Standard) is a standard developed by the PCI Security Standards Council for entities that store, process, or transmit cardholder data.

  • Requirements 9-12 of PCI DSS include assigning unique IDs to individuals with computer access, restricting physical access to cardholder data, tracking and monitoring all access to network resources and cardholder data, and regularly testing security systems and processes.

  • Annex A contains a glossary of terms, including definitions for "Insecure service" (unencrypted or vulnerable data transmission services) and "Public network" (unmanaged and interceptable networks).

  • The DMZ (Demilitarized Zone) is a subnet that exposes an organization's external-facing services to an untrusted network, such as the Internet.

  • Inbound and outbound traffic refer to data flowing into and out of an organization via routers or firewalls.

  • Sensitive Authentication Data (SAD) includes full magnetic stripe data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks, and the Primary Account Number (PAN) used in relation to payment cards.

  • Cardholder data (CHD) includes the Primary Account Number (PAN), Cardholder Name, Expiration Date, and Service Code related to payment cards.

Explore the key differences between Information Security Policy and PCI DSS standards, including roles, responsibilities, network security measures, data security protocols, and compliance requirements.
