The Fifth and Sixth Requirements to Becoming PCI DSS Compliant
Submitted by andyeliason, Fri, 13 Jun 2008
The Payment Card Industry Data Security Standard (PCI DSS), the set of requirements that are mandated by the five major credit card companies, was designed to be a measure against which merchants can judge the level of security they have around consumers' sensitive credit card data.
As the world of business advances in our modern age, security becomes more and more important. If you want to see real, long-term success, then the resources you dedicate to developing strong security measures today could be exactly what ensures your continued success.

The fifth and sixth requirements to become PCI DSS compliant revolve around maintaining a vulnerability management program. In plain terms, this means you must always be on the lookout for things that could damage your system or lead to a security breach.

Requirement number five states that you must use and regularly update anti-virus software or programs. Not every problem for a merchant originates with a flesh-and-blood hacker. If a virus or other form of malicious software gets onto your system it can do significant damage, crashing your system or creating waves of new vulnerabilities. Anti-virus systems must be installed on all computers in the network. Being PCI DSS compliant means that you are trying to stop all avenues of attack, especially because a virus most often gets in through the most innocuous paths, such as an employee's email activity. Your anti-virus software must be installed on all personal computers and servers, and it must be regularly updated. There is always a new virus out there, and you have to guard against all possibilities, including other forms of malicious software such as spyware and adware.

The sixth requirement to become PCI DSS compliant says that you must develop and maintain secure systems and applications. This refers to the tendency for security vulnerabilities to appear in systems or software. These are often targeted by hackers, unscrupulous employees and viruses. All of your systems, then, must have all the updates and patches required to close those security holes. First of all, you must guard against hackers and all other attacks by installing all necessary patches.
These updates, if released by the vendor, must be installed within one month of that release. The reason should be obvious: the vendor has found a security problem and is doing everything it can to fix it, and if the vendor knows about the problem, there is a good chance someone in the hacker community knows about it too. Along those lines, you should also have a plan in place to identify or receive alerts about newly discovered security vulnerabilities. You cannot defend yourself unless you know what you need to defend against.

When you develop your own applications you should always adhere to the best practices defined by your industry. Information security should be included in all your development plans and decisions. It is, after all, much easier to build it in at the beginning than to try to add it later, and when it is already in place, becoming PCI DSS compliant will be much easier. This step includes testing all software configuration changes, separating the development, testing and production environments, and separating the duties associated with them. Once all this is done, you also have to make sure that you remove the data and accounts used for development and testing before the systems go into production. The same applies to custom application accounts, user names and passwords: remove them before applications go live or are released to customers.

When you change your systems or configurations there are a few things you must remember to do: document the impact, test operational functionality, and keep a back-out procedure in case something goes wrong. All of these precautions, it should be noted, also apply to web applications. Even more so, since these are likely to be high-priority targets.

Becoming PCI DSS compliant is not a simple, overnight process, but as can be seen from these requirements, it does have the best interests of your customers in mind. And when you take care of your customers, they will continue to take care of you.

About the Author
Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about becoming PCI DSS compliant, or the importance of data security, visit Braintree Payment Solutions.
Source: ArticleTrader.com