PCI Compliance Requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements that apply to any company that accepts credit cards as a form of payment. These companies must store, process, and transmit cardholder data with a PCI-compliant hosting provider.

To comply with the PCI security requirements, organizations must:

• Use firewalls. Firewalls block foreign or unknown entities from accessing private data and are often the first line of defense against hackers.
• Update passwords. Equipment like routers, modems, and point of sale systems often come out of the box with generic passwords that are vulnerable to unauthorized access. To be PCI-compliant, you must track all devices and software that require a password or other security feature to access and follow best practices (e.g., changing the password) to mitigate against threats.
• Encrypt cardholder data. Card data must be encrypted with certain algorithms, and the encryption keys themselves must be encrypted. Primary account numbers must be regularly maintained and scanned to ensure there is no unencrypted data.
• Encrypt transmitted data. Cardholder data that is transmitted to payment processors, central data centers from local stores, etc. must be encrypted in transmission. Account numbers must never be sent to unknown locations.
• Use anti-virus software. Anti-virus software is required for all devices that interact with or store primary account numbers. Where it cannot be directly installed, anti-virus measures must still be implemented.
• Maintain and update software. Firewalls, anti-virus software, and other software should be routinely updated to include the latest security patches to eliminate vulnerabilities. The software on devices that interact with or store cardholder data must be properly maintained.
• Restrict data access. Cardholder data should not be accessible to anyone who does not require it. The roles that do need cardholder data must be documented and maintained.
• Use unique identification. Individuals who have access to cardholder data must have their own credentials and identification to reduce vulnerabilities and allow for a quicker response time if data is compromised.
• Physically secure data. Cardholder data must be kept in a physically secure location.
• Maintain access logs. All access attempts to cardholder data and primary account numbers must be logged. You must document how data flows in your organization and how often access is needed.
• Perform regular vulnerability testing. Proactively identify things that may malfunction, go out of date, or suffer from human error by regularly scanning and testing for security vulnerabilities.
• Document your policies. Have a written set of policies and procedures that addresses information security for all personnel.

Enhance Data Center Physical Security with DCIM Software

Modern data center managers use Data Center Infrastructure Management (DCIM) software to protect their assets and data from security threats and intrusions.

DCIM software enables you to:

• Manage door locks and card access control. Track when doors are opened through contact closure sensors and know when access attempts are made, by whom, and if attempts successful with card access assignments.
• Perform bulk device configuration and firmware updates. Make changes to the configuration of intelligent rack PDUs in bulk to quickly improve security protections. When a manufacturer delivers a new firmware version, you can roll it out to all supported devices simultaneously.
• Use granular, role-based permissions. Maintain permissions and prevent unauthorized changes by assigning different roles to users and user groups at granular levels. Role-based permissions can easily be documented to demonstrate compliance with regulatory policies.
• Monitor surveillance feeds. Multiple IP and USB camera feeds can be viewed on an HTML5 dashboard simultaneously to remotely monitor multiple areas or sites.
• Alert, audit, and report on your security. Track when cabinet doors are opened or if access attempts are made with real-time notifications to quickly identify unauthorized personnel and act accordingly. Audit logs and security reports help with forensic analysis and clue you in to suspicious trends so you can investigate further.

Want to see how Sunbird’s world-leading DCIM software makes it easy for you to secure your data center and be PCI-compliant? Get your free test drive now.