10 Things You Should Know About PCI Compliance

Up-to-Date Network Map Requirement 1.1.2 asks for a current network diagram with all connections to cardholder data, including any wireless networks. This is essential for managing any network and will significantly decrease the time needed to l

Sync Router Config Files Requirement 1.3.6 specifies that a routers running configuration should match its startup configuration. This means that if a router power cycles for some reason, it will come back up in a working state as last configu

Reduce the Attack Surface Requirement 2.2.4 mandates that all unnecessary functionality be removed from systems. Dumping unneeded scripts, drivers, features and subsystems is a classic first step in securing a system and almost always mea

Minimize Cardholder Data Storage Requirement 3.1 makes it the rule to store only minimal cardholder data. This not only reduces storage costs, but also minimizes the risks associated with storing sensitive data, such as having to disclose data

Document System and Software Changes Requirement 6.4 and its progeny mandate the use of a documented change control system to assess change impact, implementing management control over changes and following testing procedures to make sure operati

Develop Secure Web Apps Requirement 6.5 calls for developers to use OWASP (Open Web Application Security Project) guidelines to prevent common coding errors. Secure coding practices can be a co-factor leading to more thoughtfully written applicat

Spindle, Staple and Mutilate Requirement 9.10 specifies that media containing cardholder data should be destroyed when no longer needed for business or legal reasons. The operational gains include greatly reduced liability and the paring away

At the Tone, the Time Will Be… Requirement 10.4 simply states that IT managers must, Synchronize all critical system clocks and times. Correct and centrally managed time services are essential to a well-run network. Implementing a

Keep an Eye on the Shop Requirement 11.5 asks that a file integrity monitoring system be deployed to alert IT staff when unauthorized modifications are made to critical system or content files. Preventing unauthorized changes increases the likeli

Acceptable Use Requirement 12.3.5 asks for the creation of a policy on acceptable use of technology. Notifying users of what is considered acceptable use makes it clear that unacceptable, and often risky, uses are prohibited. This promotes a heal

• 10 More Stupid Things Smart IT People Still Do
• Eight Top Security