2017-09-07

The Payment Card Industry Data Security Standard (PCI DSS) was first published on December 15, 2004, with the support of all five major card brands (American Express, Discover, JCB, MasterCard and Visa). It is designed to safeguard payment systems and protect cardholder data from theft.

Compliance with PCI DSS is mandatory for all entities that store, process or transmit cardholder data, and is validated annually: larger merchants and service providers through an on-site assessment by a Qualified Security Assessor (QSA), smaller merchants through a Self-Assessment Questionnaire (SAQ), with quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) required for most of them in either case.

The standard consists of twelve requirements, broken down into hundreds of technical and operational controls, which are grouped into six major control objectives:

1. Build and maintain a secure network and systems

· Implement firewall(s) to control access between internal and untrusted networks to ensure systems handling cardholder data are protected from unauthorised access.

· Ensure systems are hardened to a documented configuration standard and that vendor-supplied defaults (default passwords, SNMP community strings, unneeded accounts and services) are changed or removed before a system goes live – attackers routinely use vendor default passwords and settings to compromise systems.

2. Protect cardholder data

· Render stored cardholder data unreadable using truncation, one-way hashing, tokenisation or strong encryption, so that it is of no use to an intruder who circumvents the other security controls; mask the PAN wherever it is displayed, and never store sensitive authentication data (full track data, card verification codes, PINs) after authorisation, even encrypted.

· Encrypt cardholder data in transit over open or public networks using TLS or a VPN, and disable the older, less secure protocols: SSL and early TLS (1.0 and 1.1) must be retired by June 30, 2018 under PCI DSS v3.2, with a narrow exception for certain legacy point-of-sale terminals.
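The two bullets above describe what must happen to a card number at rest and in transit; the following Python is an added example that is not code from the original article or from any PCI SSC document. It masks a PAN for display, keeps only a truncated value and a keyed one-way hash at rest, refuses to persist sensitive authentication data after authorisation, and builds a TLS context with TLS 1.2 as the floor. The function names, the HMAC key passed in by the caller, and the 4111 test number are assumptions made for the illustration.

```python
"""Added example: protecting cardholder data at rest (Req 3) and in transit (Req 4).
Not the standard's own code; names and the sample PAN are illustrative assumptions."""
import hashlib
import hmac
import re
import ssl

# Constructed sample value from the well-known 4111... test range, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"
# Req 3.2: sensitive authentication data is never stored after authorisation.
SENSITIVE_AUTH_FIELDS = ("full_track", "cvv2", "pin_block")


def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mis-keyed numbers before anything is stored."""
    d = [int(c) for c in _digits(pan)]
    if not 13 <= len(d) <= 19:
        return False
    total = 0
    for i, n in enumerate(reversed(d)):
        if i % 2:  # every second digit from the right is doubled
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req 3.3: a displayed PAN shows at most the first six and last four digits."""
    d = _digits(pan)
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def truncate_pan(pan: str) -> str:
    """Req 3.4 truncation: only the last four digits are kept at rest."""
    return _digits(pan)[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Req 3.4 one-way hash. Keyed (HMAC, key assumed to live in an HSM or key
    store) so that a truncated value plus the hash cannot be brute-forced over the
    few hundred thousand PANs that share a BIN and last four digits."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def sensitive_fields_present(record: dict) -> list:
    """Names of sensitive authentication data fields that still carry a value."""
    return [f for f in SENSITIVE_AUTH_FIELDS if record.get(f)]


def to_storable(record: dict, key: bytes) -> dict:
    """What may reach the database after authorisation: no SAD, no full PAN."""
    bad = sensitive_fields_present(record)
    if bad:
        raise ValueError("refusing to store sensitive authentication data: " + ", ".join(bad))
    if not luhn_valid(record["pan"]):
        raise ValueError("PAN fails Luhn check")
    return {
        "pan_last4": truncate_pan(record["pan"]),
        "pan_fingerprint": pan_fingerprint(record["pan"], key),
        "pan_display": mask_pan(record["pan"]),
        "amount": record["amount"],
    }


def hardened_tls_context() -> ssl.SSLContext:
    """Req 4.1: SSL and early TLS disabled; TLS 1.2 is the floor for card data in transit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor_ok(ctx: ssl.SSLContext) -> bool:
    """The check an assessor would make: can anything below TLS 1.2 be negotiated?"""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    print(to_storable({"pan": SAMPLE_PAN, "amount": "12.50"}, b"demo-key-from-key-store"))
    print("TLS floor ok:", tls_floor_ok(hardened_tls_context()))
```

The stored record carries the last four digits, the keyed fingerprint (enough to match repeat transactions) and the masked form for receipts, but never the full PAN; an unkeyed SHA-256 of the PAN would not satisfy the intent of Requirement 3.4 when stored next to the truncated value, which is why the hash is keyed.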

3. Maintain a vulnerability management program

· Malware, including viruses, worms and Trojans, can enter networks during day-to-day activities such as email and internet use. Deploying anti-virus software on commonly affected systems, and keeping it current and actively running, helps to protect systems from malicious software.

· Keep systems up to date with vendor security patches (critical patches within one month of release) so that known vulnerabilities cannot be exploited, and use secure development processes to protect in-house applications against vulnerabilities such as SQL injection and cross-site scripting.

4. Implement strong access control measures

· Ensure critical data can only be accessed by authorised personnel, by defining access requirements by role or job function and applying the principle of least privilege so that each user has only the access needed to perform those responsibilities.

· Assign a unique ID to each user and prohibit shared or generic accounts, so that every individual is accountable for their actions and any activity can be traced to a known and authorised user.

· Restrict physical access to cardholder data to prevent unauthorised users from being able to physically access systems storing or processing cardholder data.

5. Regularly monitor and test networks

· Implement logging and monitoring to generate audit trails that track user activity and help to detect malicious actions (determining the cause of a compromise can be difficult or even impossible without system activity logs).

· Regularly test security of systems and processes, using vulnerability scans and penetration tests to ensure that existing security controls remain effective.
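An audit trail is only useful if each record carries enough to reconstruct who did what, and if someone is actually reading it. The following Python is an added example, not code from the original article or from any PCI SSC document: it checks that constructed audit records carry the fields Requirement 10.3 asks for (user, event type, date and time, outcome, origin, affected resource), flags user IDs that reach the six failed attempts after which Requirement 8.1.6 requires lockout, and flags one ID logging in from several origins, a common sign of the shared accounts the unique-ID bullet above prohibits. The JSON line format, the user names and the addresses are this example's assumptions.

```python
"""Added example: audit records with the PCI DSS 10.3 fields and two detections over them.
Not the standard's own code; the log format and sample records are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Req 10.3: who, what, when, outcome, where from, and what was touched.
REQUIRED_FIELDS = ("ts", "user", "event", "result", "origin", "resource")
LOCKOUT_THRESHOLD = 6                   # Req 8.1.6: lock the ID after at most six failed attempts
LOCKOUT_WINDOW = timedelta(minutes=30)  # Req 8.1.7 minimum lockout, reused as the counting window

# Constructed sample audit trail, one JSON record per line. Timestamps are assumed to come
# from synchronised clocks (Req 10.4); the record missing "origin" is deliberate.
SAMPLE_LOG = "\n".join([
    '{"ts": "2017-09-07T08:00:01Z", "user": "alice", "event": "login", "result": "failure", "origin": "10.1.2.3", "resource": "pos-app"}',
    '{"ts": "2017-09-07T08:00:09Z", "user": "alice", "event": "login", "result": "failure", "origin": "10.1.2.3", "resource": "pos-app"}',
    '{"ts": "2017-09-07T08:00:20Z", "user": "alice", "event": "login", "result": "success", "origin": "10.1.2.3", "resource": "pos-app"}',
    *['{"ts": "2017-09-07T08:05:%02dZ", "user": "mallory", "event": "login", "result": "failure", "origin": "203.0.113.7", "resource": "cde-jumphost"}' % s
      for s in range(0, 18, 3)],
    '{"ts": "2017-09-07T08:10:00Z", "user": "admin", "event": "login", "result": "success", "origin": "10.1.2.3", "resource": "cde-jumphost"}',
    '{"ts": "2017-09-07T08:12:00Z", "user": "admin", "event": "login", "result": "success", "origin": "10.9.9.9", "resource": "cde-jumphost"}',
    '{"ts": "2017-09-07T08:15:00Z", "user": "svc-batch", "event": "query", "result": "success", "resource": "cardholder-db"}',
])


def parse_log(text: str) -> list:
    """One dict per non-empty line; the timestamp is parsed so records can be ordered."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def audit_gaps(records: list) -> list:
    """(user, missing fields) for every record that lacks one of the 10.3 fields."""
    return [(r.get("user"), [f for f in REQUIRED_FIELDS if f not in r])
            for r in records if any(f not in r for f in REQUIRED_FIELDS)]


def failed_login_alerts(records: list, threshold: int = LOCKOUT_THRESHOLD,
                        window: timedelta = LOCKOUT_WINDOW) -> dict:
    """{user: failures} for IDs reaching `threshold` failed logins inside one window
    with no successful login in between; the streak resets on success."""
    streak = defaultdict(list)
    alerts = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec.get("event") != "login":
            continue
        user = rec["user"]
        if rec["result"] == "success":
            streak[user].clear()
            continue
        streak[user] = [t for t in streak[user] if rec["ts"] - t <= window] + [rec["ts"]]
        if len(streak[user]) >= threshold:
            alerts[user] = len(streak[user])
    return alerts


def shared_id_alerts(records: list) -> list:
    """Heuristic for Req 8.5 (no shared or generic IDs): one user ID with successful
    logins from more than one origin in the trail."""
    origins = defaultdict(set)
    for rec in records:
        if rec.get("event") == "login" and rec.get("result") == "success":
            origins[rec["user"]].add(rec.get("origin"))
    return sorted(u for u, o in origins.items() if len(o) > 1)


def analyse(text: str) -> dict:
    recs = parse_log(text)
    return {"gaps": audit_gaps(recs),
            "lockouts": failed_login_alerts(recs),
            "shared_ids": shared_id_alerts(recs)}


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

Run as-is it reports the record from `svc-batch` that has no origin, `mallory` at six consecutive failures, and `admin` used from two addresses. In a real cardholder data environment the same three checks would run over logs forwarded to a central, write-once log server so that an attacker who compromises a host cannot also edit the trail (Requirement 10.5).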

6. Maintain an information security policy

· An organisation's information security policy sets the roadmap for implementing security measures through an Information Security Management System (ISMS) and tells personnel what is expected of them.

· This includes an annual risk assessment which identifies critical assets and the threats and vulnerabilities that can affect them, so that resources can be allocated to controls that reduce the likelihood or the potential impact of those threats.

Using PCI DSS as a framework for GDPR compliance

The controls that protect cardholder data for PCI DSS compliance were selected by information security experts to provide strong, well-tested protection for that data. The same controls can be used to protect personal data by organisations that need to comply with the General Data Protection Regulation (GDPR), which applies across the European Union from May 25, 2018.

The GDPR applies to data controllers and processors established in the EU, and to those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It is intended to strengthen data protection for individuals and to simplify regulation across the EU by having a single set of rules that apply in all member states.

“Third party suppliers are often found to be the weakest link during cyber security risk assessments, and by working with PCI DSS compliant organisations they can be confident that cyber security compliance procedures are firmly in place.

Many organisations are rightly concerned about their preparations to comply with GDPR – a data breach occurring as a result of non‑compliance can result in fines up to €20,000,000 or 4% of global turnover.”

– Karl Mendez, Managing Director at CWCS Managed Hosting

The GDPR sets out updated requirements for handling subject access requests, new rules around consent, and a requirement to report personal data breaches to the relevant national supervisory authority, normally within 72 hours of becoming aware of them. The United Kingdom's Information Commissioner's Office has published a 12 step guide to help organisations prepare for the GDPR.