abilities and develop timely security patches and upgrades.

Establish policies and procedures. Codify limits to the storage and retention time of PCI data, and document an IT security policy and an incident response plan.

Facilitate secure network implementation. The payment application shouldn't hinder your ability to deploy it in a secure network environment, nor should it interfere with the use of network address translation, port address translation, traffic-filtering network devices, antivirus protection or encryption.

Don't store cardholder data on Internet-facing systems. The payment application shouldn't require that the database and web servers be on the same server, or that the database sit in the DMZ (perimeter network) with the web server.
Vineyard & Winery Management, Sept - Oct 2013

Facilitate secure remote access to the cardholder environment. Access should be authenticated using a two-factor mechanism, such as RADIUS or TACACS, with hardware tokens.

Encrypt sensitive traffic over public networks. Use encryption techniques (such as Secure Sockets Layer) when transmitting sensitive data over the Internet.

Of course, given that the risks associated with not fully complying with the PCI DSS are high, it might be wise to retain a qualified security assessor (QSA), authorized by the PCI DSS governing body, to assess and validate your compliance.

QSAs can provide many services, including a report on PCI DSS compliance, or an attestation of compliance for a higher level of assurance; external network security scanning; penetration testing to assess vulnerabilities exposed to attack by hackers; self-assessment questionnaire assistance that helps internal audit staff assess systems and correct deficiencies; and remediation services that help fix known problems or security breaches.
You can find more information on the PCI DSS on the PCI Council's website (www.pcisecuritystandards.org) or by talking with your card processor or bank.

Troy Hawes is a manager at Moss Adams LLP, one of only 309 companies in the world to be certified as a QSA. Hawes provides IT consulting and audit services to a wide range of clients in the retail and hospitality industries. You can reach him at (206) 302-6529 or troy.hawes@mossadams.com.

Comments? Please e-mail us at feedback@vwmmedia.com.

www.vwmmedia.com