Preparing for PCI-DSSv3

Anyone who (indirectly) handles card-holder data must be compliant by the end of this year, and have procedures in place that they can demonstrate to an external auditor or PCI assesor, or they risk large fines and penalties.

The main points are:

1. You must install and maintain a firewall(s) that protect all cardholder data and prevent any direct inbound connections to your production network.
2. All vendor-supplied/default passwords must be (regularly) changed and a procedure put in place to audity and control this activity.
3. All cardholder data must be encrypted and protected at rest.
4. All cardholder data must be transmitted in encrypted form particularly when it is uses public or shared networks.
5. All systems must be protected against malware and viruses, and the protection software must be regularly updated
6. All systems and applications must be hardened in order to limit access
7. All access to cardholder data should be restricted to those that actually need it for their job and that information should be limited to enable them to carry-out that function
8. Strict access-control and authentication must be in place in order to limit and record all (attempted) access to system components or applications
9. All physical access to cardholder data must be restricted.
10. All (attempted) accessto cardholder data or systems must be recorded.
11. System and processes should be regularly tested to ensure continuous compliance.
12. There must be an adequate security policy in place which covers both physical components and the people using them.

These rules affect you whether you have local hardware or rely on a third-party to provide resources in the cloud.

I have spent the past four years creating an AIX scanning solution which tests more than 1000 aspects of your AIX system build and configugration, and produces a detailed HTML report which can be used to quickly audit your systems and to identify ommisions, misconfigurations, and mistakes.