2022 US Payment Card Industry (PCI) Data Security Audit Program: PCI Standard, Sarbanes-Oxley Sections 103a, 302, 404, 409, 801a and 802 for Security and Retention of Data Compliant


Dublin, Dec. 07, 2022 (GLOBE NEWSWIRE) -- The "Payment Card Industry (PCI) Data Security Audit Program - Platinum Edition" report has been added to ResearchAndMarkets.com's offering.

PCI-DSS Audit Program needs constant updating - It is estimated that the cost of a credit card security breach is between $90 and $305 per compromised record. While the threshold for PCI compliance is only a minimum standard, businesses recognize that failure to meet PCI requirements can lead to both financial penalties and long-term damage to customer trust and brand equity.

PCI requirements maintain that companies shall encrypt data at rest, which is a challenging and expensive endeavor for most retailers to undertake. (see also PCI Compliance Kit)

The PCI DSS security requirements apply to all "system components. " A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data.

Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.

This program is specific to the required annual PCI audit. Included in the standard audit program are two policies (one paragraph long) which need to be implemented to meet PCI DSS security requirements. The policies are for "Sensitive Data" and "Record Management (Retention and Disposition)" --the ones provided in the standard package are shorthand versions of the full policies contained in other Janco products which are available individually or in the premium and gold versions of the PCI Audit program.

PCI Audit Program Platinum Edition - Save 30%

  • PCI Audit Program comes in PDF and WORD .docx formats. The Audit program includes a brief policy statement for Sensitive Information and Record Management (Retention and Destruction). The Audit Program complies with the PCI standard, Sarbanes-Oxley Sections 103a, 302, 404, 409, 801a and 802 for security and retention of data, systems and reports.
  • Sensitive Information Policy Template comes in WORD .docx format and is 34 pages in length and complies with Sarbanes Oxley Section 404, ISO 27000 (17799),and HIPAA.
  • Backup and Backup Retention Policy Template comes in WORD .docx format
  • Security Manual Template come is WORD .docx format and is over 230 pages in length. This template include both the Business & IT Impact Questionnaire and the Threat & Vulnerability Assessment Tool (both address Sarbanes Oxley compliance)
  • Security Audit Program comes in Excel and PDF formats. The Audit Program is IS0 27001, ISO 27002, Sarbanes Oxley, PCI-DSS, and HIPAA compliant. It meets Massachusetts, New York, and California requirements.
  • Disaster Recovery Business Continuity Program comes in WORD .docx and PDF formats. The Audit Program is IS0 17799, Sarbanes Oxley, PCI-DSS, and HIPAA compliant.

Key Topics Covered:

Policy - Sensitive Information Policy - Credit Card, Social Security, Employee, and Customer Data

Policy - Record Management, Retention, and Disposition Policy

PCI DSS Applicability Information

Scope of Assessment for Compliance with PCI DSS Requirements

Instructions and Content for Report on Compliance

Revalidation of Open Items

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

Appendix A: PCI DSS Applicability for Hosting Providers (with Testing Procedures)

  • Requirement A.1: Hosting providers protect cardholder data environment

Appendix B - Compensating Controls

  • Compensating Controls - General
  • Compensating Controls for Requirement 3.4

Appendix C: Compensating Controls Completed Example/Worksheet

  • Compensating Controls Worksheet

What's New

For more information about this report visit https://www.researchandmarkets.com/r/zczztj

 

Contact Data