Page 292 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Compliance
Over the past decade, the regulatory environment governing information security has grown increasingly complex. Organizations may find themselves subject to a wide variety of laws (many of which were outlined earlier in this chapter) and regulations imposed by regulatory agencies or contractual obligations.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an excellent example of a compliance requirement that is not dictated by law but by contractual obligation. PCI DSS governs the security of credit card information and is enforced through the terms of a merchant agreement between a business that accepts credit cards and the bank that processes the business’s transactions.
PCI DSS has 12 main requirements.

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update antivirus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need-to-know.
8. Identify and authenticate access to system components.