PCI DSS - Payment Card Industry Data Security Standard


More and more standards are concerned with raising information security and company security in general. One of them is PCI DSS (Payment Card Industry Data Security Standard), defined by the Payment Card Industry Security Standards Council (Visa, American Express, MasterCard…). The standard was created to help prevent credit card fraud through increased control over cardholder data. It applies to all organizations that store, process, or transmit cardholder information from any card carrying the logo of one of the card brands.

The PCI DSS standard consists of twelve security requirements grouped under six control objectives, as shown in the following table together with the SQL Server 2008 functionality that supports each requirement:

PCI DSS control objective                    | PCI DSS requirement                                                                              | SQL Server 2008 functionality
---------------------------------------------|--------------------------------------------------------------------------------------------------|-------------------------------------
Build and Maintain a Secure Network          | 1. Install and maintain a firewall configuration to protect cardholder data                      | N/A
                                             | 2. Do not use vendor-supplied defaults for system passwords and other security parameters        | Built-in
Protect Cardholder Data                      | 3. Protect stored cardholder data                                                                | TDE & EKM
                                             | 4. Encrypt transmission of cardholder data across open, public networks                          | SSL & Extended Protection feature
Maintain a Vulnerability Management Program  | 5. Use and regularly update anti-virus software on all systems commonly affected by malware      | N/A
                                             | 6. Develop and maintain secure systems and applications                                          | N/A
Implement Strong Access Control Measures     | 7. Restrict access to cardholder data by business need-to-know                                   | Role-based access
                                             | 8. Assign a unique ID to each person with computer access                                        | Windows authentication
                                             | 9. Restrict physical access to cardholder data                                                   | N/A
Regularly Monitor and Test Networks          | 10. Track and monitor all access to network resources and cardholder data                        | SQL Auditing
                                             | 11. Regularly test security systems and processes                                                | N/A
Maintain an Information Security Policy      | 12. Maintain a policy that addresses information security                                        | N/A

Microsoft SQL Server 2008 (R2) brings the following new functionalities:
• SQL Server Auditing (server and database level)
• TDE (Transparent Data Encryption)
• EKM (Extensible Key Management)
With these functionalities implemented correctly, Microsoft SQL Server will protect your data in accordance with the PCI DSS standard or other security standards.
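As an added example (not a script from the original page, from IT Sistemi, or from Microsoft), the following T-SQL configures the two SQL Server 2008 features the table maps to requirements 3 and 10: TDE on a database and SQL Server Audit on a table holding cardholder data. The database name CardData, the table dbo.Cardholders, the certificate and audit names, the file paths, and the password are all assumptions and placeholders.

```sql
-- Requirement 3 (protect stored cardholder data): enable TDE on the
-- assumed database CardData. The key hierarchy is built in master first.
USE master;
GO
-- Placeholder password; in production store the DMK password in a vault.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-placeholder-password>';
CREATE CERTIFICATE CardDataTdeCert WITH SUBJECT = 'TDE certificate for CardData';
GO
-- Back up the certificate and its private key immediately; without it the
-- encrypted database cannot be restored on another server.
BACKUP CERTIFICATE CardDataTdeCert
  TO FILE = 'D:\Keys\CardDataTdeCert.cer'            -- placeholder path
  WITH PRIVATE KEY (FILE = 'D:\Keys\CardDataTdeCert.pvk',
                    ENCRYPTION BY PASSWORD = '<another-placeholder-password>');
GO
USE CardData;
GO
CREATE DATABASE ENCRYPTION KEY
  WITH ALGORITHM = AES_256
  ENCRYPTION BY SERVER CERTIFICATE CardDataTdeCert;
ALTER DATABASE CardData SET ENCRYPTION ON;
GO
-- Verification: encryption_state 3 means the database is fully encrypted.
SELECT DB_NAME(database_id) AS db, encryption_state
FROM sys.dm_database_encryption_keys;
GO

-- Requirement 10 (track and monitor all access to cardholder data):
-- a server audit writing to files, plus a database audit specification
-- that records every read and write of the assumed table dbo.Cardholders.
USE master;
GO
CREATE SERVER AUDIT PciCardholderAudit
  TO FILE (FILEPATH = 'D:\Audit\')                   -- placeholder path
  WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);  -- SHUTDOWN fails closed
ALTER SERVER AUDIT PciCardholderAudit WITH (STATE = ON);
GO
USE CardData;
GO
CREATE DATABASE AUDIT SPECIFICATION CardholderAccessSpec
  FOR SERVER AUDIT PciCardholderAudit
  ADD (SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Cardholders BY public)
  WITH (STATE = ON);
GO
-- Reviewing the trail: who touched the table, when, and with what statement.
SELECT event_time, server_principal_name, action_id, succeeded, statement
FROM sys.fn_get_audit_file('D:\Audit\*.sqlaudit', DEFAULT, DEFAULT);
```

The audit files themselves must be protected and retained according to the policy required by requirement 10; ON_FAILURE = SHUTDOWN is the stricter choice when losing audit records is unacceptable.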

The SafeNet (http://www.safenet-inc.com/) product family, LUNA HSM and DataSecure, adds value to these SQL Server functionalities and provides:
• External key management
• FIPS 140-2 Level 3 compliance
• Column level encryption (DataSecure)

IT Sistemi consulting and system integration services will help you through the PCI DSS certification process and increase your company’s security.