Using InstantSecurityPolicy.com to achieve PCI Compliance

By purchasing the Gold Security Package, you will receive an invaluable tool in your PCI Data Security Standard (DSS) compliance efforts. The Gold Package was designed to help businesses of all sizes comply with demanding security standards and regulations.

Below you will find an overview of the PCI standard, mapping each requirement to the policy that covers that requirement.

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
     Covered by the Network Security Policy, section 4.3 Firewalls.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     Covered by the Network Security Policy, section 4.1.3 Password Change Requirements.

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
     This broad requirement is covered by various policies in multiple places, including the Network Security Policy, which covers general network security issues, as well as the Data Classification and Confidential Data Policies.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
     Covered by the Confidential Data Policy, section 4.1.2 Transmission of Confidential Data.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
     Covered by the Network Security Policy, section 4.11 Antivirus/Anti-Malware.

Requirement 6: Develop and maintain secure systems and applications
     Covered by the Network Security Policy in various places, including: section 4.5 Network Servers, section 4.7 Security Testing, section 4.11 Antivirus/Anti-Malware, section 4.12 Software Use Policy.

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
     Covered by the Confidential Data Policy, section 4.2 Use of Confidential Data.

Requirement 8: Assign a unique ID to each person with computer access
     Covered by the Network Access and Authentication Policy, section 4.1 Account Setup and section 4.2 Account Use.

Requirement 9: Restrict physical access to cardholder data
     Covered by the Confidential Data Policy, section 4.1.1 Storage of Confidential Data, and the Physical Security Policy, section 4.4 Physical Data Security.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
     Covered by the Acceptable Use Policy, section 4.12 Monitoring and Privacy, and the Network Security Policy, section 4.6 Intrusion Detection/Intrusion Prevention.

Requirement 11: Regularly test security systems and processes
     Covered by the Network Security Policy, sections 4.7.1 Internal Security Testing and 4.7.2 External Security Testing.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
     Covered simply by purchasing, implementing, and maintaining the Gold Security Package.

The Gold Security Package goes well above and beyond what is required for PCI Compliance. You can view the details of the Gold package here.

Please note that the information above maps each PCI requirement to the InstantSecurityPolicy.com policy that covers it. As with any regulation, the procedures you put into place to enforce your policies are critical to your compliance.

We recommend that as you answer the questionnaire, you keep these 12 requirements in mind and answer the questions accordingly.


The above information is based on interpretation by an experienced policy professional and is believed to be correct. Please note, however, that InstantSecurityPolicy.com is not in the business of dispensing legal advice, and thus any policies generated should be reviewed for applicability to your specific situation.