[LINK] Banks 'oblivious' to credit card compliance mandate
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Sep 22 14:17:19 AEST 2006
At 13:40 +1000 22/9/06, Bernard Robertson-Dunn wrote:
>Banks 'oblivious' to credit card compliance mandate
>Darren Pauli
>Computerworld
>22/09/2006 12:01:02
>http://www.computerworld.com.au/index.php/id;1280136952;fp;16;fpid;0
>Widespread confusion in Australia's banking industry about new
>compliance measures has led to five breaches of the Payment Card
>Industry (PCI) data security standard.
...
The requirements (outlined below) seem to be vanilla, mainstream
*industry* standards, rather than some super-set developed
specifically for EFT/POS. It would be an indictment on industry as a
whole, let alone the financial services segment of it, if these
basics aren't being complied with.
(Okay, if there are some highly specific prescriptions deeper down in
the document, I'd qualify my remarks; but the whole thing seems to
be subject to the appropriate 'risk-based' criterion, so highly
specific prescriptions are probably thin on the ground).
http://www.visa-asia.com/ap/center/merchants/riskmgmt/includes/uploads/ap_pci_data_security_standard_1.pdf
Payment Card Industry Data Security Standard
Version 1.0 December 15, 2004
Build and Maintain a Secure Network
Rqmt 1: Install and maintain a firewall configuration to protect data
Rqmt 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Rqmt 3: Protect stored data
Rqmt 4: Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
Rqmt 5: Use and regularly update anti-virus software
Rqmt 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Rqmt 7: Restrict access to data by business need-to-know
Rqmt 8: Assign a unique ID to each person with computer access
Rqmt 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Rqmt 10: Track and monitor all access to network resources and cardholder data
Rqmt 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Rqmt 12: Maintain a policy that addresses information security
Note that these Payment Card Industry (PCI) Data Security
Requirements apply to all Members, merchants, and service providers
that store, process or transmit cardholder data. Additionally, these
security requirements apply to all "system components", which is
defined as any network component, server, or application included
in, or connected to, the cardholder data environment. Network
components include, but are not limited to, firewalls, switches,
routers, wireless access points, network appliances, and other
security appliances. Servers include, but are not limited to, web,
database, authentication, DNS, mail, proxy, and NTP. Applications
include all purchased and custom applications, including internal
and external (web) applications.
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW