Payment
Card Industry (PCI) Data Security Audit Program
It is estimated that the cost of a credit card
security breach is between $90 and $305 per compromised record. While
the threshold for PCI compliance is only a minimum standard, businesses
recognize that failure to meet PCI requirementscan lead to both
financial penalties and long-term damage to customer trust and brand
equity.
PCI requirements maintain that companies shall encrypt data at rest,
which is a challenging and expensive endeavor for most retailers to
undertake. (see also PCI
Compliance Kit)
The PCI DSS security requirements apply to all “system components.” A system component is defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (internet) applications.
This program is specific to the required annual PCI audit. Included in the standard audit program are two policies (one paragraph long) which need to be implemented to meet PCI DSS security requirements. The policies are for "Sensitive Data" and "Record Management (Retention and Disposition)" --the ones provided in the standard package are shorthand versions of the full polices contained in other Janco products which are available individually or in the premium and gold versions of the PCI Audit program.
The table below shows what is included in each of the three versions of the PCI Audit Program:
