Welcome!

Microservices Expo Authors: Pat Romanski, Elizabeth White, Liz McMillan, Carmen Gonzalez, Gerardo A Dada

Related Topics: Cloud Security, Industrial IoT, Microservices Expo, API Journal, Agile Computing, Release Management

Cloud Security: Article

What Are the Basics of PCI DSS?

Why is it so important to businesses today?

First, PCI DSS stands for Payment Card Industry Data Security Standard. It started out as a series of five separate programs, namely: American Express Data Security Operating Policy, Discover Information and Compliance, JCB Data Security Program, MasterCard Site Data Protection and Visa Card Information Security Program.

While each program was unique and came from different (in some cases, competing) brands, the overall aim was the same throughout: to ensure merchants meet minimum levels of security in storing, processing and transmitting cardholder data in order to better protect card issuers.

The five separate but similar policies were eventually collated in 2004 when the PCI DSS was created. Soon afterward, each company aligned their own policies to correlate with that of the new industry standard.

Updates
Since its creation in 2004, the PCI DSS policy has undergone numerous updates in order to keep on top of recent developments, whilst improving clarity and flexibility. One of the largest of these updates came in 2009 when the PCI DSS was amended to deal with wireless transactions. This brought about the recommendation for all firms to use a Wireless Intrusion Prevention System to remain PCI DSS-compliant in the new marketplace.

Another sizeable update came in 2010 regarding call centre work. Often in call centre work, customers are asked to read out their card information, including the CVV code, to the person on the other end. Furthermore, the majority of calls are recorded for security and training purposes, meaning that others in the call centre can gain access to the recordings without needing to undergo security clearance. This made the process of 'skimming' details incredibly easy.

This practice leads to revisions into procedure for call centre recordings. Now, call centres are not permitted to store recordings that include the three-digit CVV number if they can be queried.

Requirements
When in operation, PCI DSS is aimed at providing 12 requirements to cover six main control objectives. The first objective is to build and maintain a secure network. To ensure compliance, businesses need to install and maintain a firewall to protect cardholder data. They must also not use vendor-supplied defaults for their security measures (such as using 'password', the business name or '0000' as a passwords or codes).

Secondly, in order to protect cardholder data, businesses must protect any information they have stored on system and ensure that any data that is transmitted across open, public networks is comprehensively encrypted.

The third control objective is to maintain a vulnerability management programme. To attain compliance, businesses must use and maintain anti-virus software on all their systems that may otherwise be affected by malware. This must be kept up-to-date at all times to guarantee protection against even the newest threats. Businesses must also develop and maintain secure systems and applications across the network.

To implement strong access control measures (the fourth objective), businesses must restrict access to cardholder data by business on a need-to-know basis. They must then assign each different computer user with a unique ID so usage can be tracked back to each individual. Firms must also restrict physical access to cardholder data.

The fifth objective tasks firms with regularly monitoring and testing their networks. To ensure compliance here, businesses must track and monitor all access to network resources and cardholder data, as well as regularly test their security systems/processes.

Lastly, businesses must ensure they maintain a policy that addresses information security.

Keeping up to date with PCI DSS can be a large undertaking for a brand, but high-profile cases of firms that have seen their security breached - as well as the fall-out that came afterwards - shows just how important it is to stick closely to the best practice guidelines.

More Stories By Dominic Monkhouse

Dominic Monkhouse joined PEER 1 Hosting as managing director of the company's new UK operations in January, 2009, bringing more than 14 years of IT industry experience to the team. He is the key executive responsible for building and growing PEER 1 Hosting's expansion into Europe. In his role as managing director, Dominic is responsible for sales, marketing and service delivery across PEER 1 Hosting's UK business and ensuring overall customer satisfaction. His role is integral to the company's continued commitment to customer service.

Before joining PEER 1 Hosting, Dominic served as managing director of IT Lab, where he was able to quickly transform the company into the fastest growing IT service provider in the UK SME market. Prior to IT Lab, he was managing director of Rackspace, which grew from a staff of four to 150 under his guidance.

Dominic has a Bachelor of Science in Agricultural and Food Marketing from Newcastle University and a MBA from Sheffield Business School in the UK. He frequently participates in public speaking events on the topic of creating great places to work and achieving continuous client satisfaction. He also is involved as a judge of the Sunday Times Customer Experience Awards.

@MicroservicesExpo Stories
Get deep visibility into the performance of your databases and expert advice for performance optimization and tuning. You can't get application performance without database performance. Give everyone on the team a comprehensive view of how every aspect of the system affects performance across SQL database operations, host server and OS, virtualization resources and storage I/O. Quickly find bottlenecks and troubleshoot complex problems.
Application transformation and DevOps practices are two sides of the same coin. Enterprises that want to capture value faster, need to deliver value faster – time value of money principle. To do that enterprises need to build cloud-native apps as microservices by empowering teams to build, ship, and run in production. In his session at @DevOpsSummit at 19th Cloud Expo, Neil Gehani, senior product manager at HPE, discussed what every business should plan for how to structure their teams to delive...
DevOps is being widely accepted (if not fully adopted) as essential in enterprise IT. But as Enterprise DevOps gains maturity, expands scope, and increases velocity, the need for data-driven decisions across teams becomes more acute. DevOps teams in any modern business must wrangle the ‘digital exhaust’ from the delivery toolchain, "pervasive" and "cognitive" computing, APIs and services, mobile devices and applications, the Internet of Things, and now even blockchain. In this power panel at @...
SYS-CON Events announced today that Dataloop.IO, an innovator in cloud IT-monitoring whose products help organizations save time and money, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Dataloop.IO is an emerging software company on the cutting edge of major IT-infrastructure trends including cloud computing and microservices. The company, founded in the UK but now based in San Fran...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
Today’s IT environments are increasingly heterogeneous, with Linux, Java, Oracle and MySQL considered nearly as common as traditional Windows environments. In many cases, these platforms have been integrated into an organization’s Windows-based IT department by way of an acquisition of a company that leverages one of those platforms. In other cases, the applications may have been part of the IT department for years, but managed by a separate department or singular administrator. Still, whether...
As we enter the final week before the 19th International Cloud Expo | @ThingsExpo in Santa Clara, CA, it's time for me to reflect on six big topics that will be important during the show. Hybrid Cloud: This general-purpose term seems to provide a comfort zone for many enterprise IT managers. It sounds reassuring to be able to work with one of the major public-cloud providers like AWS or Microsoft Azure while still maintaining an on-site presence.
I’m a huge fan of open source DevOps tools. I’m also a huge fan of scaling open source tools for the enterprise. But having talked with my fair share of companies over the years, one important thing I’ve learned is that you can’t scale your release process using open source tools alone. They simply require too much scripting and maintenance when used that way. Scripting may be fine for smaller organizations, but it’s not ok in an enterprise environment that includes many independent teams and to...
Between 2005 and 2020, data volumes will grow by a factor of 300 – enough data to stack CDs from the earth to the moon 162 times. This has come to be known as the ‘big data’ phenomenon. Unfortunately, traditional approaches to handling, storing and analyzing data aren’t adequate at this scale: they’re too costly, slow and physically cumbersome to keep up. Fortunately, in response a new breed of technology has emerged that is cheaper, faster and more scalable. Yet, in meeting these new needs they...
More and more companies are looking to microservices as an architectural pattern for breaking apart applications into more manageable pieces so that agile teams can deliver new features quicker and more effectively. What this pattern has done more than anything to date is spark organizational transformations, setting the foundation for future application development. In practice, however, there are a number of considerations to make that go beyond simply “build, ship, and run,” which changes how...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
SYS-CON Events has announced today that Roger Strukhoff has been named conference chair of Cloud Expo and @ThingsExpo 2017 New York. The 20th Cloud Expo and 7th @ThingsExpo will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "The Internet of Things brings trillions of dollars of opportunity to developers and enterprise IT, no matter how you measure it," stated Roger Strukhoff. "More importantly, it leverages the power of devices and the Internet to enable us all to im...
In IT, we sometimes coin terms for things before we know exactly what they are and how they’ll be used. The resulting terms may capture a common set of aspirations and goals – as “cloud” did broadly for on-demand, self-service, and flexible computing. But such a term can also lump together diverse and even competing practices, technologies, and priorities to the point where important distinctions are glossed over and lost.
Monitoring of Docker environments is challenging. Why? Because each container typically runs a single process, has its own environment, utilizes virtual networks, or has various methods of managing storage. Traditional monitoring solutions take metrics from each server and applications they run. These servers and applications running on them are typically very static, with very long uptimes. Docker deployments are different: a set of containers may run many applications, all sharing the resource...
Logs are continuous digital records of events generated by all components of your software stack – and they’re everywhere – your networks, servers, applications, containers and cloud infrastructure just to name a few. The data logs provide are like an X-ray for your IT infrastructure. Without logs, this lack of visibility creates operational challenges for managing modern applications that drive today’s digital businesses.
You have great SaaS business app ideas. You want to turn your idea quickly into a functional and engaging proof of concept. You need to be able to modify it to meet customers' needs, and you need to deliver a complete and secure SaaS application. How could you achieve all the above and yet avoid unforeseen IT requirements that add unnecessary cost and complexity? You also want your app to be responsive in any device at any time. In his session at 19th Cloud Expo, Mark Allen, General Manager of...
Financial Technology has become a topic of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 20th Cloud Expo at the Javits Center in New York, June 6-8, 2017, will find fresh new content in a new track called FinTech.
@DevOpsSummit taking place June 6-8, 2017 at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @DevOpsSummit at Cloud Expo New York Call for Papers is now open.
The 20th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held June 6-8, 2017, at the Javits Center in New York City, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Containers, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportunity. Submit your speaking proposal ...
"Dice has been around for the last 20 years. We have been helping tech professionals find new jobs and career opportunities," explained Manish Dixit, VP of Product and Engineering at Dice, in this SYS-CON.tv interview at 19th Cloud Expo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA.