Payment Card Industry Data Security Standard Compliance Planning Guide (1)


Introduction

The Payment Card Industry Data Security Standard Compliance Planning Guide is designed to help organizations meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). Specifically, this guide is intended for merchants that accept payment cards, financial institutions that process payment card transactions, and service providers (third-party companies that provide payment card processing or data storage services). IT solutions for these groups must meet all PCI DSS requirements. This guide complements the Regulatory Compliance Planning Guide, which introduces a framework-based approach to creating IT controls that help you comply with a variety of regulations and standards. This guide also describes Microsoft products and technology solutions that you can use to implement a set of IT controls that help meet PCI DSS requirements and fulfill other regulatory obligations your organization may have.

NOTE: If your organization provides services that include ATM services, Microsoft provides an applicable architecture and security guide for the software, systems, and networks that support ATMs. For more information, see the Microsoft banking industry center download page on the MSDN website.

This guide does not contain comprehensive information about how each organization should comply with PCI DSS. For answers to specific compliance questions related to your organization, consult your legal counsel or auditors.

The introduction to this guide includes the following parts:

  • Summary. This section provides a broad overview of the PCI DSS requirements and the main objectives of the planning guide. It also discusses what IT administrators need to know when they start addressing PCI DSS compliance requirements.

  • Target readers of this guide. This section describes the target readers, the purpose and scope of the guide, and the caveats and disclaimers related to the limitations of the guide.

  • What is the Payment Card Industry Data Security Standard? This section provides an overview of PCI DSS and its requirements.

  • Planning PCI DSS compliance. This section describes how to use the framework to meet PCI DSS requirements. It covers how to create the various IT controls, how to use them together, and why they are important components that your organization can use to help meet PCI DSS requirements and fulfill other regulatory compliance obligations.

  • The PCI DSS audit process. This section provides an overview of the audit process that auditors use to evaluate an organization's compliance with PCI DSS requirements.

Because this white paper complements the Regulatory Compliance Planning Guide, you should also refer to that guide when you plan a complete solution that meets all of the regulatory requirements that apply to your organization.

Summary

If your organization processes, stores, or transmits cardholder data, your business must comply with the Payment Card Industry Data Security Standard (PCI DSS). The requirements defined in this standard are set by the PCI Security Standards Council to provide an acceptable minimum level of security for the cardholders who use your organization's services.

Three problems make the situation complex. The first is that PCI DSS compliance can affect the entire organization, so it is important to coordinate compliance across departments and to have organization-wide PCI DSS compliance policies. The second is that your organization may need to comply with multiple sets of regulations, each of which imposes a different set of requirements. It is therefore not surprising that many companies find it difficult to understand how to respond correctly to these differing regulatory requirements and how to use cost-effective processes and technologies to maintain compliance. The third is that, like many other regulations, PCI DSS only refers to IT controls in general terms; it provides very limited guidance to the IT administrators who must determine exactly what to implement and how to maintain compliance.

The Payment Card Industry Data Security Standard Compliance Planning Guide targets the IT administrators who are responsible for meeting PCI DSS requirements. It aims to help IT managers learn how to address the many IT control requirements that apply to their organization, including the PCI DSS compliance requirements. To achieve this, the guide provides information about the solutions you can use in this process.

For a more comprehensive discussion of how to comply with multiple regulatory standards, see the Regulatory Compliance Planning Guide.

Important: This planning guide does not provide legal advice. It provides only factual and technical information about compliance with the relevant regulations. Do not rely solely on the opinions offered in this guide on how to meet regulatory requirements. For specific questions, consult your legal counsel or auditors.

Target readers of this Guide

The PCI DSS Compliance Planning Guide is intended for the people responsible for ensuring the secure and reliable collection, processing, transmission, and storage of cardholder data and for protecting the privacy of cardholders. The target readers of this guide include IT administrators who hold the following positions in the organization:

  • The Chief Information Officer (CIO), who is responsible for the deployment and operation of IT systems and IT-related processes.

  • The Chief Information Security Officer (CISO), who is responsible for the overall information security program and for compliance with information security policies.

  • The Chief Financial Officer (CFO), who is responsible for the organization's overall control environment.

  • The Chief Privacy Officer (CPO), who is responsible for implementing policies related to the management of personal information, including policies that support compliance with privacy and data protection laws.

  • Technical decision makers, who are responsible for identifying appropriate technology solutions to specific business problems.

  • IT operations managers, who run the systems and processes that carry out the PCI DSS compliance plan.

  • IT security architects, who design the IT controls and security systems that provide the level of security their organization's business requires.

  • IT infrastructure architects, who design the IT infrastructure on which the security and control architecture specified by the IT security architects runs.

  • Consultants and partners, who recommend or implement privacy and security best practices to help customers achieve their PCI DSS compliance goals.

In addition, this guide may be of value to the following people:

  • Risk and compliance officers, who are responsible for the organization's overall risk management program, including the requirements of PCI DSS.

  • IT audit managers, who audit IT systems and whose work reduces the workload of internal and external IT auditors.
