Retail PCI Compliance
Regularly Monitor and Test Networks
Network security is critical to protecting cardholder data. The use of networks allows cardholder data to be transmitted between payment applications, storage media and on to the third-party processor or acquiring bank. Vulnerabilities pop up all the time and a business should be prepared to regularly monitor and test its networks to identify vulnerabilities and fix them should they occur.
Requirement #10: Track and monitor all access to network resources and cardholder data
This requirement includes the specifics needed for logging, monitoring and penetration testing. Establishing a process for logging is one of the most important activities a business can do in the event of a security breach. This provides the data needed to determine who did what, when it happened and what actions need to be taken to fix it. PCI DSS requires that you log the following:
- All access to cardholder data
- All actions taken by an administrator
- All access to logs
- All invalid login attempts
- All identification and authentication mechanisms
- All creations or deletions of system-level objects
For each of these events, the stored information needs to include the user name, event type, timestamp, success/failure status, origin of the event and the identity of the affected system, resource or data. This information also needs to be retained for at least one year.
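The six fields listed above can be enforced at the point where audit entries are written and again when existing logs are reviewed. The following is an added example (not code from the original page or from any PCI DSS tool): it builds JSON audit entries carrying every required field, reports which fields an existing line lacks, and gates deletion on the one-year retention period. Event type names and the sample log lines are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Fields PCI DSS requires in every audit entry (Requirement 10)
REQUIRED_FIELDS = ("user", "event_type", "timestamp", "status", "origin", "affected")
# One constructed category per event class the requirement says must be logged
LOGGED_EVENTS = {"cardholder_data_access", "admin_action", "log_access",
                 "invalid_login", "auth_mechanism_use", "system_object_change"}
RETENTION = timedelta(days=365)


def audit_record(user, event_type, status, origin, affected, when=None):
    """Return one JSON audit line containing every required field."""
    if event_type not in LOGGED_EVENTS:
        raise ValueError(f"event type not in logging policy: {event_type}")
    if status not in ("success", "failure"):
        raise ValueError("status must be 'success' or 'failure'")
    when = when or datetime.now(timezone.utc)
    return json.dumps({"user": user, "event_type": event_type,
                       "timestamp": when.isoformat(), "status": status,
                       "origin": origin, "affected": affected}, sort_keys=True)


def missing_fields(line):
    """List the required fields a log line lacks; unparsable lines lack all of them."""
    try:
        rec = json.loads(line)
    except ValueError:
        return list(REQUIRED_FIELDS)
    return [f for f in REQUIRED_FIELDS if not rec.get(f)]


def eligible_for_purge(line, now):
    """True only once the entry has been retained for at least one year."""
    stamp = datetime.fromisoformat(json.loads(line)["timestamp"])
    return now - stamp >= RETENTION


# Constructed sample lines: one complete, one missing origin/affected, one garbage
SAMPLE_LINES = [
    audit_record("jdoe", "cardholder_data_access", "success", "10.0.0.5", "pan_db",
                 datetime(2024, 1, 1, tzinfo=timezone.utc)),
    '{"user": "root", "event_type": "admin_action", "status": "failure", '
    '"timestamp": "2024-01-02T00:00:00+00:00"}',
    "Jan  2 00:00:01 pos01 login failed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        gaps = missing_fields(line)
        print("OK" if not gaps else f"MISSING {gaps}", line[:60])
```

Running the block flags the second and third sample lines as non-compliant, which is the kind of gap a quarterly log review should surface before an assessor does.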
Requirement #11: Regularly test security systems and processes
The PCI DSS requires a business to regularly test security controls and processes to systematically find any vulnerabilities and fix them. Testing should be done every 90 days to help identify any changes in the systems.
- Scan for any rogue wireless access points using a wireless analyzer, a wireless intrusion detection system or an intrusion prevention system (IDS/IPS) at least quarterly
- Conduct both internal and external vulnerability scans on at least a quarterly basis – an Approved Scanning Vendor is required to perform external scans
- Perform both internal and external penetration testing annually or after any significant change to infrastructure or applications – a penetration test is a controlled attack on your cardholder data environment
