Firewall Wizards mailing list archives

Credit card transaction security


From: Bill Stout <Bill.Stout () AristaSoft com>
Date: Tue, 7 Sep 1999 15:08:47 -0700


Question:

Are there minimum security standards for companies who store and exchange
bulk credit card transactions with credit card processing bureaus (over the
Internet)?  Has anyone established such standards?

What it means to me is:

  o  Some auditable strength or 'certified' firewall
  o  Some auditable standardized 'hardening' of OSs; servers, routers,
gateways, etc.
  o  Enterprise-wide IDS system of some specific metrics
  o  Hardware or software VPN with some predetermined bit-level strength
(e.g., 56/112/128-bit encryption)
  o  OS and network security audit tools of some particular configuration
  o  Network partitioning from unrelated systems
  o  Some upgraded standard of physical security to consoles, terminals,
etc., such as card keys, possibly biometrics.
  o  'Bank teller' background checks on IT staff
  o  Regularly scheduled self-audits and audit log analysis
  o  Data storage and backup tape storage of some auditable 
  o  Third-party security audit

Any thoughts on this?  Institutions I previously worked with only had
internally defined standards, and did not follow 'industry' standards.  

Bill Stout

