PCI DSS

Vulnerabilities are constantly found by malicious individuals and researchers, and new software is introduced to them. System components, processes, and custom applications should be periodically reviewed to ensure an evolving environment continues to represent security controls.

Logging systems and monitoring user behaviors are important to prevent, identify or mitigate the effect of a data compromise. The availability of logs in all environments makes it possible to monitor, warn and evaluate thoroughly when something goes wrong.

Any physical access to data or systems that house cardholder data provides individuals with the ability to access devices or data, and delete systems or hardcopies, which should be limited appropriately.

Assigning each person with access to a unique identity (ID) ensures that each individual has specific accountability for their actions. When such accountability is in place, critical data and system activities are carried out by established and approved users and procedures and can be tracked accordingly.

To ensuring that critical data can only be accessed by authorized personnel, it is important to have systems and processes to place to limit access based on the need to learn and the job responsibilities.

Unscrupulous people are exploiting bugs to gain privileged access to programs. Many of these bugs are addressed by the manufacturer's security patches, which must be implemented by the device-running organizations.

Malicious software, commonly referred to as "malware" including worms, viruses and trojans, reaches the network during a number of business-approved activities, including employee email and Internet usage, mobile phones, and storage devices, resulting in system vulnerabilities being exploited.

Sensitive information that is easily accessible to malicious individuals must be encrypted during transmission over networks.