Tag: pci dss

PCI DSS Requirement 8 Explained

Assigning a unique identity (ID) to each person with access ensures that each individual is specifically accountable for their actions. When such accountability is in place, actions on critical data and systems are carried out by established and approved users and procedures and can be tracked accordingly.

PCI DSS Requirement 7 Explained

To ensure that critical data can only be accessed by authorized personnel, it is important to have systems and processes in place to limit access based on need to know and job responsibilities.

PCI DSS Requirement 6 Explained

Unscrupulous people exploit bugs to gain privileged access to programs. Many of these bugs are addressed by the manufacturer's security patches, which must be installed by the organizations that run the devices.

PCI DSS Requirement 5 Explained

Malicious software, commonly referred to as "malware" (including worms, viruses and trojans), enters the network during a number of business-approved activities, including employee email and Internet usage, mobile phones, and storage devices, resulting in system vulnerabilities being exploited.

PCI DSS Requirement 4 Explained

Sensitive information must be encrypted during transmission over networks that are easily accessible to malicious individuals.

PCI DSS Requirement 3 Explained

Security mechanisms like encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an attacker circumvents other security checks and gains access to encrypted data without the correct cryptographic keys, the data will be unreadable and unusable to that individual.

PCI DSS Requirement 2 Explained

Malicious individuals, both external and internal, often use default vendor passwords and other default vendor settings to compromise systems. These passwords and settings are well known to hacker groups and can be easily found in public information.

PCI DSS Requirement 1 Explained

Firewalls are devices that control computer traffic between an entity's internal network and untrusted external networks, as well as traffic to and from more sensitive areas within an entity's internal trusted networks.
