PCI-DSS adherence is becoming more and more important as eCommerce adopts ePayment. It is not complex, but it can become a mess if not properly addressed. The simple model proposed here gives a way to figure out where (to which component) to apply what (which requirement), and helps IT people lead compliance more easily.
The IT systems handling cardholder data should be described as 9 components, arranged in a 3x3 Area-by-Scope grid. The 12 requirements are then applied to the 9 components.
Let's look at the areas:
- Environments: logical areas defined by the characteristics of the data resident in them. Each should have a physical boundary, established by Req. 9 "Restrict Physical Access". The 3 environments are: Inside, Outside, Privilege
- Technologies: IT functions/devices that process cardholder data. The 3 technologies are: PCI-DB, Sys/App, Desktop
- Communication: access interfaces to and from the Inside environment. The 3 communications are: DB Comms, Int-Ext Comms, Sys Comms
Let's look at the scopes:
- Core: internal elements that process data. The 3 core items are: Inside, PCI-DB, DB Comms
- Interface: front-end elements that present data. The 3 interface items are: Outside, Sys/App, Int-Ext Comms
- Management: privileged elements that manage data. The 3 management items are: Privilege, Desktop, Sys Comms
Here is the 3x3 grid, with the requirements to apply to each component:

| Area | Core | Interface | Management |
|---|---|---|---|
| Environment | Inside: 1-12 | Outside: 9, 12 | Privilege: 5 |
| Technology | PCI-DB: 3 | Sys/App: 2, 6, 11 | Desktop: 5 |
| Communication | DB Comms: 7 | Int-Ext Comms: 1, 4, 10 | Sys Comms: 8 |