PCI Standard for Database Professionals - PCI DSS for Database Professionals


By    [ 05/12/2010 ]
Words in article: 526   [ Viewed 2022 times ]

The Payment Card Industry Data Security Standard (PCI DSS) sets forth the security requirements for organizations that store, process and/or transmit credit or debit card transactions. These requirements stem from a series of significant security incidents affecting databases of consumer credit information over the past decade.

What does PCI DSS mean to you as a database professional? If you review the PCI DSS standard, you’ll find seventeen pages packed with detailed requirements for securing cardholder information. If your organization processes transactions, it’s a good idea to review the entire standard and ensure you’re meeting all of those requirements. That said, I’ll highlight a few salient points that pertain directly to database professionals.

    • Place the database in an internal network zone, segregated from the DMZ. PCI requires that you place your database server on your internal network and that you deny attempts to directly access the database from untrusted networks. Additionally, you must use private IP addresses for the database server.
    • Change vendor-supplied default passwords. You must ensure that your database uses strong passwords for all user accounts and that you change the passwords for any default accounts supplied by your database vendor.
    • Encrypt all non-console administrative access. You’re required to use encryption technology (e.g. VPN, SSL, ssh) to encrypt any administrative connections to the database. This reduces the risk of an eavesdropper obtaining administrative credentials to the database.
    • Keep cardholder data storage to a minimum. You should never store cardholder data that you no longer need. If you don’t need to store it, don’t. If you’re finished with it, purge it from your database. In all cases, you may never store data from the card’s magnetic stripe or the three-digit security code on the back of the card.
    • Encrypt card numbers that you do store. If your business requirements dictate that you store card numbers, you must encrypt them using a strong encryption algorithm. Furthermore, you must use sound key management practices to limit access to the encryption keys.
    • Ensure that you patch your database regularly. A recent study revealed that many DBAs seldom, if ever, apply security patches. PCI requires that you apply security updates within one month of their release.
    • Develop web applications securely. Granted, DBAs seldom have control over the code written by developers, but it's important that we act as security evangelists, educating developers about the risk posed by database attacks such as SQL injection.
    • Practice secure user management. In addition to the controls you'd expect, such as requiring individual user accounts with strong passwords, you also need to manage database roles and rights in a fashion that limits access to those with a need to know.
    • Log everything. PCI requires that you record the name of the user, type of event, timestamp, and other technical information about any individual user access to cardholder data, administrator actions and failed authentication attempts.
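
The storage gate, key separation and audit record that the list above asks for, as an added example in Go that is not part of the original article. It assumes a key-encryption key held by an HSM or key-management service (a constructed stand-in here), a constructed test card number, and hypothetical type and function names (CardInput, StoredCard, PrepareForStorage, RevealPAN, NewDataKey). The gate refuses to persist magnetic-stripe or security-code data, keeps only a masked PAN plus AES-256-GCM ciphertext, stores the data key only in wrapped form under the KEK, and produces a user/event/timestamp audit record on every decryption, successful or not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// CardInput is what the application hands to the data layer; TrackData and CVV
// (hypothetical field names) exist only so the storage gate can refuse them.
type CardInput struct {
	PAN, TrackData, CVV string
}

// StoredCard is all that reaches the cardholder table: a masked PAN for display
// plus AES-256-GCM ciphertext. KeyID refers to a separate key table.
type StoredCard struct {
	PANMasked, KeyID  string
	Nonce, Ciphertext []byte
}

// AuditEvent carries the fields PCI DSS asks for on every access to cardholder data.
type AuditEvent struct {
	Timestamp               time.Time
	User, EventType, Target string // Target is the masked PAN, never the clear one
	Success                 bool
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random nonce; open reverses it and fails on any tampering.
func seal(key, plaintext []byte) (nonce, ct []byte, err error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}
func open(key, nonce, ct []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, nil)
}

// NewDataKey makes a random 256-bit data key and its copy wrapped under the
// key-encryption key (assumed to live in an HSM or KMS). Only the wrapped copy
// (12-byte nonce then ciphertext) is persisted; open(kek, wrapped[:12], wrapped[12:]) recovers it.
func NewDataKey(kek []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	nonce, ct, err := seal(kek, plain)
	return plain, append(nonce, ct...), err
}

// PrepareForStorage gates the INSERT: magnetic-stripe data and the security code
// are refused outright, and only the masked and encrypted PAN comes back.
func PrepareForStorage(in CardInput, keyID string, dek []byte) (StoredCard, error) {
	if in.TrackData != "" || in.CVV != "" {
		return StoredCard{}, errors.New("magnetic-stripe data and security codes may never be stored")
	}
	if n := len(in.PAN); n < 13 || n > 19 || strings.Trim(in.PAN, "0123456789") != "" {
		return StoredCard{}, errors.New("PAN must be 13 to 19 digits")
	}
	nonce, ct, err := seal(dek, []byte(in.PAN))
	if err != nil {
		return StoredCard{}, err
	}
	masked := in.PAN[:6] + strings.Repeat("*", len(in.PAN)-10) + in.PAN[len(in.PAN)-4:]
	return StoredCard{PANMasked: masked, KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// RevealPAN decrypts for an authorized operation and returns the audit record to
// write whether or not decryption succeeded; the failures are the interesting ones.
func RevealPAN(user string, card StoredCard, dek []byte) (string, AuditEvent, error) {
	pt, err := open(dek, card.Nonce, card.Ciphertext)
	ev := AuditEvent{Timestamp: time.Now().UTC(), User: user, EventType: "pan.decrypt",
		Target: card.PANMasked, Success: err == nil}
	return string(pt), ev, err
}

func main() {
	dek, _, _ := NewDataKey(make([]byte, 32)) // zero KEK as a constructed stand-in for a KMS-held key
	card, _ := PrepareForStorage(CardInput{PAN: "4111111111111111"}, "dek-01", dek) // constructed test PAN
	fmt.Println(card.PANMasked, len(card.Ciphertext))
}
```

The two things worth copying into a real schema are that the cardholder row never holds a key, only a KeyID, and that the audit record is produced by the same call that decrypts, so an application cannot read a PAN without leaving the user, event type and timestamp behind.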
This article provides only a high-level overview of the PCI DSS requirements most applicable to database administrators. I encourage you to review the entire standard and discuss it with other IT and business professionals in your organization.

Benjamin Baruch - Senior Security Consultant | CISSP, QSA, CCSE, MCSE
BB@nsapIT.com
Phone: 1599-599-596
Mobile: +972-50-260-7456
Fax: +972-3-647-9731
International callers (USA & Canada): +1 315-608-6534
St Atidim, building 6, Tel-Aviv, zip 61580, POB 58067, Israel
www.nsapIT.com
