Visa/Mastercard security requirements for small vendors.
Phil Windley says that Visa and Mastercard are starting to crack down on small merchants, requiring them to meet some sort of minimum information security standards or lose the ability to accept Visa or Mastercard purchases online. This is clearly a good thing.

He lists 12 basic requirements:
- Install and maintain a working firewall to protect data
- Keep security patches up-to-date
- Protect stored data
- Encrypt data sent across public networks
- Use and regularly update anti-virus software
- Restrict access by need to know
- Assign unique ID to each person with computer access
- Don't use vendor-supplied defaults for passwords and security parameters
- Track all access to data by unique ID
- Regularly test security systems and processes
- Implement and maintain an information security policy
- Restrict physical access to data
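Two of the items above, unique per-person IDs and an access trail keyed by that ID, are easy to state and easy to get wrong (a shared "admin" login defeats both). The following is an added example, not code from the post or from Visa, showing one way a small merchant's data-access layer can enforce a need-to-know check against a role table and write an audit record for every attempt. The roles, account names and records are constructed for illustration.

```python
"""Added example: a minimal data-access layer that enforces need-to-know
access by role, refuses shared or unregistered accounts, and records every
attempt (allowed or not) under the requesting user's unique ID."""
import json
import time
from dataclasses import dataclass, field

# Constructed need-to-know policy: which role may read which data class.
NEED_TO_KNOW = {
    "billing": {"cardholder", "order"},
    "support": {"order"},
}

# Generic or shared logins are not a unique person ID and are never accepted.
SHARED_ACCOUNT_NAMES = {"admin", "root", "shared", "operator"}


@dataclass
class AuditLog:
    """Append-only list of access records; one line of JSON per attempt."""
    entries: list = field(default_factory=list)

    def record(self, user_id, data_class, record_key, allowed):
        entry = {
            "ts": time.time(),
            "user": user_id,
            "class": data_class,
            "key": record_key,
            "allowed": allowed,
        }
        self.entries.append(entry)
        return json.dumps(entry)


class DataStore:
    """Holds constructed order and cardholder records behind an access check."""

    def __init__(self, users, audit):
        self.users = users      # user_id -> role (constructed registry)
        self.audit = audit
        self.data = {
            ("order", "o-100"): {"total": "42.00"},
            ("cardholder", "o-100"): {"pan_last4": "1234"},
        }

    def read(self, user_id, data_class, record_key):
        # A request from a shared or unknown account is logged and refused
        # before any policy lookup, so the trail always names a real person.
        if user_id in SHARED_ACCOUNT_NAMES or user_id not in self.users:
            self.audit.record(user_id, data_class, record_key, False)
            raise PermissionError("access requires a unique, registered user ID")
        role = self.users[user_id]
        allowed = data_class in NEED_TO_KNOW.get(role, set())
        # Every attempt is recorded, including denials, keyed by user ID.
        self.audit.record(user_id, data_class, record_key, allowed)
        if not allowed:
            raise PermissionError(f"role {role} has no need to know {data_class}")
        return self.data.get((data_class, record_key))


def attempt(store, user_id, data_class, record_key):
    """Run one access and report (granted, value) without raising."""
    try:
        return True, store.read(user_id, data_class, record_key)
    except PermissionError:
        return False, None


def build_demo():
    """Assemble the constructed store with two registered users."""
    audit = AuditLog()
    store = DataStore({"alice": "billing", "bob": "support"}, audit)
    return store, audit


if __name__ == "__main__":
    store, audit = build_demo()
    for who, cls in (("alice", "cardholder"), ("bob", "cardholder"), ("admin", "order")):
        print(who, cls, attempt(store, who, cls, "o-100"))
    for line in audit.entries:
        print(json.dumps(line))
```

The denial records matter as much as the grants: a reviewer answering the questionnaire's "is access tracked by unique ID" question wants to see refused attempts from shared accounts in the trail, not just successful reads.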
The actual questionnaire from Visa goes into a lot more detail (Do changes to the firewall need authorization, and are the changes logged?). A quick skim of the questionnaire shows a bit of Windows bias (you can't pass unless you have virus scanners on all your servers, which is kind of weird in a Unix environment), but it looks like a great step forward. It's nice to see someone in a position of influence raising the security baseline.
[*scottstuff*]