How to Go Beyond PCI Compliance to Secure Your Organization: Introduction

Originally posted here: https://blog.hackedu.com/how-to-go-beyond-pci-compliance-to-secure-your-organization-part-1-introduction


Introduction

In 2000, the number of websites skyrocketed to 17 million, with more than 400 million internet users. Shortly after, online stores began appearing at a rapidly increasing rate. Retailers, however, weren’t the only ones who saw the potential of making money online; fraudsters saw it as well.


As online financial fraud began to rise, the leading credit card companies tried to introduce new security standards for their merchants in order to protect cardholder data. The first company to do so was VISA, with its Cardholder Information Security Program (CISP) released in 2001. Others, such as American Express and Mastercard, followed this initiative and created their own security standards.


However, the rate of online financial fraud kept increasing, and merchants, confused by all of the different security standards, were struggling to achieve compliance. For these reasons, the credit card providers convened to create a unified security standard, the Payment Card Industry Data Security Standard (PCI DSS).


In this post, we’ll explore what the Payment Card Industry Data Security Standard (PCI DSS) is, why it is important, what the consequences of being non-compliant are, and also why being PCI compliant is not enough. In the next several posts in this series, we will discuss the payment workflow and how to go beyond PCI compliance to secure your organization.


What is PCI DSS

PCI DSS was introduced in 2004 as a collective effort of several major credit card companies to reduce online financial fraud. It provides a comprehensive set of best practices regarding how sensitive data should be stored and guidance to minimize the risks of a data breach.


Simply put, PCI DSS states that an organization should never store credit card information in its database or Point of Sale (POS) terminal after a transaction has occurred unless it’s necessary to meet the needs of the business. Instead, it should use a third-party credit card vault and tokenization provider.

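The vault-and-tokenization pattern described above, as an added illustration that is not part of the original post and not code from any real tokenization provider: the merchant keeps only an opaque token plus the last four digits, while the full card number (PAN) lives solely inside the vault. The `TokenVault` class, the `tok_` prefix, and the sample card numbers (well-known test PANs, not real cards) are all constructed for this example. The `contains_pan` helper shows the kind of check a defender can run over merchant-side records or logs to confirm that no PAN leaked into storage the standard says should never hold it.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample input: a well-known test PAN, not a real card number.
SAMPLE_PAN = "4111 1111 1111 1111"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum. Rejects malformed or mistyped numbers before storage."""
    digits = [int(c) for c in pan]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate length and checksum."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("invalid PAN")
    return digits


class TokenVault:
    """Hypothetical stand-in for the third-party vault: the only component
    that ever sees or stores the PAN. A real vault encrypts this store at
    rest and gates detokenize() behind strong authentication and audit logging."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}   # token -> PAN

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        # Random, unpredictable token: carries no information about the PAN.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


@dataclass(frozen=True)
class MerchantOrder:
    """What the merchant's own database is allowed to keep."""
    order_id: str
    token: str
    last4: str


def record_order(vault: TokenVault, order_id: str, pan: str) -> MerchantOrder:
    """Merchant-side flow: hand the PAN to the vault, persist only token + last4."""
    digits = normalize_pan(pan)
    return MerchantOrder(order_id, vault.tokenize(digits), digits[-4:])


def contains_pan(text: str) -> bool:
    """Simple DLP-style scan: flag any 13-19 digit run that passes Luhn."""
    return any(luhn_valid(m.group()) for m in re.finditer(r"\d{13,19}", text))


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "order-1001", SAMPLE_PAN)
    print("merchant record:", order)
    print("merchant record leaks PAN?", contains_pan(repr(order)))
    print("vault can recover PAN for settlement:", vault.detokenize(order.token))
```

Running the script shows the merchant record holding only `tok_...` and `1111`, while `detokenize` (vault-side only) still returns the full number for the party that actually needs it.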

The standard consists of 12 requirements that cover logging and monitoring, vulnerability scans, risk assessment, physical security, access control policy, and a few other security-related best practices. For a company to be PCI compliant, it must prove that its systems and infrastructure meet all requirements.


Who is PCI DSS for?

Any organization that processes, stores, or transmits credit card data must comply with these standards, regardless of its legal structure. This includes governmental agencies, large enterprises, and even small retailers that use e-commerce solutions such as Shopify to outsource all cardholder data functions. The level of PCI compliance can be validated through a verified self-assessment report, an accredited third-party audit, or an onsite/remote network scan.


While PCI compliance is not enforced by law in most U.S. states (Nevada being an exception), the standard is still mandatory, and the major credit card companies behind PCI can sanction non-compliant merchants. The penalty can be a fine of $5,000 to $100,000 per month or even the suspension of merchant privileges, depending on the size of the business and the nature of the non-compliance.


Why being compliant is not enough

One of the most devastating data breaches in history was the Target Corporation breach. In 2013, 40 million credit and debit card numbers and 70 million records of personal information were stolen. The costs related to this incident were estimated at $252 million. Ironically, Target had been validated as PCI compliant 2 months before the breach.


But how is it possible for a fully compliant company to get breached?


First, it is crucial to understand that PCI DSS is a bare-minimum standard, as the PCI Council itself affirms. While compliance can enhance the overall security of an organization, its defined purpose is to help companies protect their customers’ sensitive cardholder information, not to secure the whole business. Therefore, being compliant does not guarantee that a company can’t be hacked.


Secondly, there is a common misconception that PCI compliance is a one-time event. Keep in mind that attackers continue to improve their skills and techniques, so new threats are continuously emerging. As long as there is a profit to be made, the pace of financial data attacks will not slow down. Addressing PCI compliance only for the annual assessment poses a number of significant risks and reinforces an illusion of security. Instead, companies must be proactive in keeping their systems secure, and they should treat PCI compliance as a continuous process that is considered daily.


Moreover, in the case of a data breach, the credit card providers are empowered to fine the company up to $90 for each compromised cardholder record, even if the company is 100% PCI compliant.


Besides financial losses, a data breach can result in bad publicity for the affected company, reputation damage, and lawsuits from affected customers; in some cases, it can even lead to bankruptcy.


Considering the various penalties associated with a data breach, going beyond PCI compliance and ensuring that the best cybersecurity practices are in place must be a top priority for companies that deal with sensitive information. Simply meeting a minimum standard is not enough to protect an organization and its customers. Securing sensitive information requires both defense in depth and compliance.


Read more here: https://blog.hackedu.com/how-to-go-beyond-pci-compliance-to-secure-your-organization-part-1-introduction


To read the follow up posts please sign up or watch this space: https://blog.hackedu.com


Translated from: https://medium.com/swlh/how-to-go-beyond-pci-compliance-to-secure-your-organization-introduction-bf154a33c822
