CHECKLIST: PCI/ISO COMPLIANCE By Melbourne IT Enterprise Services / BROCHURE /


MELBOURNE IT ENTERPRISE SERVICES 2

CHECKLIST: PCI/ISO COMPLIANCE

If your business handles credit card transactions then you have probably heard of the Payment Card Industry Data Security Standard (PCI DSS), as well as the ISO standards for Information Security Management (ISO 27001/27002). These terms are being mentioned more frequently as major data breaches at international retailers and financial institutions place millions of card records in the hands of cybercriminals. In response to this significant and growing problem, the PCI and ISO standards are designed to prepare businesses and institutions with an online presence to protect themselves from the attentions of hackers.

PCI/ISO compliance should be a priority for any business looking to protect itself from data breaches, along with any potential legal action that could result from such incidents. In addition, being able to actively demonstrate to your customers that you are doing everything possible to keep their personal and financial data secure will improve customer relations and protect against significant reputational losses, which often cannot be measured in terms of dollars.

HOW SHOULD THESE CHECKLISTS BE USED?

For online retailers and service providers looking to deliver their product and process credit card transactions, there are a number of considerations regarding regulatory certification and maintaining compliance with the standards of various initiatives. This checklist highlights the different requirements businesses need to account for when looking to maintain compliance with the Payment Card Industry Data Security Standard and the ISO Code of Practice for Information Security Management (ISO 27001/27002).

Use this checklist to provide a high-level summary of your status against the key aspects of regulatory compliance, and to identify where compliance management service providers can help fill the identified gaps. Closing those gaps can streamline the process through pre-certification and the reduction of validation requirements.


PCI DSS CHECKLIST

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure operational environment. The following requirements need to be taken into account for PCI DSS compliance:

Do you have an installed firewall solution to protect cardholder data?

Do you routinely use anti-virus software solutions which are regularly patched and updated to ensure optimal effectiveness?

Do you have personalised system passwords and other security parameters rather than vendor-supplied defaults?

Can you develop and maintain secure systems and applications with hardened and securely written code?

Can you restrict physical access to cardholder data, i.e. limit physical access to authorised personnel through the use of tangible security measures?

Can you properly identify and authenticate access to system components?

Are you able to efficiently track and monitor all access to network resources and cardholder data?

Can you restrict cardholder data to a “need to know” basis?

Can you adequately protect stored cardholder data?

Do you encrypt the transmission of cardholder details across open, public networks?


Do you regularly test security systems and processes to ensure optimal effectiveness?

Do you maintain a policy that addresses all pertinent information security issues for all personnel?

Are you aware of the many benefits of PCI DSS compliance, including increased levels of consumer and business partner trust?

Are you aware that the PCI standards of compliance still apply to your business even if you only accept credit card payments over the phone?

Are you aware of the steep fines which can be levied against banks and businesses for non-compliance?

Do you know your “merchant level” (ranging from 1 through to 4 depending on the volume of annual credit card transactions carried out by your organisation) and the subsequent effect of your merchant level on your compliance requirements?

Did you know that being PCI DSS compliant will help you become better prepared for complying with recently introduced regulations as well as regulations proposed for future implementation?


ISO CHECKLIST

The ISO 27001/27002 standards are a comprehensive set of security standards that provide the guiding principles for improving information security management within any given organisation. They cover best practice relating to every part of information security, from implementation through to ongoing maintenance. While there are hundreds of potential controls outlined and suggested, the following checklist addresses the main points regarding ISO compliance:

Does your organisation maintain a clear, well-defined and easily understandable security policy which employees can adhere to?

Is the organisation’s information security handled by a dedicated team with an appointed departmental head responsible for updating and maintaining the security policy?

Is the head of information security also responsible for security asset management, with clearly defined protocols for their access and operation?

Does your organisation’s security policy comprehensively cover human resources security? Are employees properly instructed in all ongoing security protocols, including communication and ethics?

Does your organisation’s security policy account for physical and environmental security, where access to security hardware is properly restricted to authorised personnel?

Has your organisation made a thorough assessment of potential security risks which could affect it, along with the likelihood of occurrence and estimated potential impact of each threat?

Does this assessment take into account the organisation’s overall business strategy and objectives?

Does this assessment take into account the legal, statutory, regulatory and contractual requirements that an organisation, its trading partners, contractors and service providers have to satisfy?


ABOUT MELBOURNE IT

Melbourne IT Enterprise Services designs, builds and manages cloud solutions for Australia’s leading enterprises. Its expert staff help solve business challenges and build cultures that enable organisations to use technology investments efficiently and improve long-term value. With more than 15 years’ experience in delivering managed outcomes to Australian enterprises, Melbourne IT has long been associated with enabling success. Its certified cloud, consulting and security experts repeatedly deliver results. This is why many of the brands you already know and trust rely on Melbourne IT.

THE RIGHT SOLUTION IS MELBOURNE IT

melbourneitenterprise.com.au

1800 664 222