The PCI DSS ensures that organizations that accept or process payment transactions incorporate a set of operational and technical requirements that help protect the safety of that data. The framework aims to prevent payment data security breaches and fraud in entities that possess cardholder data (CHD). This encompasses software developers and manufacturers of the applications and devices used in those transactions.
The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 12-requirement structure for securing cardholder data that is stored, processed and/or transmitted by merchants and other organizations.
| Control objective | Requirement | |
|---|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data | 19 |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters | 10 |
| Protect Cardholder Data | 3. Protect stored cardholder data | 19 |
| | 4. Encrypt transmission of cardholder data across open, public networks | 3 |
| Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs | 5 |
| | 6. Develop and maintain secure systems and applications | 25 |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need to know | 8 |
| | 8. Identify and authenticate access to system components | 21 |
| | 9. Restrict physical access to cardholder data | 20 |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data | 28 |
| | 11. Regularly test security systems and processes | 12 |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel | 34 |
System components include network devices (both wired and wireless), servers and applications. Within PCI DSS, virtualization components, a subset of system components, comprise VMs, virtual switches/routers, appliances, applications/desktops, and hypervisors.
Even if a cloud service provider environment is vetted for certain PCI DSS requirements, this validation does not automatically apply to the customer environments within that cloud service.
Tata Communications Ltd. is a Service Provider focusing on Infrastructure as a Service (IaaS), where the hardware and network infrastructure is assessed.
TCL does not directly store, transmit or process any cardholder data (CHD) or sensitive authentication data (SAD); however, its customers may create or set up their own data environment, which can be considered a CDE, with the required tools and configuration to store, transmit or process cardholder data.
All processing, transmission, storage and protection of customer data, including CHD, is not the responsibility of the entity, as the entity has no authorization to access its customers' environments and does not provide the PCI DSS-required tools for customers to meet PCI DSS compliance.
The following services are covered as part of the infrastructure environment: