Technical Support for Payment Card Industry Data Security Standard (PCI DSS) Compliance and Data Protection Act compliance


The Payment Card Industry (primarily the card schemes, Visa and Mastercard) is now taking steps to ensure that merchants and service providers become compliant with PCI DSS. Put simply, if you are not a bank or a card scheme, and credit card numbers either pass through or are stored on your IT systems, then you will need to become compliant with PCI DSS or face financial penalties. If you are found to have suffered a security breach resulting in the loss of card numbers, the fines can be devastating even to a fairly large organisation.

Zednax has recently worked with Nottingham-based Medoc to help them achieve PCI DSS compliance at Level 1 as a Service Provider. Zednax provided a full code review and modification service to ensure that Medoc's web applications comply with the Open Web Application Security Project (OWASP) guidelines, and also helped Medoc secure and administer Linux to meet PCI DSS requirements.

Some key features of the guidelines for web applications are:


Some key aspects of general IT security for PCI DSS are:


Zednax has the technical skills and experience to help you implement every aspect of the standard. Even where your business requires the services of an external auditor, Zednax can still provide the technical expertise to implement the auditor's recommendations.

From mid-2008, PCI DSS will additionally require you either to deploy a web application firewall or to have your organisation's code reviewed by an external company experienced in reviewing web applications for compliance with PCI DSS and the OWASP guidelines.

Additionally, following the recent non-credit-card data losses at a number of large organisations, any organisation storing information on individuals must carefully consider how it does so and ensure that it is 'taking appropriate steps to secure personal data', as the Data Protection Act requires.

Whilst there is undeniably a cost involved in building IT systems with high security in mind, the cost of a data loss, both in financial penalties and in reputation, should not be underestimated. Not only can Zednax help you mitigate this risk, but many of the techniques and changes Zednax can help you introduce will also make your application development and IT management more efficient, and therefore more cost-effective.