For sites that do ANYTHING with credit cards...
In July of 2010, the Payment Card Industry (PCI) will be rolling out the newest version of its Data Security Standard (DSS), with the corresponding fangs and fines. If you've not reviewed the PCI-DSS document lately, allow me to highly recommend it. There's some stuff in it that's going to be a real pain for us SB+ types, such as:
8.5.11 Use passwords containing both numeric and alphabetic characters
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used
8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts
8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID
8.5.15 If a session has been idle for more than 15 minutes, require the user to re-enter the password to reactivate the terminal
While these are all good ideas, they caught my eye because SB+ will help us with NONE of that; each of these controls has to be added to the application ourselves.
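Since the tool does nothing for us here, here is what enforcing 8.5.11 through 8.5.15 in application code actually looks like. This is an added example written for this post, not SB+ code and not anything from the PCI standard itself; it is in Python rather than the BASIC you would use inside SB+, the `AuthStore`/`Account` names are made up for the illustration, and the timestamps are passed in as plain epoch seconds so the behaviour can be checked without waiting 30 minutes. It also enforces the seven-character minimum from the neighbouring requirement 8.5.10, which is not quoted above.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy constants lifted from PCI DSS requirements 8.5.10 - 8.5.15.
MIN_PASSWORD_LENGTH = 7          # 8.5.10 (not quoted above): at least seven characters
PASSWORD_HISTORY = 4             # 8.5.12: reject any of the last four passwords
MAX_FAILED_ATTEMPTS = 6          # 8.5.13: lock the user ID after at most six failures
LOCKOUT_SECONDS = 30 * 60        # 8.5.14: lockout lasts at least 30 minutes
IDLE_TIMEOUT_SECONDS = 15 * 60   # 8.5.15: re-authenticate after 15 idle minutes
PBKDF2_ROUNDS = 100_000          # slow, salted hash so a stolen table is not a password list


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _new_record(password: str) -> tuple:
    """Fresh salt per stored password, so identical passwords never share a hash."""
    salt = os.urandom(16)
    return (salt, _hash(password, salt))


def _matches(password: str, record: tuple) -> bool:
    salt, digest = record
    return hmac.compare_digest(_hash(password, salt), digest)


def password_is_complex(password: str) -> bool:
    """8.5.11: both letters and digits (plus the 8.5.10 length floor)."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    current: tuple                                   # (salt, hash) of the live password
    history: list = field(default_factory=list)      # previous records, oldest first
    failed_attempts: int = 0
    locked_until: float = 0.0                        # epoch seconds; 0 means not locked
    last_activity: float = 0.0                       # epoch seconds; 0 means no session


class AuthStore:
    """Hypothetical in-memory user table; a real one would live in a file or database."""

    def __init__(self):
        self.accounts = {}

    def create(self, user: str, password: str) -> None:
        if not password_is_complex(password):
            raise ValueError("password must be 7+ characters with letters and digits")
        self.accounts[user] = Account(current=_new_record(password))

    def change_password(self, user: str, new_password: str) -> bool:
        """True if the change is accepted, False if policy rejects it."""
        acct = self.accounts[user]
        if not password_is_complex(new_password):
            return False
        # 8.5.12: the new password may not match the current one or any kept in history.
        if any(_matches(new_password, r) for r in [acct.current] + acct.history):
            return False
        acct.history.append(acct.current)
        acct.history = acct.history[-PASSWORD_HISTORY:]   # keep only the last four
        acct.current = _new_record(new_password)
        return True

    def login(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'locked' or 'denied'."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"            # same answer as a bad password: don't reveal valid IDs
        if now < acct.locked_until:
            return "locked"            # 8.5.14: still inside the lockout window
        if _matches(password, acct.current):
            acct.failed_attempts = 0
            acct.last_activity = now
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:   # 8.5.13
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
        return "denied"

    def unlock(self, user: str) -> None:
        """The 'or until administrator enables the user ID' clause of 8.5.14."""
        acct = self.accounts[user]
        acct.locked_until = 0.0
        acct.failed_attempts = 0

    def session_active(self, user: str, now: float) -> bool:
        """8.5.15: call on every screen; False means the user must log in again."""
        acct = self.accounts[user]
        if acct.last_activity == 0.0:
            return False
        if now - acct.last_activity > IDLE_TIMEOUT_SECONDS:
            acct.last_activity = 0.0   # session expired; force a fresh password entry
            return False
        acct.last_activity = now       # activity extends the session
        return True
```

The two things people get wrong when bolting this on: the idle check has to run on every screen, not just at login, and a correct password typed during the lockout window must still be refused, otherwise the lockout is only a speed bump.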
Overall, the PCI-DSS makes a lot of sense, but having just finished reading the document cover to cover I can't help but think that all of the "document this and that" requirements smack more of CYA than of any real protection. The parts that provide real protection are pretty straightforward and common sense, with the exception that if you even think about a credit card, you'd better have a firewall and an SSL connection to your brain. (Yes, of course I'm exaggerating.) Seriously, though: if any single individual in your organization can get at customer credit card information, then every system that stores, processes or transmits that data, and anything else on the same network as those systems, is subject to these rules. The standard does let you shrink that scope with network segmentation, but on a flat network it really is the whole shop, so it's important to get as informed as possible before the hammer drops in July.
The specification can be downloaded here:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml