I am a standards-based person and prefer to adopt existing best practices. When I work in the roles of Product Manager or Architect on an ISV product, I will ask the question: “If there is a security breach and data is lost, would it have a more severe impact on the firm than the loss of corporate credit cards?” If the answer is yes, then I hand out the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedu... (PCIDSS) and we proceed to identify what does not apply. What remains becomes part of the best practices recommendations for the product.
Many ISV products require SQL Server standard security or mixed security. These products are the primary focus of this set of posts. SQL Server logins are not rich in features. PCIDSS requirements are organized into four groups which I will address in subsequent posts: