Objective 3: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Objective 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Objective 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Objective 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Source: PCI Security Standards Council
The Gramm-Leach-Bliley (GLB) Act of 1999
What it covers: Also known as the Financial Modernization Act of 1999, the GLB Act includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and pretexting provisions.
Who is affected: Financial institutions (banks, securities firms, insurance companies), as well as companies providing financial products and services to consumers (including lending, brokering or servicing any type of consumer loan; transferring or safeguarding money; preparing individual tax returns; providing financial advice or credit counseling; providing residential real estate settlement services; collecting consumer debts).
Link to the law: The Privacy of Consumer Financial Information rule within GLB: http://www.ftc.gov/os/2000/05/65fr33645.pdf
Laws and rules pertaining to GLB: http://www.ftc.gov/privacy/privacyinitiatives/financial_rule_lr.html
Key requirements/provisions: The privacy requirements of GLB include three principal parts:
The Financial Privacy Rule: Requires financial institutions to give customers privacy notices that explain their information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information.