Payment Card Industry

About This Presentation

Title:

Payment Card Industry

Description:

Telnet. 2500. LANplex. 3COM. Admin. admin. admin. Multi ... Telnet. 7000. CellPlex. 3COM. Privileges. PASSWORD. Username. Access Type. Version. Model. Vendor ... – PowerPoint PPT presentation

Number of Views:321

Avg rating:3.0/5.0

Slides: 25

Provided by: hum65

Category:

more less

Transcript and Presenter's Notes

Title: Payment Card Industry

1
Payment Card Industry Data Security Standard
What does it mean and how to build systems to
comply with them
Eddie Humphries IT Audit Manager
2
Contents

Background
What it is
Merchant Levels
The Requirements

3
What is PCI DSS?
The PCI DSS is a multifaceted security standard
that includes requirements for security
management, policies, procedures, network
architecture, software design and other critical
protective measures.
4
6 Categories with 12 Requirements

Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall
configuration to protect cardholder data
Requirement 2 Do not use vendor-supplied
defaults for system passwords and other security
parameters
Protect Cardholder Data
Requirement 3 Protect stored cardholder data
Requirement 4 Encrypt transmission of cardholder
data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update
anti-virus software
Requirement 6 Develop and maintain secure
systems and applications

5
6 Categories with 12 Requirements (cont)

Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data
by business need-to-know
Requirement 8 Assign a unique ID to each person
with computer access
Requirement 9 Restrict physical access to
cardholder data
Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to
network resources and cardholder data
Requirement 11 Regularly test security systems
and processes
Maintain an Information Security Policy
Requirement 12 Maintain a policy that addresses
information security

6
Merchant Levels
Level 1 Merchants with more than 6,000,000
transactions per year. Other merchants in Level 1
will be merchants whose security has been
violated and data compromised and merchants which
another credit card company have classified as
Level 1. Level 2 Merchants with 150,000 to
6,000,000 transactions per year. Level
3 Merchants with 20,000 to 150,000 transactions
per year. Level 4 Merchants with less than
20,000 transactions per year
7
Merchant Levels What you MUST do
Level 1 Comply with all 12 PCI DSS
requirements Complete a successful quarterly scan
using an approved scanning vendor (ASV) Be
externally audited by a Qualified Security
Assessor (QSA) Level 2 - 4 Comply with all 12
requirements PCI DSS requirements Complete a
successful quarterly scan using a ASV Submit an
annual Self Assessment Form to the acquiring
bank.
8
Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall
configuration to protect cardholder data

Formal process for Firewall changes
Network diagram showing connections to card
holder data
Quarterly review of firewall and router rule sets
Obtain and inspect the firewall configuration
standards and other documentation to verify that
the standards are complete.

Standards and documentation for rules and
connections
Restricting inbound and outbound traffic to that
which is necessary for the cardholder data
environment
Denying all other inbound and outbound traffic
not specifically allowed

9
Changes to Network Strategy
10
Changes to Network Strategy
11
Build and Maintain a Secure Network
Requirement 2 Do not use vendor-supplied
defaults for system passwords and other security
parameters

Check to ensure that vendor defaults have been
removed or inhibited.

12
Protect Cardholder Data
Requirement 3 Protect stored cardholder data

A data retention and disposal policy exists and
is followed
Cardholder data that is prohibited from being
stored or prohibited after authorisation is not
kept
Encryption, truncation or masking of the PAN is
performed appropriately
Logical access to the unencrypted PAN is
controlled adequately
Encryption keys are protected
A key management process exists
Encryption keys are of adequate strength

13
Protect Cardholder Data
Requirement 4 Encrypt transmission of cardholder
data across open, public networks

Cryptography and security protocols
Wireless network transmission
Email transmission

14
Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update
anti-virus software

Anti-virus is used
Anti-virus software is up to date
Anti-virus software generates audit logs

15
Maintain a Vulnerability Management Program
Requirement 6 Develop and maintain secure
systems and applications

Patches are up to date.
Process to identify new vulnerabilities
Patches are tested before updating
Change control process exists
Coding is secure
Web facing applications are protected

16
Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data
by business need-to-know

Access is restricted to authorised personnel.

17
Implement Strong Access Control Measures
Requirement 8 Assign a unique ID to each person
with computer access

Access is controlled by unique user-ID and
password
Remote connections are controlled by two-factor
authentication
User-ID and password management is compliant with
best practice standards (e.g. ISO27001)

18
Implement Strong Access Control Measures
Requirement 9 Restrict physical access to
cardholder data

Physical access control exist to site and
facilities
Visible identification of employees, contractors
and visitors
Visitor log maintained
Secured storage and arrangements for confidential
paperwork, media, backup tapes, etc
Destruction of information

19
Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to
network resources and cardholder data