Scoping and Controls for PCI DSS
By Manish Mahapatra
PCI DSS and its applicability
• The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by the Payment Card Industry Security Standards Council (PCI SSC) for protecting the card ecosystem.
• The PCI SSC was created by the payment brands (Visa, MasterCard, AMEX, JCB and Discover), and they drive the implementation of the standard across the globe.
• Any entity that processes, stores or transmits the full card number needs to comply with all the PCI DSS controls. The entity can be a small brick-and-mortar merchant, an e-commerce site or a bank; if they process, store or transmit the full card number, all of them need to comply with PCI DSS.
PCI DSS Scoping – Applications
• This slide describes how an application comes under the purview of PCI DSS.
• In scope – If the application processes, stores or transmits the full card number at any point in time, then the application falls under the PCI DSS scope.
◦ An application can receive the card number as part of transaction processing, the settlement process or when querying a transaction.
• Out of scope – An application is out of scope if it only receives the truncated card number.
◦ A card number is truncated if only a few of the digits are visible while the rest of the digits are marked with ‘X’ or replaced with some other character.
◦ As per the PCI DSS requirement, only the first 6 digits and last 4 digits of the card number may be displayed, while the middle six digits must be truncated. It is acceptable to truncate the first 6 and last 4 digits as well, but the middle six must always be truncated.
◦ If the application receives the full 16-digit card number and then truncates it when storing it, the application still comes under the PCI DSS scope.
PCI DSS Scoping – Network and Servers
• This slide describes how servers and networks fall under the PCI DSS scope –
• In scope (servers) – If the server processes, stores or transmits the full card number, then the server falls under the PCI DSS scope.
◦ Or, if the server is deployed in the same V-LAN as another server that processes, stores or transmits the full card number, then the V-LAN or network segment, with all the servers deployed in it, comes under the purview of PCI DSS scope.
◦ For example, consider V-LAN 101, which has around 50 servers. If one of the 50 servers processes, transmits or stores the full card number, then all 50 servers come under the purview of PCI DSS scope.
• In scope (support servers) – Any support servers, such as AV, NTP or domain servers, that provide a supporting function to the PCI DSS scoped servers will also come under the purview of PCI DSS scope.
PCI DSS Scoping – Network and Servers
• This slide describes the measures for reducing the PCI DSS scope –
• Scoping out – The following measures reduce the PCI DSS scope –
◦ Create a dedicated V-LAN for PCI scoped servers (servers processing, transmitting or storing the card number)
◦ Deploy all the PCI scoped servers within the PCI V-LAN
◦ Restrict inter-V-LAN routing and deploy IP- and port-based ACLs (access control lists) for all incoming and outgoing traffic
◦ Use a jump server with two-factor authentication for accessing it, and restrict access to the PCI scoped servers to the jump server only
◦ Create dedicated V-LANs for the following segment –
◦ A support V-LAN for support servers such as AV, domain, NTP, etc.
◦ Allow inbound and outbound traffic to the PCI server V-LAN from these V-LANs, and deny all other inbound and outbound traffic.
PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number –
◦ Password policy – 7-character alphanumeric password with a maximum age of 90 days, a password history of 4 previous passwords, account lockout after 6 invalid login attempts with a lockout period of 30 minutes, and a session timeout of 15 minutes.
◦ User access control –
◦ Zero privileges or permissions when creating a new user or role
◦ An option for granting permission to view the full card number; this permission can be granted to a user and not to a role
◦ User passwords need to be hashed using either the SHA-256 or SHA-512 hashing algorithm
◦ Audit trails –
◦ All successful and unsuccessful login attempts to the application
◦ All actions taken by the application administrator
◦ Any system object level changes made by the application
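The password, lockout and session parameters listed above, enforced in code. This is an added example and not code from the deck: the parameter values follow the slide, while the storage format (salted PBKDF2-HMAC-SHA256, which wraps the SHA-256 the slide names with a per-user salt and an iteration count), the account record and the demo scenario are this example's own choices.

```python
"""Password, lockout and session policy for a card-handling application.
Added example (not code from the slide deck). Parameter values follow the
slide: 7-character alphanumeric, 90-day maximum age, history of 4, lockout
after 6 invalid attempts for 30 minutes, 15-minute session timeout.
Storage format is this example's choice: salted PBKDF2-HMAC-SHA256."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 4
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_PERIOD = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
PBKDF2_ITERATIONS = 100_000  # example's choice


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def meets_complexity(password: str) -> bool:
    """At least 7 characters, containing both letters and digits (alphanumeric)."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


@dataclass
class Account:
    user: str
    salt: bytes
    digest: bytes
    changed_at: datetime                      # when the current password was set
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None


def create_account(user: str, password: str, now: datetime) -> Account:
    if not meets_complexity(password):
        raise ValueError("password must be at least 7 characters with letters and digits")
    salt, digest = hash_password(password)
    return Account(user=user, salt=salt, digest=digest, changed_at=now)


def set_password(acct: Account, new_password: str, now: datetime) -> None:
    """Enforce complexity and the 4-password history, then rotate the stored hash."""
    if not meets_complexity(new_password):
        raise ValueError("password must be at least 7 characters with letters and digits")
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if verify_password(new_password, salt, digest):
            raise ValueError("password matches the current or one of the last 4 passwords")
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
    acct.salt, acct.digest = hash_password(new_password)
    acct.changed_at = now


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'bad_password', 'expired' or 'ok'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"                   # still inside the 30-minute lockout
        acct.locked_until = None              # lockout elapsed: counting starts afresh
        acct.failed_attempts = 0
    if not verify_password(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_PERIOD
        return "bad_password"
    if now - acct.changed_at > MAX_AGE:
        return "expired"                      # correct, but older than 90 days: force a change
    acct.failed_attempts = 0
    acct.last_activity = now
    return "ok"


def session_active(acct: Account, now: datetime) -> bool:
    """True while the session has been idle for no more than 15 minutes."""
    return acct.last_activity is not None and now - acct.last_activity <= IDLE_TIMEOUT


def run_policy_demo() -> List[str]:
    """Walk one constructed account through the policy and return the observed outcomes."""
    t0 = datetime(2025, 1, 1, 9, 0)
    acct = create_account("alice", "Secr3tPass", t0)
    out = [login(acct, "Secr3tPass", t0)]                                   # ok
    out.append("session-active" if session_active(acct, t0 + timedelta(minutes=16))
               else "session-expired")                                      # idle > 15 min
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(acct, "wrong1234", t0)                                         # 6 failures -> lockout
    out.append(login(acct, "Secr3tPass", t0 + timedelta(minutes=10)))       # locked
    out.append(login(acct, "Secr3tPass", t0 + timedelta(minutes=31)))       # ok: lockout elapsed
    try:
        set_password(acct, "Secr3tPass", t0)
        out.append("reuse-accepted")
    except ValueError:
        out.append("reuse-rejected")                                         # history check
    set_password(acct, "N3wPassw0rd", t0)
    out.append(login(acct, "N3wPassw0rd", t0 + timedelta(days=91)))         # expired
    return out


if __name__ == "__main__":
    print(run_policy_demo())
```

The lockout is a wall-clock window rather than a permanent flag, so the counter only resets once the 30 minutes have passed, and an expired password is reported only after the password itself verified, so the response never tells an attacker which of the two checks failed first.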
PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number –
◦ Encryption and key management –
◦ In case the application stores the card number (full 16 digits), the application should use AES-128 or above, 3-DES, or RSA 1024-bit or above as the encryption algorithm for encrypting the card number
◦ The application should use the controls specified in PCI DSS Requirements 3.5 and 3.6 for managing the encryption keys
◦ Secure code review –
◦ For every major change to the application, the Client needs to conduct a secure code review using the OWASP Secure Code Review Guide as a reference.
◦ In the case of minor changes, conduct the secure code review on an annual basis
◦ Application penetration testing following the OWASP Testing Guide –
◦ If the application has a web interface or web-service calls, then web application penetration testing of the web interface and web services is to be conducted on a bi-annual basis following the OWASP Testing Guide
PCI DSS Controls – Servers
• This slide describes the list of controls to be deployed on the servers –
◦ Hardening – The Client needs to harden the servers based on industry best practice. Hardening should be carried out for database and web servers as well.
◦ Deploy AV – An AV solution needs to be deployed on all the PCI scoped servers and should be configured to run a full system scan on a weekly basis.
◦ Deploy a File Integrity Monitoring (FIM) solution – The FIM solution should be deployed to monitor any changes made to system configuration files and application configuration files
◦ Configure NTP – Servers should be configured for time synchronization from a central NTP server
◦ Configure the audit trails – Servers should be configured to generate all types of logs and audit trails and push them to a central log server
◦ Monthly patching – The Client should have a process for patching the servers on a monthly basis, and it should not be restricted to just OS patches but should cover application and application library patches as well
◦ Quarterly vulnerability assessment scans – The Client needs to conduct a credentialed vulnerability assessment scan using either Nessus or Qualys Guard on a quarterly basis
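What the File Integrity Monitoring control on this slide actually does, shown as a minimal monitor: baseline the configuration files under a directory, keep the baseline outside the monitored tree, and report added, removed and modified files. This is an added example, not any FIM product's code; the watched suffixes, the directory layout and the sample configuration files are constructed for the demo.

```python
"""Minimal file integrity monitor (FIM): record a SHA-256 baseline of the
configuration files under a directory, store it off to the side, and later
report files that were added, removed or modified. Added example, not any
FIM product's code. The monitored tree and its files are constructed in a
temporary directory so the demo runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Which files count as configuration is this example's choice
WATCHED_SUFFIXES = {".conf", ".cfg", ".ini", ".yaml", ".yml", ".json", ".properties"}


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each watched file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }


def save_baseline(baseline: Dict[str, str], dest: Path) -> None:
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def run_fim_demo() -> Dict[str, List[str]]:
    """Baseline a constructed config tree, change it four ways, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        monitored = Path(tmp) / "srv"
        (monitored / "etc").mkdir(parents=True)
        (monitored / "etc" / "app.conf").write_text("db_host=10.0.0.5\nlog_level=info\n")
        (monitored / "etc" / "ntp.conf").write_text("server ntp.internal iburst\n")
        (monitored / "etc" / "README.txt").write_text("not a watched suffix\n")

        baseline_file = Path(tmp) / "baseline.json"   # kept outside the monitored tree
        save_baseline(build_baseline(monitored), baseline_file)

        # Simulate drift: one edit, one deletion, one new file, one edit to an unwatched file
        (monitored / "etc" / "app.conf").write_text("db_host=10.0.0.5\nlog_level=debug\n")
        (monitored / "etc" / "ntp.conf").unlink()
        (monitored / "etc" / "web.conf").write_text("listen 443 ssl\n")
        (monitored / "etc" / "README.txt").write_text("changed, but not watched\n")

        return compare(load_baseline(baseline_file), build_baseline(monitored))


if __name__ == "__main__":
    print(json.dumps(run_fim_demo(), indent=2))
```

Two points the demo makes concrete: the baseline must live somewhere the monitored host cannot silently rewrite (here a separate path, in practice the central log or FIM server), and the monitor only reports what it is told to watch, so the watched-file list is itself a configuration item that belongs under the change management process on the later slides.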
PCI DSS Controls – Infrastructure
• This slide describes the list of controls to be deployed at the infrastructure level –
◦ Create a demilitarized zone (DMZ) – Create a PCI DMZ for deploying all PCI scoped web servers
◦ Deploy an Intrusion Prevention System (IPS) – Deploy an IPS to monitor both incoming and outgoing traffic for the PCI scoped server segment
◦ Deploy a centralized log server and log monitoring process –
◦ Logs and audit trails from all applications, servers and network components need to be pushed to a central log server
◦ A log monitoring solution needs to be deployed to generate security alerts
◦ Deploy a centralized AV console and patch management system – The AV solution and patch management system need to be centralized solutions
PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS –
◦ A change management process for making any change, covering –
◦ Any firewall rule change
◦ Any change to the network component configuration
◦ Any change to the servers
◦ Any application level change
◦ Hardening guidelines for hardening system and network components, such as –
◦ Hardening the server OS
◦ Hardening other applications deployed on the server, such as the database, web server, etc.
◦ Hardening the network components
PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS –
◦ Incorporate security controls into the Software Development Life Cycle (SDLC) for developing internal applications
◦ A process for reviewing the user lists in the domain, applications and network components on a quarterly basis
◦ A process for conducting a risk assessment on an annual basis for all processes and environments handling the card number
◦ A process for conducting an internal information security awareness and training program on an annual basis
◦ A card finder tool should be run on a quarterly basis on all the servers to identify all the locations where card numbers are getting captured
◦ A credentialed internal vulnerability assessment should be conducted on a quarterly basis
◦ An internal pen-test should be conducted on a bi-annual basis
PCI DSS Controls – Desktops
• This slide describes the list of controls to be deployed for user desktops that process the card number
◦ The user desktops cover all Client personnel who will be entering or viewing the full card number (such as the finance or collections department)
◦ The desktops should have a DLP solution deployed
◦ Card finder tools should be run on a quarterly basis to identify whether the card number is getting captured or not
◦ Internet access should be restricted to a few whitelisted URLs
◦ Desktops should be configured to generate audit trails / logs and push them to a central log server
◦ Other solutions such as AV, FIM and VAPT (vulnerability assessment) need to be deployed
◦ The user V-LAN or network segment will come under the purview of PCI DSS scope, and all PCI DSS controls such as AV, VAPT, FIM and audit trails need to be configured on all the systems deployed in that V-LAN or network segment.
Steps for confirming the PCI Scope
• This slide details the next set of steps to be taken by the Client for determining the PCI DSS scope –
◦ Run a card finder tool – The Client needs to run card finder tools on all the servers and desktops across the Client network. The objective of running the card finder tool is to identify all the locations (for example Excel sheets, log files, databases, etc.) where the full card number is getting stored.
◦ Analyze to terminate or to include – Analyze each location where the full card number is getting stored and confirm the following –
◦ The source from which the location is receiving the full card number
◦ Whether the full card number is required or whether only the truncated card number will suffice
◦ Please note that in 99.99% of cases the full card number will not be required. If any user or business function requires the full card number, then confirm the following with them –
◦ When they last used the full card number
◦ And whether they can use any other data apart from the full card number for the business function
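The card finder step above, and the truncation rule from the "PCI DSS Scoping – Applications" slide (first 6 and last 4 digits visible, middle digits replaced), as one added example that is not part of the deck and is not any vendor's card finder tool. It scans text sources for 13-19 digit runs, drops candidates that fail the Luhn check, and reports each hit with the card number already truncated so the report itself does not become another in-scope location. The regular expression, the sample sources and the line/column format are this example's own choices; the card numbers in the samples are the well-known Visa, MasterCard and Amex test numbers, not real accounts.

```python
"""Card-finder scan: find full (unmasked) card numbers in text sources and
report each location with the PAN truncated to first 6 + last 4, the display
form the slide permits. Added example, not any vendor's card-finder tool.
The sources below are constructed; the card numbers in them are the well-known
Visa/MasterCard/Amex test numbers, not real accounts."""
import re
from typing import Dict, List

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Masked values such as 411111XXXXXX1111 never match.
CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-card digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first 6 and last 4; every digit in between becomes 'X'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a 13-19 digit card number")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def is_truncated(value: str) -> bool:
    """True when a 13-19 position value exposes no digit beyond first 6 + last 4."""
    s = re.sub(r"[ -]", "", value)
    if not 13 <= len(s) <= 19:
        return False
    return not any(c.isdigit() for c in s[6:-4])


def scan_sources(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one finding per full PAN: source name, line number, masked PAN."""
    findings = []
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for m in CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    findings.append({"source": name, "line": lineno, "pan": mask_pan(digits)})
    return findings


# Constructed sample sources standing in for a log file, a spreadsheet export and a ticket
SAMPLE_SOURCES = {
    "app/settlement.log": (
        "2025-03-01 10:02:11 SETTLE txn=88213 pan=4111111111111111 amount=120.00\n"
        "2025-03-01 10:02:12 SETTLE txn=88214 pan=411111XXXXXX1111 amount=80.00\n"
    ),
    "finance/refunds.csv": "txn,card,amount\n88215,5555 5555 5555 4444,15.00\n88216,1234567890123456,9.99\n",
    "support/ticket.txt": "Customer quoted card 3782-822463-10005 on the phone, see txn 88217\n",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLE_SOURCES):
        print(f"{f['source']}:{f['line']}: {f['pan']}")
```

Run against the constructed sources it reports three locations (the settlement log, the refunds export and the support ticket) and skips the already-truncated log entry and the 16-digit order id that fails the Luhn check. A real tool would also open spreadsheets, database dumps and compressed archives, but the classification logic is the same: a candidate digit run, a Luhn filter, and a truncated value in the report.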
Steps for confirming the Scope
• This slide details the next set of steps to be taken by the Client for determining the PCI DSS scope –
◦ Finalize the locations – Finalize all the locations where the full card number is required to be processed, stored or transmitted. Please note that if the full card number is received and the application only stores the truncated card number, then that system will still be in PCI DSS scope.
◦ Based on the above step, identify and finalize all the servers and user desktops within the Client network that process, store or transmit the full card number.
◦ The V-LAN or network segment in which these servers and user desktops are deployed will come under the PCI DSS scope, including all the servers and user desktops deployed in the scoped V-LANs / network segments.
Thank You!
Manish M
Cyber Security Training Provider
Manish.cor@gmail.com
Contact: +91-9036350000
Linked-in: https://www.linkedin.com/in/manishmahapatra
Join my group on https://www.linkedin.com/groups/6517220 for more updates.