PCI presentation
Download as PPTX, PDF1 like365 views
The document discusses PCI-DSS compliance, which represents a common set of industry tools and measurements to help ensure the safe handling of sensitive cardholder data. It applies to any entity that stores, processes, or transmits cardholder data. The document outlines the 12 requirements of PCI-DSS compliance, including building a secure network, protecting cardholder data, maintaining vulnerability management, and more. It provides details on what is required to comply with each of the 12 requirements.
PCI presentation
- 1. What is PCI – DSS Compliance and Who needs to do this?
- 2. The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process - including preventing, detecting and reacting to security incidents. Applies to any entity that stores, processes and/or transmits CHD.
- 3. PCI is not government legislation. It is an industry regulation. The major Card Brands (Visa, MC, Discover, Amex) decided to create regulations which were initially agreed upon by the Card Brands in 2004. PCI DSS version 1 is dated December 2004. On June 30, 2005, the regulations took effect. The PCI Security Standards Council came into existence in 2006.
- 4. Build and Maintain a Secure Network Protect Card Holder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy
- 5. 1) Install and Maintain a firewall configuration to protect Card Holder Data (CHD) ◦ Firewall and Router configuration standards ◦ Review Network Diagram ◦ Firewall and Router connections are restricted (inbound/outbound traffic) ◦ No direct internet connection to CHD (DMZ) 2) Do not use vendor supplied defaults ◦ Attempt to sign on with defaults ◦ Hardening standards and system configuration ◦ Non-console admin access is encrypted
- 6. 3) Protect stored CHD ◦ Retention Policy and Procedures ◦ Quarterly process for deleting stored CHD ◦ Sample incoming transactions, logs, history files, trace files, database schemas and content ◦ Do not store full track, CVV or PIN ◦ Render PAN unreadable (mask/truncate) ◦ Encryption and key management 4) Encrypt transmission of CHD ◦ Verify encryption and encryption strength ◦ Verify wireless is industry best practice (no WEP)
- 7. 5) Use and regularly update Antivirus software ◦ All system have AV ◦ AV is current, actively running and logging 6) Develop and maintain secure systems and applications ◦ Patch management – current within one month ◦ ID new security vulnerabilities with risk rating ◦ Custom code is reviewed prior to release ◦ Change management process ◦ Developers are trained in secure coding techniques
- 8. 7) Restrict access to CHD by need-to-know ◦ Review access policies ◦ Confirm access rights for privileged users ◦ Confirm access controls are in place ◦ Confirm access controls default with “deny-all” 8) Assign a unique ID to each user ◦ Verify all users have a unique ID ◦ Verify authentication with ID/PW combination ◦ Verify two-factor authentication for remote access ◦ Verify terminated users are deleted ◦ Inspect configurations for PW controls
- 9. 9) Restrict physical access to CHD ◦ Access to computer rooms and data centers ◦ Video cameras are in place and video is secure ◦ Network jacks are secure – not in visitor area ◦ Process for assigning badges ◦ Storage locations are secure (offsite media) 10) Track and monitor all access to network resources ◦ Review audit trails – actions, time, date, user, etc. ◦ Time server updates and distribution ◦ Process to review security logs
- 10. 11) Regularly test security systems ◦ Test for wireless access points ◦ Internal and external network vulnerability scans ◦ Internal and external penetration testing annually ◦ File integrity monitoring tools are used 12) Maintain security policies ◦ Policies are reviewed at least annually ◦ Explicit approval is required for access ◦ Auto disconnect for inactivity-internal and remote ◦ Security awareness program is in place ◦ Incident Response Plan
- 11. ~260 tests ◦ PCI DSS gives both the requirement and the test ◦ Every test has to have an answer ◦ Every bullet within each test must have an answer ◦ If the requirement is not in place, a target date and comments must be made ◦ If there are compensating controls, a Compensating Control Worksheet must be completed
- 12. Attestation of Compliance Executive Summary Score Report on Compliance Test Procedures Score Sheet Report on Compliance
- 13. Service providers Third-party applications Individuals interviewed with titles List of documentation reviewed My contact information Quarterly scan information Findings and observations
- 14. How each control was tested ◦ Observation – configuration or process ◦ Sampling ◦ Interview with whom ◦ Document reviews
- 15. Eng. Mahmoud Salaheldin Network and info Security Architecture