What is PCI DSS?
Payment Card Industry Data Security Standard
For consistent data security measures globally
12 measures in six groups
PCI DSS is a minimum set of controls
It does not supersede local laws and regulations
It is enforced contractually (through the card brands and acquirers), not by statute
PCI DSS only applies where PANs are stored, processed or transmitted
www.pcisecuritystandards.org
1. Build and Maintain a secure network
Install and maintain a Firewall configuration.
Do not use vendor supplied defaults for passwords, and other security parameters.
2. Protect Card Holder Data
Protect stored cardholder data
Encrypt transmission of cardholder data across open public networks
3. Maintain a Vulnerability Management Program
Use and regularly update anti-virus software or programs
Develop and maintain secure systems and applications
4. Implement strong Access control measures
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
5. Regularly Monitor and Test networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes
6. Maintain an Information Security Policy
Maintain a policy that addresses Information Security for all personnel
Cardholder data
Primary Account Number (PAN)
Cardholder name
Expiration date
Service Code
Sensitive Authentication Data
Magnetic stripe data or equivalent on a chip
CAV2/CVC2/CVV2/CID
PINs / PIN Blocks
What is PA-DSS ?
Payment Application Data Security Standard
PA-DSS applies to software sold "off the shelf" by 3rd parties
PA-DSS does not apply to applications developed by merchants and service providers for use in-house. (this is covered by PCI-DSS)
PCI-DSS applies to
All system components (VMs, switches, routers, hypervisors, firewalls, wireless access points, servers, applications, including Internet-based services, and network services such as NTP and DNS)
Scope
Is a primary requirement
cardholder data flows help set scope
business practices and processes need careful consideration and may need re-engineering.
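Scoping starts with finding where PANs actually turn up, and they often surface in places nobody drew on the data-flow diagram (application logs are the classic case). The following is an added example, not part of the original notes: a small log scanner that finds candidate PANs by their format, confirms them with the Luhn check that card numbers carry, and reports them masked to the first six and last four digits, which is the most PCI DSS permits to be displayed. The sample log lines are constructed for the example; the card numbers in them are the widely published test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer run of digits. Format alone is a weak signal; the
# Luhn check below removes most timestamps, order numbers and trace IDs.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) that every payment card PAN satisfies."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN as first six / last four, the maximum PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN candidate in a string, separators removed."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for each Luhn-valid PAN found.

    Only the masked form is returned so the scanner's own output does not
    become a new store of cardholder data.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


# Constructed sample log lines (assumed format; test card numbers only).
SAMPLE_LOG = [
    "2023-11-04T10:01:02 checkout order=88213 card=4111 1111 1111 1111 amount=19.99",
    "2023-11-04T10:01:03 refund card=5500-0000-0000-0004 amount=5.00",
    "2023-11-04T10:01:04 trace id=1234567890123456 status=ok",
    "2023-11-04T10:01:05 checkout card=411111******1111 amount=2.50",
]

if __name__ == "__main__":
    for line_no, masked in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: PAN present ({masked})")
```

Lines 1 and 2 are reported; line 3 is a 16-digit trace ID that fails the Luhn check, and line 4 already holds a masked PAN, which is what the logs should have contained in the first place. Two caveats: a Luhn match is evidence, not proof, so confirm hits against the application before redrawing the scope, and any host this scanner reads logs from is handling PANs and therefore in scope itself.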
Network Segmentation is
Recommended
Wireless
Use only for non-sensitive data
Carefully consider the Risk
MUST be tested
Service Providers
Need their own PCI-DSS compliance or will have their services reviewed as part of their customers audits.
The Report on Compliance (ROC) documents the role of each service provider.
Sampling
Sampling of Business Facilities / System components is allowed, however all applicable PCI DSS requirements must be considered.
Compensating Controls
A Compensating Controls Worksheet must be completed for each compensating control and documented in the ROC.
Report on Compliance contains
1. Executive Summary
Description of the entity's payment card business and the High Level network diagram.
2. Details of Scope of Work and approach taken
Validation of the Scope
Environment on which the assessment is focused
Segmentation
Details of sampling
Other related entities that require compliance
Wireless Lans
Version of requirements used
3. Details about the reviewed environment
Cardholder data flows
Hardware and Software (Assets)
Services Providers
Individuals Interviewed
Documents reviewed
For MSPs, which requirements apply (and which are the responsibility of the customer)
4. Contact Information and report date
5. Quarterly Scan results
ASV scan results (for all external IP addresses)
6. Findings and Observations
Compliance Completion Steps
1. Complete the ROC
2. Provide evidence of passing scans from ASV
3. Complete the "Attestation of compliance"
4. Submit all to the Acquirer, or Payment Brand
PCI SSC
Payment card Industry Security Standards Council
ASV
Approved Scanning Vendors
QSA
Qualified Security Assessor