
Payment Card Industry (PCI) Data Security Standard


caron


Presentation Transcript


  1. Payment Card Industry (PCI) Data Security Standard

  2. 12 requirements over six areas • Build & Maintain a Secure Network (2) • Protect Cardholder Data (2) • Maintain a Vulnerability Management Program (2) • Implement Strong Access Control Measures (3) • Regularly Monitor and Test Networks (2) • Maintain an Information Security Policy (1)

  3. 1) Build & Maintain a Secure Network • Install and maintain a firewall configuration to protect cardholder data • Establish firewall configuration standards • Formal process for testing and approving all external connections and changes to the firewall • Current network diagram showing all connections to cardholder data • Document all services and ports necessary for business • Justify and document any protocol in use besides HTTP, HTTPS and VPN • Justify risky protocols such as FTP: the business reason for using them and the security measures implemented to compensate • Review firewall and router rule sets at least quarterly (later versions of the standard relaxed this to at least every six months) • Configuration standards for routers

  4. Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for the protocols necessary for the cardholder data environment

  5. Firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data • Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment • Deny all other inbound and outbound traffic (explicit default deny, not merely the absence of an allow rule)
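The rule-set review in slides 3 to 5 is easier to do consistently with a script than by eye. The following is an added example, not part of the presentation: it reads a simplified iptables-save dump, checks that every chain defaults to DROP, and flags any ACCEPT rule that admits traffic into the cardholder data environment from any source or without a port restriction, plus any rule that opens a protocol (FTP, telnet) that the slides say needs written justification. The CDE address range, the chain contents and the rule lines are all constructed for the example.

```python
"""Review a simplified iptables-save dump for the properties the slides call
for: default-deny on every chain, no unrestricted ACCEPT into the cardholder
data environment (CDE), and a flag on protocols that need justification.
Added example; CDE_NET and SAMPLE_RULES are constructed, not from any real site."""
import shlex

CDE_NET = "10.20.0.0/16"            # assumed CDE address range (hypothetical)
RISKY_PORTS = {"21": "FTP", "23": "telnet"}   # need documented justification

# Constructed sample dump. Intentional findings: FORWARD defaults to ACCEPT,
# rule 1 admits anything from anywhere into the CDE, rule 3 opens FTP.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -s 0.0.0.0/0 -d 10.20.0.0/16 -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.0/16 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -d 10.20.0.0/16 -p tcp --dport 21 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Turn one '-A CHAIN <flag value>... -j TARGET' line into a dict.
    Missing -s/-d mean 'any', which is exactly what a reviewer must notice."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
            "proto": "all", "dport": None, "target": None}
    keys = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}
    for flag, val in zip(toks[2::2], toks[3::2]):
        if flag in keys:
            rule[keys[flag]] = val
    return rule


def review(dump):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for line in dump.splitlines():
        if line.startswith(":"):                      # chain header with policy
            chain, policy = line[1:].split()[:2]
            if policy != "DROP":
                findings.append(f"chain {chain}: default policy is {policy}, expected DROP")
        elif line.startswith("-A"):
            r = parse_rule(line)
            if r["target"] != "ACCEPT":
                continue
            if r["dst"] == CDE_NET and r["src"] == "0.0.0.0/0":
                findings.append(f"{r['chain']}: ACCEPT into CDE from any source")
            if r["dst"] == CDE_NET and r["dport"] is None:
                findings.append(f"{r['chain']}: ACCEPT into CDE with no port restriction "
                                f"(proto {r['proto']})")
            if r["dport"] in RISKY_PORTS:
                findings.append(f"{r['chain']}: {RISKY_PORTS[r['dport']]} (port {r['dport']}) "
                                "allowed; requires documented justification")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_RULES):
        print("FINDING:", f)
```

Real rule sets carry interface matches, connection-state rules and multiport lists that this parser does not model; the point is the shape of the check (policy per chain, then every ACCEPT measured against the documented services-and-ports list), not a drop-in auditor.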

  6. Do not use vendor-supplied defaults for system passwords and other security parameters • Develop configuration standards for all system components • Ensure the standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards • Hosting providers must protect each entity's hosted environment and data • Shared hosting providers must themselves comply with PCI DSS

  7. 2) Protect Cardholder Data • Keep cardholder data storage to a minimum • Data retention policy: keep data only as long as needed for • business • legal and/or • regulatory purposes • Do not store sensitive authentication data after authorization, even if encrypted: the full contents of any track from the magnetic stripe, the card verification code (CAV2/CVC2/CVV2/CID) and the PIN or encrypted PIN block

  8. Commonly used elements of cardholder and sensitive authentication data

  9. Mask the PAN when displayed • The first six and last four digits are the maximum that may be shown • Protect the encryption keys used to encrypt cardholder data • Restrict access to keys to the fewest custodians necessary • Store keys securely, in as few locations as possible
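Slides 7 and 9 together say two things that a script can enforce: a PAN shown to a user reveals at most the first six and last four digits, and full PANs or magnetic-stripe track data must not linger in storage such as application logs. The following is an added example and not code from the presentation: a masking helper, a Luhn check, and a scanner that finds unmasked PANs and track 1/track 2 fragments in free text. The log lines are constructed; the card numbers in them are the well-known test numbers, not real accounts.

```python
"""Requirement 3 helpers (added example): mask a PAN for display, validate a
candidate number with Luhn, and scan text (for example log output) for full
PANs or magnetic-stripe track data that must never be stored after
authorization.  SAMPLE_LOG is constructed; the PANs are test numbers."""
import re


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit test; trims false positives when scanning."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Return the PAN with at most the first six and last four digits visible."""
    if first > 6 or last > 4:
        raise ValueError("PCI DSS allows at most first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


# 13 to 19 digits, optional space or dash between digits, not inside a longer run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1: %B<PAN>^<NAME>^<YYMM>...   Track 2: ;<PAN>=<YYMM>...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def find_sensitive(text: str):
    """List (kind, match) for track data and Luhn-valid full PANs found in text."""
    hits = [("track1", m.group()) for m in TRACK1_RE.finditer(text)]
    hits += [("track2", m.group()) for m in TRACK2_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", digits))
    return hits


# Constructed application log: line 1 is correctly masked, line 2 leaks a full
# PAN (and a CVV, which no regex can reliably spot), line 3 leaks track 1 data,
# line 4 is a 17-digit order number that Luhn correctly rejects.
SAMPLE_LOG = """\
2024-03-01T10:00:01 INFO auth ok pan=411111******1111 amount=19.99
2024-03-01T10:00:02 DEBUG raw request pan=4111111111111111 cvv=123
2024-03-01T10:00:03 DEBUG swipe %B5555555555554444^DOE/JOHN^25121010000000000000?
2024-03-01T10:00:04 INFO order 20240301000000123 shipped
"""

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for kind, value in find_sensitive(SAMPLE_LOG):
        print(f"{kind}: {value}")
```

The scanner is deliberately biased toward recall: a 16-digit order number that happens to pass Luhn will be reported, and a reviewer then decides. Note that the DEBUG lines would be prevented outright by masking at the point of logging; scanning stored logs is the detective control that catches what the preventive one missed.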

  10. Encrypt transmission of cardholder data across open, public networks • Use strong cryptography and security protocols (for example TLS) • For wireless, use WPA or WPA2 • If WEP must be used, additional measures are needed, such as a minimum 104-bit key and restricting access by MAC address (note that later versions of the standard prohibited WEP entirely: for new wireless deployments after March 2009 and for all deployments after June 2010) • Never send unencrypted PANs by email or other end-user messaging
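What "strong cryptography and security protocols" means for an application that sends cardholder data over the Internet is a TLS client that verifies the server, checks the hostname and refuses pre-1.2 protocol versions. The following is an added example, not from the presentation, showing a hardened context beside a deliberately weak one and a small self-check that reports what is wrong with the weak one. It uses only the standard ssl module and makes no network connection.

```python
"""Added example: a TLS client context that meets the 'strong cryptography'
intent of Requirement 4, next to the kind of weak context that does not, and a
check that lists the differences.  No network access is needed."""
import ssl


def client_context() -> ssl.SSLContext:
    """Hardened client context: CA verification, hostname check, TLS 1.2+."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + system CA store
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION        # no TLS compression (CRIME)
    return ctx


def weak_context() -> ssl.SSLContext:
    """The pattern to avoid: verification disabled, any protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def check_context(ctx: ssl.SSLContext):
    """Return findings for a context; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


if __name__ == "__main__":
    print("hardened:", check_context(client_context()) or "ok")
    print("weak:    ", check_context(weak_context()))
```

Server-side configuration (web server, load balancer, payment gateway connector) needs the same three properties expressed in that product's own settings; the check above is the list of questions to ask of any of them.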

  11. 3) Maintain a Vulnerability Management Program • Use and regularly update anti-virus software • Deploy it on all systems commonly affected by malware (especially personal computers and servers) and ensure it is running and generating audit logs

  12. Develop and maintain secure systems and applications • Install the latest vendor security patches promptly • Develop software applications based on industry best practices, with security built into the development life cycle • Follow change control procedures for all system and software configuration changes

  13. 4) Implement Strong Access Control Measures • Restrict access to cardholder data by business need-to-know, with a default-deny access control system • Assign a unique ID to each person with computer access, so that every action can be traced to an individual • Account management: provisioning, removal of terminated users, lockout after repeated failed logins • Restrict physical access to cardholder data

  14. 5) Regularly Monitor and Test Networks • Track and monitor all access to network resources and cardholder data • Automated audit trails that record who did what, when, from where, to which resource, and whether it succeeded • Regularly test security systems and processes • Test controls on a regular basis • Run internal and external vulnerability scans at least quarterly and after any significant change • Penetration test at least once per year and after any significant infrastructure or application change
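Slides 13 and 14 describe what an audit trail has to contain and what it exists to reveal: every action attributable to a unique individual, and repeated failed logins caught before an account is brute-forced. The following is an added example, not from the presentation, that runs those checks over a constructed JSON-lines audit feed: each record must carry the who/what/when/outcome/origin/target fields, use of a shared or generic account is flagged, and a user reaching six failed logins from one source is reported for lockout. The field names, account names, hosts and threshold are assumptions for the example (the threshold follows the standard's "not more than six attempts").

```python
"""Added example: audit-trail checks over constructed JSON-lines events.
Checks: required fields present (Requirement 10), no shared/generic accounts
(Requirement 8), and failed-login lockout threshold reached (Requirement 8).
Field names, users, hosts and events are all constructed for the example."""
import json
from collections import Counter

REQUIRED = ("time", "user", "event", "result", "src", "target")   # assumed schema
SHARED_IDS = {"root", "admin", "administrator", "oracle", "sa", "dba", "shared"}
MAX_FAILED = 6   # assumption: lock out at six failed attempts, per the standard

# Constructed feed. Intentional findings: line 2 uses 'root' on a CDE host,
# line 3 has no 'target', and jsmith accumulates six failures from one source.
_events = [
    {"time": "2024-03-01T09:00:00Z", "user": "jsmith", "event": "login",
     "result": "success", "src": "10.10.1.5", "target": "db-cde-01"},
    {"time": "2024-03-01T09:01:00Z", "user": "root", "event": "login",
     "result": "success", "src": "10.10.1.9", "target": "db-cde-01"},
    {"time": "2024-03-01T09:02:00Z", "user": "mlee", "event": "query",
     "result": "success", "src": "10.10.1.7"},
]
for i in range(MAX_FAILED):
    _events.append({"time": f"2024-03-01T09:1{i}:00Z", "user": "jsmith",
                    "event": "login", "result": "failure",
                    "src": "203.0.113.8", "target": "db-cde-01"})
SAMPLE_FEED = "\n".join(json.dumps(e) for e in _events) + "\n"


def audit(feed: str):
    """Return a list of findings for a JSON-lines audit feed."""
    findings = []
    failed = Counter()                       # (user, src) -> failed login count
    for n, line in enumerate(feed.splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        missing = [f for f in REQUIRED if f not in ev]
        if missing:
            findings.append(f"line {n}: audit record missing {', '.join(missing)}")
        user = str(ev.get("user", ""))
        if user.lower() in SHARED_IDS:
            findings.append(f"line {n}: shared/generic account {user!r} used on "
                            f"{ev.get('target', '?')}; individual IDs required")
        if ev.get("event") == "login" and ev.get("result") == "failure":
            key = (user, ev.get("src"))
            failed[key] += 1
            if failed[key] == MAX_FAILED:
                findings.append(f"line {n}: {user} reached {MAX_FAILED} failed logins "
                                f"from {key[1]}; account should now be locked")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FEED):
        print("FINDING:", f)
```

In production the same logic runs inside the log management or SIEM platform rather than a script, and the lockout itself is enforced by the authentication system; the script shows what the audit trail has to contain for either of those to work, which is the point of slide 14.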

  15. 6) Maintain an Information Security Policy • Maintain a policy that addresses information security for employees and contractors • Document, maintain and disseminate it • Ensure the policy clearly defines security responsibilities for all employees and contractors • Establish a formal security awareness program • Screen potential employees before hire • Implement an incident response plan and the team to execute it
