Payment Card Industry - PowerPoint PPT Presentation

Slides: 25
Provided by: hum65

Transcript and Presenter's Notes

1
Payment Card Industry Data Security Standard
What it means and how to build systems that
comply with it
Eddie Humphries, IT Audit Manager
2
Contents
  • Background
  • What it is
  • Merchant Levels
  • The Requirements

3
What is PCI DSS?
The PCI DSS is a multifaceted security standard
that includes requirements for security
management, policies, procedures, network
architecture, software design and other critical
protective measures.
4
6 Categories with 12 Requirements
  • Build and Maintain a Secure Network
      • Requirement 1 Install and maintain a firewall
        configuration to protect cardholder data
      • Requirement 2 Do not use vendor-supplied
        defaults for system passwords and other security
        parameters
  • Protect Cardholder Data
      • Requirement 3 Protect stored cardholder data
      • Requirement 4 Encrypt transmission of cardholder
        data across open, public networks
  • Maintain a Vulnerability Management Program
      • Requirement 5 Use and regularly update
        anti-virus software
      • Requirement 6 Develop and maintain secure
        systems and applications

5
6 Categories with 12 Requirements (cont)
  • Implement Strong Access Control Measures
      • Requirement 7 Restrict access to cardholder data
        by business need-to-know
      • Requirement 8 Assign a unique ID to each person
        with computer access
      • Requirement 9 Restrict physical access to
        cardholder data
  • Regularly Monitor and Test Networks
      • Requirement 10 Track and monitor all access to
        network resources and cardholder data
      • Requirement 11 Regularly test security systems
        and processes
  • Maintain an Information Security Policy
      • Requirement 12 Maintain a policy that addresses
        information security

6
Merchant Levels
  • Level 1: Merchants with more than 6,000,000
    transactions per year. Level 1 also includes
    merchants whose security has been violated and
    data compromised, and merchants which another
    credit card company has classified as Level 1.
  • Level 2: Merchants with 150,000 to 6,000,000
    transactions per year.
  • Level 3: Merchants with 20,000 to 150,000
    transactions per year.
  • Level 4: Merchants with less than 20,000
    transactions per year.
7
Merchant Levels What you MUST do
  • Level 1
      • Comply with all 12 PCI DSS requirements
      • Complete a successful quarterly scan using an
        Approved Scanning Vendor (ASV)
      • Be externally audited by a Qualified Security
        Assessor (QSA)
  • Levels 2 - 4
      • Comply with all 12 PCI DSS requirements
      • Complete a successful quarterly scan using an ASV
      • Submit an annual Self Assessment Form to the
        acquiring bank
8
Build and Maintain a Secure Network
Requirement 1 Install and maintain a firewall
configuration to protect cardholder data
  • Formal process for Firewall changes
  • Network diagram showing connections to
    cardholder data
  • Quarterly review of firewall and router rule sets
  • Obtain and inspect the firewall configuration
    standards and other documentation to verify that
    the standards are complete.
  • Standards and documentation for rules and
    connections
  • Restricting inbound and outbound traffic to that
    which is necessary for the cardholder data
    environment
  • Denying all other inbound and outbound traffic
    not specifically allowed

9
Changes to Network Strategy
10
Changes to Network Strategy
11
Build and Maintain a Secure Network
Requirement 2 Do not use vendor-supplied
defaults for system passwords and other security
parameters
  • Check to ensure that vendor defaults have been
    removed or inhibited.

12
Protect Cardholder Data
Requirement 3 Protect stored cardholder data
  • A data retention and disposal policy exists and
    is followed
  • Cardholder data that is prohibited from being
    stored, or that may not be retained after
    authorisation, is not kept
  • Encryption, truncation or masking of the PAN is
    performed appropriately
  • Logical access to the unencrypted PAN is
    controlled adequately
  • Encryption keys are protected
  • A key management process exists
  • Encryption keys are of adequate strength
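As an added example (not part of the presentation), a small Python module showing the truncation and masking controls from this slide, plus a Luhn-filtered scan that finds PANs where they must not be kept, such as application logs. The first-six/last-four display format is the PCI DSS display limit, assumed here; the sample log lines and card number are constructed.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines (not real data): the first leaks a full PAN,
# the second carries a 16-digit reference that is not a card number.
SAMPLE_LOG = [
    "2009-03-02 10:15:01 order=18821 pan=4111 1111 1111 1111 status=approved",
    "2009-03-02 10:15:07 order=18822 ref=0000-1234-5678-9012 status=approved",
]

def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(pan: str) -> str:
    return re.sub(r"\D", "", pan)

def mask_pan(pan: str) -> str:
    """Display masking: first six and last four digits visible, the rest masked
    (first-six/last-four is the PCI DSS display limit, assumed here)."""
    digits = _digits(pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def truncate_pan(pan: str) -> str:
    """Storage truncation: keep only the last four digits; the PAN cannot be rebuilt."""
    return _digits(pan)[-4:]

def find_pans(text: str) -> list[str]:
    """Luhn-valid PANs (digits only) found in text, e.g. when scanning logs for
    cardholder data that must not be kept."""
    hits = [_digits(m.group(0)) for m in PAN_RE.finditer(text)]
    return [d for d in hits if 13 <= len(d) <= 19 and luhn_valid(d)]

def redact(text: str) -> str:
    """Replace every detected PAN in text with its masked form."""
    def repl(m: re.Match) -> str:
        d = _digits(m.group(0))
        return mask_pan(d) if 13 <= len(d) <= 19 and luhn_valid(d) else m.group(0)
    return PAN_RE.sub(repl, text)
```

Running `find_pans` over each line of a log export is a quick check for the "prohibited data is not kept" item; the Luhn filter keeps order numbers and reference codes out of the results.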

13
Protect Cardholder Data
Requirement 4 Encrypt transmission of cardholder
data across open, public networks
  • Cryptography and security protocols
  • Wireless network transmission
  • Email transmission

14
Maintain a Vulnerability Management Program
Requirement 5 Use and regularly update
anti-virus software
  • Anti-virus is used
  • Anti-virus software is up to date
  • Anti-virus software generates audit logs

15
Maintain a Vulnerability Management Program
Requirement 6 Develop and maintain secure
systems and applications
  • Patches are up to date.
  • Process to identify new vulnerabilities
  • Patches are tested before updating
  • Change control process exists
  • Coding is secure
  • Web facing applications are protected

16
Implement Strong Access Control Measures
Requirement 7 Restrict access to cardholder data
by business need-to-know
  • Access is restricted to authorised personnel.

17
Implement Strong Access Control Measures
Requirement 8 Assign a unique ID to each person
with computer access
  • Access is controlled by unique user-ID and
    password
  • Remote connections are controlled by two-factor
    authentication
  • User-ID and password management is compliant with
    best practice standards (e.g. ISO27001)

18
Implement Strong Access Control Measures
Requirement 9 Restrict physical access to
cardholder data
  • Physical access controls exist for the site and
    facilities
  • Visible identification of employees, contractors
    and visitors
  • Visitor log maintained
  • Secured storage and arrangements for confidential
    paperwork, media, backup tapes, etc
  • Destruction of information

19
Regularly Monitor and Test Networks
Requirement 10 Track and monitor all access to
network resources and cardholder data
  • Audit trails for administrators
  • Synchronisation of clocks
  • Tamper proof audit trails
  • Log reviews
  • Log retention
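As an added example (not part of the presentation), a Python sketch of a tamper-evident audit trail for the "tamper proof audit trails" and "log reviews" items: each record's HMAC covers the previous record, so a reviewer holding the key can detect edited, reordered or deleted entries. The events, host names and the key are constructed here.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous" value for the first record

# Constructed sample events (not real data); timestamps are UTC, which is why
# the slide's "synchronisation of clocks" matters when trails are correlated.
SAMPLE_EVENTS = [
    {"ts": "2009-03-02T10:15:01Z", "user": "admin01", "action": "login", "host": "pay-db-1"},
    {"ts": "2009-03-02T10:16:40Z", "user": "admin01", "action": "read_pan_table", "host": "pay-db-1"},
    {"ts": "2009-03-02T10:17:05Z", "user": "admin01", "action": "logout", "host": "pay-db-1"},
]

def _mac(key: bytes, seq: int, prev: str, event: dict) -> str:
    """HMAC over (sequence number, previous MAC, canonical JSON of the event)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, f"{seq}\n{prev}\n".encode() + body, hashlib.sha256).hexdigest()

def append_event(chain: list, key: bytes, event: dict) -> dict:
    """Append an event; its MAC covers the previous record, so the chain is tamper evident."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    rec = {"seq": seq, "prev": prev, "event": event, "mac": _mac(key, seq, prev, event)}
    chain.append(rec)
    return rec

def verify_chain(chain: list, key: bytes, expected_len=None):
    """Return None if the trail is intact, else the index of the first bad record.
    Dropping records from the end is only caught when the reviewer knows how many
    there should be (expected_len), e.g. from a count kept on a separate system."""
    if expected_len is not None and len(chain) != expected_len:
        return min(len(chain), expected_len)
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev:
            return i
        if not hmac.compare_digest(rec["mac"], _mac(key, i, prev, rec["event"])):
            return i
        prev = rec["mac"]
    return None

def build_sample_chain(key: bytes) -> list:
    """Build a trail from the constructed sample events (each copied, so callers may mutate)."""
    chain: list = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, key, dict(ev))
    return chain
```

The key must live with the log collector or reviewer, not on the host that writes the events; otherwise an administrator who edits the trail can simply recompute the MACs.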

20
Regularly Monitor and Test Networks
Requirement 11 Regularly test security systems
and processes
  • Testing regime
  • Vulnerability scans
  • Intrusion detection systems

21
Maintain an Information Security Policy
Requirement 12 Maintain a policy that addresses
information security
  • Security policy review
  • Security personnel
  • Education and awareness
  • Incident Response plans
  • Service Providers

22
Do I have to?
  • Only if you store payment card details

What can I do to avoid it?
  • Do you really need to store the details?
  • Can you work with Transaction Codes only?

23
Summary
  • Background: where it came from
  • What is it: 6 Categories, 12 Requirements
  • Merchant Level: your responsibilities
  • Requirements: all 12, in detail!
  • Do you have to do it? Up to your business
    model; check the entire process

24
and finally
Questions?