1 payment card industry (pci) security standard developed by the pci security council formed by...


Upload: dana-glenn

Post on 18-Jan-2016



Payment Card Industry (PCI) Security Standard

• Developed by the PCI Security Council formed by major card issuers: Visa, MasterCard, American Express, Diners Club, JCB International and Discover Card.

• All issuing financial institutions and merchants that take credit card transactions on the Internet have to comply.

• Failure to comply may lead to financial penalty.

Chan


PCI Security Standard

• Visa and MasterCard require major merchants and IT service organizations (over 1 million transactions annually or over 20,000 eTransactions annually) to have an annual external validation for compliance.


PCI Standards

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor supplied defaults for system passwords and other security parameters.

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across the Internet


PCI Standards

5. Use regularly updated anti-virus software

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business on a need-to-know basis

8. Assign a unique ID to each person with computer access


PCI Security Standard

9. Restrict physical access to cardholder data

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12. Maintain a policy that addresses information security


Review Questions

1. What kinds of organizations are required to provide an annual external validation of compliance with the PCI Security Standard?

Organizations that process > 1 million transactions or 20,000 eTransactions annually


MC Question

• Which organization is most likely exempted from obtaining external scanning for compliance with the PCI Security Standard?

A. Sony

B. Amazon

C. Boeing

D. Walmart


MC Question

What kind of access to cardholder data must be monitored by Best Buy?

A. Update

B. All

C. External

D. Create


MC Question

Who makes up the PCI Security Council?

A. Banks

B. Major credit card issuers

C. Governments

D. Central banks


MC Question

• What is the maximum number of digits in a credit card number that can be displayed to a customer or a merchant?

A. First 6 and last 4

B. First 6

C. Last 4

D. First 4 and last 4


MC Question

How is the PIN verified?

A. Comparing the keyed PIN to the database

B. Comparing the keyed in value to the hash of the credit card number

C. Calculating the PIN offset based on decrypting the keyed in PIN and comparing the calculated PIN offset to the stored PIN offset.
