pci data security standardv1
DESCRIPTION
PCI Data SecurityTRANSCRIPT
![Page 1: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/1.jpg)
PCI Security Standards
![Page 2: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/2.jpg)
Agenda
• Introduce about PCI DSSP3
• Why should PCI DSS be the basis of your compliance plan?
P11• Overview of PCI Requirements
P13• Detailed PCI DSS Requirements
P18• How to Comply with PCI DSS
P52
![Page 3: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/3.jpg)
Protecting Cardholder Data with PCI Security Standards
Enter a credit card number into a website, what happens after you hit the Submit button?
![Page 4: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/4.jpg)
Protecting Cardholder Data with PCI Security Standards
Compliance with the PCI DSS helps to alleviate these vulnerabilities and protect cardholder data.
![Page 5: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/5.jpg)
Payment Card Industry Data Security Standard (PCI DSS)
![Page 6: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/6.jpg)
PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirement for enhancing payment account data security, was developed by the founding payment brands of the PCI Security Standards Council
• The standard applies to all organizations• The PCI DSS was created jointly in 2004 by four major
credit-card companies: Visa, MasterCard, Discover and American Express.
![Page 7: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/7.jpg)
PCI DSS
• The PCI DSS is a multifaceted security standard that include requirement for:
• Security management• Policies and procedures• Network architecture• Software design• Other critical protective measures
![Page 8: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/8.jpg)
PCI DSS
• There are three ongoing steps for adhering to the PCI DSS
• Assess : identifying cardholder data, analyzing them for vulnerabilities
• Remediate: fixing vulnerabilities
• Report: compiling and submitting required remediation
![Page 9: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/9.jpg)
PCI DSS
![Page 10: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/10.jpg)
PCI DSS
• The PCI DSS provides an actionable framework for developing a robust payment card data security process.
• PCI DSS comprises a minimum set of requirements for protecting cardholder data.
![Page 11: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/11.jpg)
Why should PCI DSS be the basis of your compliance plan?
• Build and maintain a secure network• Maintain a vulnerability management programme• Implement strong access control measures• Regularly monitor and test networks to prove that
malicious activity is not occurring• Maintain an information security policy
![Page 12: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/12.jpg)
Why should PCI DSS be the basis of your compliance plan?
![Page 13: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/13.jpg)
Overview of PCI Requirements
![Page 14: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/14.jpg)
Overview of PCI Requirements (cont)
PCI Security Standards Include:• PCI Data Security Standard (DSS)
• PIN Transaction Security (PTS) Requirements
• Payment Application Data Security Standard (PA-DSS)
• PIN Transaction Security Requirements
• Payment application Data Security Standard
![Page 15: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/15.jpg)
Security Controls and Processes for PCI DSS Requirements
Account Dataconsists of Cardholder Dataplus Sensitive Authentication Data, as follows:
![Page 16: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/16.jpg)
Security Controls and Processes for PCI DSS Requirements
Sensitive authentication data must not be stored after authorization (even if encrypted).PCI DSS applies only if PANs are stored, processed and/or transmitted.
![Page 17: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/17.jpg)
The PCI Data Security Standard
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data.
![Page 18: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/18.jpg)
Detailed PCI DSS Requirements
![Page 19: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/19.jpg)
Build and Maintain a Secure Network• Requirement 1: Install and maintain a firewall
configuration to protect cardholder data
• To comply with this standard you have to demonstrate that your firewalls and routers are correctly maintained and independently tested.
![Page 20: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/20.jpg)
1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change.a review of configuration rule sets at least every six months.
1.2 Build firewall and router configurations that restrict all traffic from “untrusted” networks and hosts.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 Install personal firewall software on any mobile and/or employee-owned computers
![Page 21: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/21.jpg)
Build and Maintain a Secure Network
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
![Page 22: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/22.jpg)
2.1 Always change vendor-supplied defaults before installing a system on the network. (includes wireless devices)
2.2 Develop configuration standards for all system components.
2.3 Encrypt using strong cryptography all non-console administrative access
2.4 Shared hosting providers must protect each entity’s hosted environment and cardholder data
![Page 23: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/23.jpg)
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
Sensitive data on the magnetic stripe or chip must never be stored.If your organization stores PAN, it is crucial to render it unreadable
![Page 24: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/24.jpg)
3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes,
3.2 Do not store sensitive authentication data after authorization (even if it is encrypted).
3.3 Mask PAN when displayed;
![Page 25: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/25.jpg)
3.4 Render PAN unreadable anywhere it is stored
3.5 Protect any keys used for encryption of cardholder data from disclosure and misuse.
3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.
![Page 26: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/26.jpg)
![Page 27: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/27.jpg)
Protect Cardholder Data
Requirement 4: encrypt transmission of cardholder data across open, public network
The highly distributed nature of today’s supply chain and service relationships creates a dependency on public networks.
![Page 28: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/28.jpg)
4.1 - Use strong cryptography and security protocols such as SSL/TLS, SSH or IPSec- Ensure wireless networks use industry best practices- The use of WEP as a security control is prohibited.
4.2 Never send unprotected PANs by end user messaging technologies.
![Page 29: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/29.jpg)
Maintain a Vulnerability Management Program• Vulnerability management is
the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system.
![Page 30: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/30.jpg)
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software or programs
Cyber criminals’ capabilities to break into networks are increasing at an alarming rate.
• Deploy anti-virus software on all systems affected by malicious software (PC and servers).
• Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs
![Page 31: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/31.jpg)
Maintain a Vulnerability Management Program
Requirement 6: Develop and maintain secure systems and applications• All critical systems must have update regularly• Secure coding practices for developing
applications, change control procedures and other secure software development practices should always be followed.
![Page 32: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/32.jpg)
6.1 Ensure that all system components and software are protected
6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
6.3 Develop software applications (internal and external) in accordance with PCI DSS and based on industry best practices.
![Page 33: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/33.jpg)
6.4 Follow change control processes and procedures for all changes to system components.
6.5 Develop applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities.
6.6 Ensure all public-facing web applications are protected against known attacks
![Page 34: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/34.jpg)
Implement Strong access Control Measures
• Allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data.
• Access must be granted on a business need to know basis.
• Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware.
• Logical access control permits or denies use of PIN entry devices.
![Page 35: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/35.jpg)
Implement Strong access Control Measures
Requirement 7: Restrict access to cardholder data by business need to knowTo ensure critical data can only be accessed by authorized personnel.
7.1 Limit access to only those individuals whose job requires such access.
7.2 Establish an access control system for systems components with multiple users and is set to “deny all” unless specifically allowed
![Page 36: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/36.jpg)
Implement Strong access Control Measures
Requirement 8: assign a unique ID to each person with computer access• Assigning a unique ID to each person with access• Requirements apply to all accounts, and all
accounts with access to stored cardholder data.
![Page 37: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/37.jpg)
8.1 Assign all users a unique user name.8.2 Employ at least one of password, token device,
biometric to authenticate all users
8.3 Implement two-factor authentication for remote access to the network
8.4 Render all passwords unreadable during storage and transmission.
8.5 Ensure proper user identification and authentication management for non-consumer users and administrators.
![Page 38: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/38.jpg)
Implement Strong access Control Measures
Requirement 9: Restrict physical access to cardholder data• Physical access to any building needs to be via a
reception area with all visitors and contractors signing in. • All devices that store or could store credit card
details have to be in a secure environment.
• Server rooms need to be locked with CCTV installed. Access to the wireless and wired network components must be restricted
![Page 39: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/39.jpg)
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems
9.2 Develop procedures to easily distinguish between onsite personnel and visitors.
9.3 Ensure all visitors are authorized
9.4 Use a visitor log to maintain a physical audit trail of visitor information and activity.
9.5 Store media back-ups in a secure location, preferably off site.
![Page 40: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/40.jpg)
9.6 Physically secure all media.
9.7 Maintain strict control over the internal or external distribution of any kind of media.
9.8 Ensure that management approves any and all
media moved from a secured area
9.9 Maintain strict control over the storage and accessibility of media.
9.10 Destroy media when it is no longer needed
![Page 41: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/41.jpg)
Regularly Monitor and Test Networks
To prevent exploitation, organizations must regularly monitor and test networks to find and fix vulnerabilities
![Page 42: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/42.jpg)
Regularly Monitor and Test NetworksRequirement 10: Track and monitor all access to network
resources and cardholder data
The presence of logs in all environments allows thorough tracking and analysis if something goes wrong.
![Page 43: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/43.jpg)
10.1 Establish a process for linking all access to system components to each individual user
10.2 Implement automated audit trails for all system components for reconstructing these events: • all individual user accesses to cardholder data• all actions taken by any individual with root or
administrative privileges• access to all audit trails• invalid logical access attempts• …
![Page 44: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/44.jpg)
10.3 Record audit trail entries for all system components for each event.
10.4 Using time synchronization technology, synchronize all critical system clocks and times
10.5 Secure audit trails so they cannot be altered.10.6 Review logs for all system components related to
security functions at least daily.10.7 Retain audit trail history for at least one year; at
least three months of history must be immediately available for analysis
![Page 45: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/45.jpg)
Regularly Monitor and Test Networks
Requirement 11: Regularly test security systems and processes• Vulnerabilities are being
discovered continually being introduced by new software.
• System components, processes, and custom software should be tested frequently.
![Page 46: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/46.jpg)
11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.
11.3 Perform external and internal penetration testing, at least annually and after any significant infrastructure or application upgrade or modification
![Page 47: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/47.jpg)
11.4 Use network intrusion detection systems and/or intrusion prevention systems to monitor all traffic.IDS/IPS engines, baselines, and signatures must be kept up to date.
11.5 Deploy file integrity monitoring toolsConfigure the software to perform critical file comparisons at least weekly
![Page 48: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/48.jpg)
Maintain an Information Security Policy
• A strong security policy sets the tone for security affecting an organization’s entire company, and it informs employees of their expected duties related to security.
• All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it
![Page 49: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/49.jpg)
Requirement 12: Maintain a policy that addresses information security for all personnel
12.1 Establish, publish, maintain, and disseminate a security policy.
12.2 Develop daily operational security procedures
12.3 Develop usage policies for critical technologies to define their proper use by all personnel.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
![Page 50: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/50.jpg)
12.5 Assign to an individual or team information security responsibilities
12.6 Implement a formal security awareness program
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
12.8 Maintain policies and procedures to formally identify service provider responsibilities.
12.9 Implement an incident response plan.
![Page 51: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/51.jpg)
Compensating Controls for PCI DSS Requirements
• Compensating controls may be considered for most PCI DSS requirements
• In order for a compensating control to be considered valid, it must be reviewed by a qualified assessor.
• The effectiveness of a compensating control is dependent on the specifics of the environment in
![Page 52: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/52.jpg)
How to Comply with PCI DSS 1. PCI DSS Scoping: determine what system components
are governed by PCI DSS2. Assessing: examine the compliance of system
components in scope 3. Compensating Controls: assessor validates alternative
control technologies/processes4. Reporting: assessor and/or entity submits required
documentation 5. Clarifications: assessor and/or entity clarifies/updates
report upon request of the acquiring bank or payment card brand
![Page 53: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/53.jpg)
How to Comply with PCI DSS (cont)• Choosing a Qualified Security assessor (QSA)
A (QSA) is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS. The QSA will:
▪Verify all technical information given bymerchant or service provider▪ Use independent judgment to confirmthe standard has been met▪Provide support and guidance duringthe compliance process
![Page 54: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/54.jpg)
How to Comply with PCI DSS (cont)• Choosing an approved Scanning vendor• An Approved Scanning Vendor (ASV) is a data security
firm using a scanning solution to determine whether or not the customer is compliant with the PCI DSS external vulnerability scanning requirement.
• An ASV may use its own software or an approved commercial or open source solution to validate compliance.
• ASV solutions must be non-disruptive to customers’ systems and data
![Page 55: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/55.jpg)
How to Comply with PCI DSS (cont)
• Scope of Assessment for Compliance with PCI DSS Requirements
• The PCI DSS security requirements apply to all system components.
• “System components” are defined as any network component , server, app included or connected to the cardholder data environment (CDE) or any virtualization components.
![Page 56: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/56.jpg)
How to Comply with PCI DSS (cont)
• To confirm the accuracy and appropriateness of PCI DSS scope:▪ The assessed entity identifies and documents the existence of all
cardholder data in their environment▪ Once all locations of cardholder data are identified and
documented, the entity uses the results to verify that PCI DSS scope is appropriate
▪ The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE
![Page 57: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/57.jpg)
How to Comply with PCI DSS (cont)
•Using the Self-assessment Questionnaire (SaQ)The SAQ is a validation tool for eligible merchants
and service providers who self-assess their PCI DSS compliance and who are not required to submit a Report on Compliance (ROC).
The SAQ includes a series of yes-or-no questions for compliance
![Page 58: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/58.jpg)
SAQ
![Page 59: PCI Data Security Standardv1](https://reader036.vdocuments.mx/reader036/viewer/2022070508/577cc7681a28aba711a0d76b/html5/thumbnails/59.jpg)
How to Comply with PCI DSS (cont)• Reporting
Reports are the official mechanism by which merchants and other entities verify compliance with PCI
Information Contained in PCI DSS Report on ComplianceThe template for an entity’s annual Report on Compliance• Executive Summary• Description of Scope of Work and Approach Taken• Details about Reviewed Environment• Contact Information and Report Date• Quarterly Scan Results• Findings and Observations