PCI Quick Reference Guide
Understanding the Payment Card Industry Data Security Standard version 1.2
For merchants and organizations that store, process or transmit cardholder data

Copyright 2008 PCI Security Standards Council, LLC. All Rights Reserved.

This Quick Reference Guide to the PCI Data Security Standard is provided by the PCI Security Standards Council to inform and educate merchants and other organizations that process, store or transmit cardholder data. For more information about the PCI SSC and the standards we manage, please visit www.pcisecuritystandards.org.

The intent of this document is to provide supplemental information, which does not replace or supersede PCI Security Standards Council standards or their supporting documents. Full details can be found on our Web site.
03/09

This Guide provides supplemental information that does not replace or supersede PCI DSS version 1.2 documents.
Contents

Introduction: Protecting Cardholder Data with PCI Security Standards ......... 4
Overview of PCI Requirements ......... 6
  PCI Data Security Standard (PCI DSS) ......... 8
  Payment Application Data Security Standard (PA-DSS) ......... 10
  PIN Transaction Security Requirements (PTS) ......... 10
Security Controls and Processes for PCI DSS Requirements ......... 11
  Build and Maintain a Secure Network ......... 12
  Protect Cardholder Data ......... 14
  Maintain a Vulnerability Management Program ......... 16
  Implement Strong Access Control Measures ......... 18
  Regularly Monitor and Test Networks ......... 21
  Maintain an Information Security Policy ......... 23
  Compensating Controls for PCI Security ......... 24
How to Comply with PCI DSS ......... 25
  Choosing a Qualified Security Assessor (QSA) ......... 26
  Choosing an Approved Scanning Vendor (ASV) ......... 27
  Using the Self-Assessment Questionnaire (SAQ) ......... 28
  Reporting ......... 29
Web Resources ......... 30
About the PCI Security Standards Council ......... 31
Introduction: Protecting Cardholder Data with PCI Security Standards

The twentieth century U.S. criminal Willie Sutton was said to rob banks because "that's where the money is." The same motivation in our digital age makes merchants the new target for financial fraud. Occasionally lax security by some merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.

It's a serious problem – more than 234 million records with sensitive information have been breached since January 2005, according to PrivacyRightsClearinghouse.org. As a merchant, you are at the center of payment card transactions so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.

Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards (see diagram on page 5).

Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.
RISKY BEHAVIOR
A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk.
• 81% store payment card numbers
• 73% store payment card expiration dates
• 71% store payment card verification codes
• 57% store customer data from the payment card magnetic stripe
• 16% store other personal data
Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
The intent of this PCI Quick Reference Guide is to help you understand the PCI DSS and to apply it to your payment card transaction environment.

There are three ongoing steps for adhering to the PCI DSS:
Assess — identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
Remediate — fixing vulnerabilities and not storing cardholder data unless you need it.
Report — compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card brands you do business with.

PCI DSS follows common sense steps that mirror best security practices. The DSS globally applies to all entities that store, process or transmit cardholder data. PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. Participating organizations include merchants, payment card issuing banks, processors, developers and other vendors.
[Diagram: PCI compliance is a continuous process – Assess, Remediate, Report]

[Diagram: the payment card ecosystem – POS, Merchant, Acquirer and Service Provider, connected over the Internet, public networks and wireless]
Overview of PCI Requirements

PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI set of standards is enforced by the founding members of the Council, American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
[Diagram: Payment Card Industry Security Standards – Protection of Cardholder Payment Data. Manufacturers: PCI PTS (PIN Transaction Security). Software Developers: PCI PA-DSS (Payment Application Vendors Data Security Standard). Merchants & Processors: PCI DSS (Data Security Standard). Ecosystem of payment devices, applications, infrastructure and users.]
PCI Security Standards Include:

PCI Data Security Standard (DSS)
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational system components included in or connected to cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.

PIN Transaction (PTS) Security Requirements
PCI PTS (formerly PCI PED) is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities. The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it. Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC (www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html).

Payment Application Data Security Standard (PA-DSS)
The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement when these applications are sold, distributed or licensed to third parties. Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
The PCI Data Security Standard

The PCI DSS version 1.2 is the global data security standard adopted by the card brands for all organizations that process, store or transmit cardholder data. It consists of common sense steps that mirror best security practices.

Goals and PCI DSS Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
Tools for Assessing Compliance with PCI DSS

The PCI SSC sets the PCI DSS standard, but each card brand has its own program for compliance, validation levels and enforcement. More information about compliance can be found at these links:
• American Express: www.americanexpress.com/datasecurity
• Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
• JCB International: www.jcb-global.com/english/pci/index.html
• MasterCard Worldwide: www.mastercard.com/sdp
• Visa Inc: www.visa.com/cisp
• Visa Europe: www.visaeurope.com/ais

Qualified Assessors. The Council manages programs that will help facilitate the assessment of compliance with PCI DSS: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs are approved by the Council to assess compliance with the PCI DSS. ASVs are approved by the Council to validate adherence to the PCI DSS scan requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. Additional details can be found on our Web site at: www.pcisecuritystandards.org/qsa_asv/find_one.shtml

Self-Assessment Questionnaire. The "SAQ" is a validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance. Different SAQs are specified for various business situations; more details can be found on our Web site at: www.pcisecuritystandards.org/saq/index.shtml. The organization's acquiring financial institution can also determine if it should complete a SAQ.
Payment Application Data Security Standard

The PA-DSS is a standard for developers of payment applications. Its goal is to help development of secure commercial payment applications that do not store prohibited data, and ensure that payment applications support compliance with the PCI DSS. Merchants and service providers should ensure that they are using Council-approved payment applications; check with your acquiring financial institution to understand requirements and associated time frames for implementing approved applications. PA-DSS has 14 requirements. For details and a list of approved Payment Applications, see: www.pcisecuritystandards.org/security_standards/pa_dss.shtml

PIN Transaction (PTS) Security Requirements

These requirements, referred to as PCI PTS (formerly PCI PED), apply to companies that make devices or components that accept or process personal identification numbers as a part of a PIN-based transaction and for other payment processing related activities. Recognized PTS laboratories validate adherence to the PTS requirements. Financial institutions, processors, merchants and service providers should ensure that they are using approved PTS devices or components. Nonfinancial institutions should check with their acquiring financial institution to understand requirements and associated time frames for compliance. The PTS requirements cover devices, including the physical and logical security characteristics of their components, and device management. For details and a list of approved PTS devices and components see: www.pcisecuritystandards.org/security_standards/ped/index.shtml
Security Controls and Processes for PCI DSS Requirements

The goal of the PCI Data Security Standard version 1.2 (PCI DSS) is to protect cardholder data that is processed, stored or transmitted by merchants. The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN – the primary account number printed on the front of a payment card. Merchants and any other service providers involved with payment card processing must never store sensitive authentication data after authorization. This includes sensitive data that is printed on a card, or stored on a card's magnetic stripe or chip – and personal identification numbers entered by the cardholder. This chapter presents the objectives of PCI DSS and its 12 related requirements.
[Diagram: Types of Data on a Payment Card – PAN; Expiration Date; CID (American Express); CAV2/CID/CVC2/CVV2 (Discover, JCB, MasterCard, Visa); Magnetic Stripe (data on tracks 1 & 2); Chip (data on magnetic stripe image)]
Build and Maintain a Secure Network

In the past, theft of financial records required a criminal to physically enter an organization's business site. Now, many payment card transactions (such as debit in the U.S. and "chip and pin" in Europe) use PIN entry devices and computers connected by networks. By using network security controls, organizations can prevent criminals from virtually accessing payment system networks and stealing cardholder data.

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed into and out of an organization's network, and into sensitive areas within its internal network. Routers are hardware or software that connects two or more networks.

1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months.
1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet that are used to access the organization's network.
CONTROLS FOR NETWORK SECURITY
Firewall: Device that controls the passage of traffic between networks and within an internal network
Router: Hardware or software that connects traffic between two or more networks
Illustration/Photo: Wikimedia Commons
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

The easiest way for a hacker to access your internal network is to try default passwords or exploits based on default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is akin to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools that show what devices are on your network, can make unauthorized entry a simple task – if you have failed to change the defaults.

2.1 Always change vendor-supplied defaults before installing a system on the network. This includes wireless devices that are connected to the cardholder data environment or are used to transmit cardholder data.
2.2 Develop configuration standards for all system components that address all known security vulnerabilities and are consistent with industry-accepted definitions.
2.3 Encrypt all non-console administrative access such as browser/Web-based management tools.
2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data (details are in PCI DSS Appendix A: "Additional PCI DSS Requirements for Shared Hosting Providers.")
TYPICAL DEFAULT PASSWORDS THAT MUST BE CHANGED
• [none]
• [name of product/vendor]
• 1234 or 4321
• access
• admin
• anonymous
• database
• guest
• manager
• pass
• password
• root
• sa
• secret
• sysadmin
• user
Protect Cardholder Data

Cardholder data refers to any information printed, processed, transmitted or stored in any form on a payment card. Organizations accepting payment cards are expected to protect cardholder data and to prevent their unauthorized use – whether the data is printed or stored locally, or transmitted over a public network to a remote server or service provider.

Requirement 3: Protect stored cardholder data

In general, no cardholder data should ever be stored unless it's necessary to meet the needs of the business. Sensitive data on the magnetic stripe or chip must never be stored. If your organization stores PAN, it is crucial to render it unreadable (see 3.4, and table below for guidelines).

3.1 Limit cardholder data storage and retention time to that required for business, legal, and/or regulatory purposes, as documented in your data retention policy.
3.2 Do not store sensitive authentication data after authorization (even if it is encrypted). See guidelines in table below.
3.3 Mask PAN when displayed; the first six and last four digits are the maximum number of digits you may display. Not applicable for authorized people with a legitimate business need to see the full PAN. Does not supersede stricter requirements in place for displays of cardholder data such as on a point-of-sale receipt.
3.4 Render PAN, at minimum, unreadable anywhere it is stored – including on portable digital media, backup media, in logs, and data received from or stored by wireless networks. Technology solutions for this requirement may include strong one-way hash functions, truncation, index tokens, securely stored pads, or strong cryptography. (See PCI DSS Glossary for definition of strong cryptography.)
ENCRYPTION PRIMER
Cryptography uses a mathematical formula to render plaintext data unreadable to people without special knowledge (called a "key"). Cryptography is applied to stored data as well as data transmitted over a network.
Encryption changes plaintext into ciphertext.
Decryption changes ciphertext back into plaintext.
Illustration: Wikimedia Commons
3.5 Protect cryptographic keys used for encryption of cardholder data from disclosure and misuse.
3.6 Fully document and implement all appropriate key management processes and procedures for cryptographic keys used for encryption of cardholder data.
Guidelines for Cardholder Data Elements

Data Element                           Storage Permitted   Protection Required   PCI DSS Req. 3.4
Cardholder Data
  Primary Account Number (PAN)         Yes                 Yes                   Yes
  Cardholder Name (1)                  Yes                 Yes (1)               No
  Service Code (1)                     Yes                 Yes (1)               No
  Expiration Date (1)                  Yes                 Yes (1)               No
Sensitive Authentication Data (2)
  Full Magnetic Stripe Data (3)        No                  N/A                   N/A
  CAV2/CVC2/CVV2/CID                   No                  N/A                   N/A
  PIN/PIN Block                        No                  N/A                   N/A

(1) These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder data environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
(2) Sensitive authentication data must not be stored after authorization (even if encrypted).
(3) Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
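As an added example (not part of the PCI SSC guide), the following Python shows the 3.3 display mask, two of the 3.4 options for stored PAN (truncation and a keyed one-way hash), and a check for full PANs leaking into log lines, which 3.4 also covers. The PAN values are constructed test numbers, and the Luhn check used to tell PANs from other long numbers is this example's own assumption.

```python
"""Added example (not from the PCI SSC guide): PAN display masking (Req. 3.3),
storage truncation and keyed one-way hashing (Req. 3.4), and a check that
catches full PANs leaking into log lines (Req. 3.4, "in logs").
All PAN values used here are constructed test numbers, not real accounts."""
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check (assumed here to separate PANs from other numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Req. 3.3: display at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: keep only a fragment that cannot rebuild the PAN."""
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


def hash_pan(pan: str, secret: bytes) -> str:
    """Req. 3.4 one-way hash. HMAC-SHA256 is used rather than a bare hash
    because the 16-digit PAN space is small enough to brute-force an unkeyed
    digest; the secret falls under the key management of Req. 3.5/3.6."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid PAN candidates found in free text such as a log line."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def redact_log_line(line: str) -> str:
    """Replace any full PAN in a log line with its Req. 3.3 masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return _PAN_RE.sub(_sub, line)


if __name__ == "__main__":
    # Constructed log line containing a constructed test PAN.
    sample = "auth user=clerk7 pan=4111 1111 1111 1111 result=approved"
    print(find_pans(sample))
    print(redact_log_line(sample))
```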
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Cybercriminals may be able to intercept transmissions of cardholder data over open, public networks so it is important to prevent their ability to view these data. Encryption is a technology used to render transmitted data unreadable by any unauthorized person.

4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, global systems for communications [GSM], general packet radio systems [GPRS]). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (e.g., IEEE 802.11ix) to implement strong encryption for authentication and transmission. For new wireless implementations, it is prohibited to implement WEP after March 31, 2009. For current implementations, it is prohibited to use WEP after June 30, 2010.
4.2 Never send unencrypted PANs by end user messaging technologies.

Maintain a Vulnerability Management Program

Vulnerability management is the process of systematically and continuously finding weaknesses in an organization's payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy.

Requirement 5: Use and regularly update anti-virus software or programs

Many vulnerabilities and malicious viruses enter the network via employees' e-mail and other online activities. Anti-virus software must be used on all systems affected by malware to protect systems from current and evolving malicious software threats.
VULNERABILITY MANAGEMENT
• Create policy governing security controls according to industry standard best practices (e.g., IEEE 802.11ix)
• Regularly scan systems for vulnerabilities
• Create remediation schedule based on risk and priority
• Pre-test and deploy patches
• Rescan to verify compliance
• Update security software with the most current signatures and technology
• Use only software or systems that were securely developed by industry standard best practices
5.1 Deploy anti-virus software on all systems affected by malicious software (particularly personal computers and servers).
5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.

Requirement 6: Develop and maintain secure systems and applications

Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Organizations should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program. Secure coding practices for developing payments applications, change control procedures and other secure software development practices should always be followed.

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Deploy critical patches within a month of release.
6.2 Establish a process to identify newly discovered security vulnerabilities, such as by subscribing to alert services, or using a vulnerability scanning service or software. Update the process to address new vulnerability issues.
6.3 Develop software applications in accordance with PCI DSS based on industry best practices and incorporate information security throughout the software development life cycle.
6.4 Follow change control procedures for all changes to system components.
6.5 Develop all Web applications based on secure coding guidelines and review custom application code to identify coding vulnerabilities.
6.6 Ensure that all public Web-facing applications are protected against known attacks with at least annual reviews of code, and by installing a Web application firewall in front of public-facing Web applications.

Implement Strong Access Control Measures

Access control allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware. Logical access control permits or denies use of PIN entry devices, a wireless network, PCs and other devices. It also controls access to digital files containing cardholder data.

Requirement 7: Restrict access to cardholder data by business need-to-know

To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Need-to-know is when access rights are granted to only the least amount of data and privileges needed to perform a job.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need-to-know, and is set to "deny all" unless specifically allowed.
RESTRICTING ACCESS IS CRUCIAL!
Restrict Access to Cardholder Data
• Environments employing access controls such as RBAC (Role Based Access Control)
• Limit access to only those individuals whose job requires such access
• Formalize an access control policy that includes a list of who gets access to specified cardholder data
• Deny all access to anyone who is not specifically allowed to access cardholder data
Photo: Wikimedia Commons
Requirement 8: Assign a unique ID to each person with computer access

Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

8.1 Assign all users a unique user name before allowing them to access system components or cardholder data.
8.2 Employ at least one of these to authenticate all users: password or passphrase; or two-factor authentication (e.g., token devices, smart cards, biometrics, public keys).
8.3 Implement two-factor authentication for remote access to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or virtual private network with individual certificates.
8.4 Render all passwords unreadable for all system components both in storage and during transmission using strong cryptography based on approved standards.
8.5 Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
GIVE EVERY USER A UNIQUE ID
Every user on the payment system must have a unique ID. This allows a business to trace every action to a specific worker.
Requirement 9: Restrict physical access to cardholder data

Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.
9.3 Ensure all visitors are authorized before entering areas where cardholder data is processed or maintained; given a physical token that expires and that identifies visitors as non-employees; and are asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4 Use a visitor log to maintain a physical audit trail of visitor information and activity. Retain the log for at least three months unless otherwise restricted by law.
9.5 Store media back-ups in a secure location, preferably off site.
9.6 Physically secure all paper and electronic media that contain cardholder data.
9.7 Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data.
9.8 Ensure that management approves any and all media containing cardholder data moved from a secured area, especially when media is distributed to individuals.
PHYSICALLY SECURE THE PAYMENT SYSTEM
Businesses must physically secure or restrict access to printouts of cardholder data, to media where it is stored, and to devices used for accessing or storing cardholder data. It's important to understand that PCI is about protecting both electronic data and paper receipts as well.
Illustration: Wikimedia Commons
9.9 Maintain strict control over the storage and accessibility of media that contains cardholder data.
9.10 Destroy media containing cardholder data when it is no longer needed for business or legal reasons.

Regularly Monitor and Test Networks

Physical and wireless networks are the glue connecting all endpoints and servers in the payment infrastructure. Vulnerabilities in network devices and systems present opportunities for criminals to gain unauthorized access to payment card applications and cardholder data. To prevent exploitation, organizations must regularly monitor and test networks to find and fix vulnerabilities.

Requirement 10: Track and monitor all access to network resources and cardholder data

Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs.

10.1 Establish a process for linking all access to system components to each individual user – especially access done with administrative privileges.
10.2 Implement automated audit trails for all system components for reconstructing these events: all individual user accesses to cardholder data; all actions taken by any individual with root or administrative privileges; access to all audit trails; invalid logical access attempts; use of identification and authentication mechanisms; initialization of the audit logs; creation and deletion of system-level objects.
MONITOR ALL ACTIVITY
Organizations must track and monitor all access to cardholder data and related network resources – in stores, regional offices, headquarters, and other remote access.
Photo: Wikimedia Commons
10.3 Record audit trail entries for all system components for each event, including at a minimum: user identification, type of event, date and time, success or failure indication, origination of event, and identity or name of affected data, system component or resource.
10.4 Synchronize all critical system clocks and times.
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs for all system components related to security functions at least daily.
10.7 Retain audit trail history for at least one year; at least three months of history must be immediately available for analysis.
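As an added example (not part of the PCI SSC guide), the following Python checks audit entries against the minimum content 10.3 lists and chains entries with an HMAC so that an altered or removed entry is detectable, one way of meeting the intent of 10.5. The field names, the sample records and the key are this example's own constructions.

```python
"""Added example (not from the PCI SSC guide): validates that audit trail
entries carry the minimum elements of Req. 10.3 and chains entries with an
HMAC so later alteration or deletion is detectable (Req. 10.5).
Field names, sample records and keys are constructed for this example."""
import hashlib
import hmac
import json
from datetime import datetime
from typing import Optional

# Req. 10.3 minimum content, mapped to this example's own field names.
REQUIRED_FIELDS = {
    "user": "user identification",
    "event": "type of event",
    "time": "date and time",
    "result": "success or failure indication",
    "origin": "origination of event",
    "target": "identity or name of affected data, system component or resource",
}

# Constructed sample audit trail: one well-formed entry, one missing fields,
# one with a malformed result value and a non-ISO timestamp.
SAMPLE_LOG = [
    {"user": "clerk7", "event": "cardholder_data_read", "time": "2009-03-01T09:15:02Z",
     "result": "success", "origin": "pos-12", "target": "orders.pan"},
    {"user": "", "event": "admin_login", "time": "2009-03-01T09:16:40Z",
     "result": "failure", "origin": "10.0.0.5"},
    {"user": "root", "event": "audit_log_init", "time": "March 1",
     "result": "ok", "origin": "console", "target": "/var/log/audit"},
]


def check_entry(entry: dict) -> list[str]:
    """Return the Req. 10.3 elements an entry is missing or has malformed."""
    problems = []
    for field, meaning in REQUIRED_FIELDS.items():
        if entry.get(field) in (None, ""):
            problems.append(meaning)
    if entry.get("result") not in (None, "", "success", "failure"):
        problems.append("result must be success or failure")
    if entry.get("time"):
        try:
            ts = datetime.fromisoformat(entry["time"].replace("Z", "+00:00"))
            if ts.tzinfo is None:
                # Req. 10.4 asks for synchronized clocks; an offset-less
                # timestamp cannot be correlated across systems.
                problems.append("time lacks a timezone offset")
        except ValueError:
            problems.append("time is not ISO 8601")
    return problems


def chain_entries(entries: list[dict], key: bytes) -> list[dict]:
    """Append an HMAC over (previous mac || entry) to each entry, so that
    editing or removing one entry breaks the mac of every later entry."""
    prev = b""
    out = []
    for entry in entries:
        body = json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        out.append({**entry, "mac": mac})
        prev = mac.encode()
    return out


def verify_chain(chained: list[dict], key: bytes) -> Optional[int]:
    """Return the index of the first entry whose mac does not verify, or None."""
    prev = b""
    for i, entry in enumerate(chained):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, prev + json.dumps(body, sort_keys=True).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i
        prev = expected.encode()
    return None


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_LOG):
        print(i, check_entry(e) or "ok")
    chained = chain_entries(SAMPLE_LOG, b"constructed-audit-key")
    chained[1]["user"] = "someone-else"  # simulate after-the-fact editing
    print("first bad entry:", verify_chain(chained, b"constructed-audit-key"))
```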
Requirement 11: Regularly test security systems and processes

Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configurations.

11.1 Test for the presence of wireless access points by using a wireless analyzer at least quarterly, or deploying a wireless IDS/IPS to identify all wireless devices in use.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. ASVs are not required to perform internal scans.
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification, including network- and application-layer penetration tests.
SEVERITY LEVELS FOR VULNERABILITY SCANNING
5 Urgent: Trojan horses; file read and write exploit; remote command execution
4 Critical: Potential Trojan horses; file read exploit
3 High: Limited exploit of read; directory browsing; DoS
2 Medium: Sensitive configuration information can be obtained by hackers
1 Low: Information can be obtained by hackers on configuration
“To be considered compliant, a component must not contain vulnerabilities assigned Level 3, 4, or 5. To be considered compliant, all components within the customer infrastructure must be compliant. The scan report must not include any vulnerabilities that indicate features or configurations that may violate PCI DSS requirements.”
11.4 Use network intrusion detection systems and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. IDS/IPS engines must be kept up to date.
11.5 Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly.
Maintain an Information Security Policy
A strong security policy sets the tone for security affecting an organization’s entire company, and it informs employees of their expected duties related to security. All employees should be aware of the sensitivity of cardholder data and their responsibilities for protecting it.
Requirement 12: Maintain a policy that addresses information security for employees and contractors
12.1 Establish, publish, maintain, and disseminate a security policy that addresses all PCI DSS requirements, includes an annual process for identifying vulnerabilities and formally assessing risks, and includes a review at least once a year and when the environment changes.
12.2 Develop daily operational security procedures that are consistent with requirements in PCI DSS.
12.3 Develop usage policies for critical employee-facing technologies to define their proper use for all employees and contractors. These include remote access, wireless, removable electronic media, laptops, handheld devices, email and Internet.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.
“PCI DSS represents the best available framework to guide better protection of cardholder data. It also presents an opportunity to leverage cardholder data security achieved through PCI DSS compliance for better protection of other sensitive business data – and to address compliance with other standards and regulations.”
Aberdeen Group
IT Industry Analyst
12.5 Assign to an individual or team information security responsibilities defined by 12.5 subsections.
12.6 Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
12.7 Screen employees prior to hire to minimize the risk of attacks from internal sources.
12.8 If cardholder data is shared with service providers, then require them to implement PCI DSS policies and procedures for cardholder data security.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
Compensating Controls for PCI Security
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of compensating controls. In order for a compensating control to be considered valid, it must be reviewed by a QSA. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the configuration of the control. Organizations should be aware that a particular compensating control will not be effective in all environments. See the PCI DSS version 1.2, Appendices B and C for details.
How to Comply with PCI DSS
Merchants and organizations that store, process and/or transmit cardholder data must comply with PCI DSS version 1.2. While the Council is responsible for managing the data security standards, each card brand maintains its own separate compliance enforcement programs. Each card brand has defined specific requirements for validation of compliance and reporting, such as provisions for self-assessment versus using a Qualified Security Assessor.
Depending on an organization’s classification or risk level (determined by the individual card brands), processes for validating compliance and reporting to acquiring financial institutions usually follow this track:
1. PCI DSS Scoping – determine what system components are governed by PCI DSS
2. Sampling – examine the compliance of a subset of system components in scope
3. Compensating Controls – QSA validates alternative control technologies/processes
4. Reporting – merchant/organization submits required documentation
5. Clarifications – merchant/organization clarifies/updates report statements (if applicable) upon bank request
Specific questions about compliance validation levels should be directed to your acquiring financial institution. Only the acquiring financial institution can assign a validation level to merchants. Links to card brand compliance programs include:
• American Express: www.americanexpress.com/datasecurity
• Discover Financial Services: www.discovernetwork.com/fraudsecurity/disc.html
• JCB International: www.jcb-global.com/english/pci/index.html
• MasterCard Worldwide: www.mastercard.com/sdp
• Visa Inc: www.visa.com/cisp
• Visa Europe: www.visaeurope.com/ais
Choosing a Qualified Security Assessor
A Qualified Security Assessor (QSA) is a data security firm that has been trained and is certified by the PCI Security Standards Council to perform on-site security assessments for verification of compliance with PCI DSS. The QSA will:
• Verify all technical information given by merchant or service provider
• Use independent judgment to confirm the standard has been met
• Provide support and guidance during the compliance process
• Be on site for the validation of the assessment or duration as required
• Review the work product that supports the PCI Requirements and Security Assessment Procedures
• Ensure adherence to the PCI Security Assessment Procedures
• Define the scope of the assessment
• Select systems and system components where sampling is employed
• Evaluate compensating controls
• Produce the final report
PREPARING FOR A PCI DSS ASSESSMENT
Gather Documentation: Security policies, change control, network diagrams, PCI letters and notifications
Schedule Resources: Ensure participation of a project manager and key people from IT, security, applications, human resources and legal
Describe the Environment: Organize information about the cardholder data environment, including cardholder data flow and location of cardholder data repositories
The QSA you select should have solid understanding of your business and have experience in assessing the security of similar organizations. That knowledge helps the QSA to understand business sector-specific nuances of securing cardholder data under PCI DSS. Also, look for a good fit with your company’s culture. The assessment will conclude whether you are compliant or not – but the QSA will also work with your organization to understand how to achieve and maintain compliance. Many QSAs also can provide additional security-related services such as ongoing vulnerability assessment and remediation. A list of QSAs is available at www.pcisecuritystandards.org/qsa_asv/find_one.shtml.
Choosing an Approved Scanning Vendor
An Approved Scanning Vendor (ASV) is a data security firm using a scanning solution to determine whether or not the customer is compliant with the PCI DSS external vulnerability scanning requirement. ASVs have been trained and are qualified by the PCI Security Standards Council to perform network and systems scans as required by the PCI DSS. An ASV may use its own software or an approved commercial or open source solution to validate compliance. ASV solutions must be non-disruptive to customers’ systems and data – they must never cause a system reboot, or interfere with or change domain name server (DNS) routing, switching, and address resolution. Root-kits or other software should not be installed unless part of the solution and pre-approved by the customer. Tests not permitted by the ASV solution include denial of service, buffer overflow, brute force attack resulting in a password lockout, or excessive usage of available communication bandwidth.
An ASV scanning solution includes the scanning tool(s), the associated scanning report, and the process for exchanging information between the scanning vendor and the customer. ASVs may submit compliance reports to the acquiring institution on behalf of a merchant or service provider. A list of ASVs is available at www.pcisecuritystandards.org/qsa_asv/find_one.shtml.
Using the Self-Assessment Questionnaire
The “SAQ” is a self-validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance. The SAQ includes a series of yes-or-no questions for compliance. If an answer is no, the organization must state the future remediation date and associated actions. In order to align more closely with merchants and their compliance validation process, the SAQ was revised and now allows for flexibility based on the complexity of a particular merchant’s or service provider’s business situation (see chart below). The SAQ validation type does not correlate to the merchant classification or risk level.
Self-Assessment Questionnaires
SAQ Validation Type | Description | SAQ
1 | Card-Not-Present (e-commerce or MO/TO) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A
2 | Imprint-only merchants with no cardholder data storage. | B
3 | Standalone dial-up terminal merchants, no cardholder data storage. | B
4 | Merchants with payment application systems connected to the Internet, no cardholder data storage. | C
5 | All other merchants (not included in descriptions for SAQs A, B or C above), and all service providers defined by a card brand as eligible to complete a SAQ. | D
Reporting
Reports are the official mechanism by which merchants and other organizations verify compliance with PCI DSS to their respective acquiring financial institutions. Depending on card brand requirements, merchants and service providers may need to submit a SAQ or annual attestations of compliance for on-site assessments (see PCI DSS version 1.2, Appendices D and E for more information). Quarterly submission of a report for network scanning may also be required. Finally, individual card brands may require submission of other documentation; see their Web sites for more information (URLs listed above).
Information Contained in PCI DSS Reports
• Summary of Findings (general statement, details of the security assessment)
• Business Information (contact, business description, processor relationships)
• Card Payment Infrastructure (network diagram, transaction flow diagram, POS products used, wireless LANs and/or wireless POS terminals)
• External Relationships (list service providers with whom you share cardholder data, connections to card payment companies, wholly owned entities (national and international) that require compliance with PCI DSS)
COMPLIANCE PROGRAM
Assess: Assess your network and IT resources for vulnerabilities. You should constantly monitor access and usage of cardholder data. Log data must be available for analysis.
Remediate: You must fix vulnerabilities that threaten unauthorized access to cardholder data.
Report: Report compliance and present evidence that data protection controls are in place.
Web Resources
PCI Security Standards Council Web site: www.pcisecuritystandards.org
Frequently Asked Questions (FAQ): www.pcisecuritystandards.org/faq.htm
Membership Information: www.pcisecuritystandards.org/participation/join.shtml
Webinars: www.pcisecuritystandards.org/news_events/events.shtml
Training (for assessors)
QSAs: www.pcisecuritystandards.org/education/qsa_training.shtml
PA-DSS: www.pcisecuritystandards.org/education/pa-dss_training.shtml
PTS approved devices
PIN Transaction Security (PTS) Devices: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Payment Applications: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PCI Data Security Standard version 1.2 (PCI DSS)
The Standard: www.pcisecuritystandards.org/tech/download_the_pci_dss.htm
Supporting Documents: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Approved Assessors and Scanning Vendors: www.pcisecuritystandards.org/about/resources.shtml
Navigating the Standard: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Self-Assessment Questionnaire: www.pcisecuritystandards.org/saq/index.shtml
Glossary: www.pcisecuritystandards.org/security_standards/pci_dss_supporting_docs.shtml
Approved QSAs: www.pcisecuritystandards.org/qsa_asv/find_one.shtml
Approved ASVs: www.pcisecuritystandards.org/qsa_asv/find_one.shtml
About the PCI Security Standards Council
The PCI Security Standards Council (PCI SSC) is a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security. The Council maintains, evolves, and promotes the Payment Card Industry security standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning guidelines, a self-assessment questionnaire, training and education, and product certification programs.
The PCI SSC founding members, American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc., have agreed to incorporate the PCI Data Security Standard as part of the technical requirement for each of their data security compliance programs. Each founding member also recognizes the Qualified Security Assessors and Approved Scanning Vendors qualified by the PCI SSC to assess compliance with the PCI DSS.
The PCI SSC’s founding member card brands share equally in the Council’s governance and operations. Other industry stakeholders participate in reviewing proposed additions or modifications to the standards, including merchants, payment card issuing banks, processors, hardware and software developers, and other vendors.
PCI SSC FOUNDERS
PARTICIPATING ORGANIZATIONS: Merchants, Banks, Processors, Hardware and Software Developers and Point-of-Sale Vendors
PCI Data Security Standard
The PCI DSS version 1.2 is a set of comprehensive requirements for enhancing payment account data security. It represents common sense steps that mirror security best practices. Learn more about its requirements, security controls and processes, and steps to assess compliance inside this PCI Quick Reference Guide.
Goals | PCI DSS Requirements
Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data
 | 2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data | 3. Protect stored cardholder data
 | 4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software or programs
 | 6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know
 | 8. Assign a unique ID to each person with computer access
 | 9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data
 | 11. Regularly test security systems and processes
Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for employees and contractors

young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 

PCI Quick Reference Guide