5. COMPLIANCE – FRIEND OR FOE
• Increases workload
• Creates extra process
• Costly
6. COMPLIANCE – FRIEND OR FOE
• Business enabler:
• PCI DSS for processing card details
• RBI PSS for getting and running a digital wallet
• Gives confidence to clients and third parties
• Forces organizations to give security a thought
• Acts as a baseline for security
Compliance acts as an enabler for security
8. A BIT OF HISTORY
• Drafted, maintained and promoted by the PCI SSC (Payment Card Industry Security Standards Council)
• PCI SSC was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
• PCI DSS ver. 1.0 (2004) through PCI DSS ver. 3.2 (2017)
• Other standards by PCI SSC: PA-DSS, PCI PTS, etc.
9. PCI DSS APPLICABILITY
• It applies to:
• Systems that store, process or transmit cardholder data
• Systems that provide security functionality or may impact the security of cardholder data (together, the cardholder data environment, CDE)
• Any other component or device located within or connected to the CDE
13. REQUIREMENT 1
Install and maintain a firewall configuration to protect cardholder data
• Firewall & Router Hardening
• Firewall Rule review
• Firewall Rule justification
14. REQUIREMENT 2
Do not use vendor-supplied defaults for system passwords and other security parameters
• Removal of default configurations
• Hardening
15. REQUIREMENT 3
Protect stored cardholder data
• Storage of cardholder data
• Not Storing Sensitive Authentication Data
• Encryption and Key Management
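As an added illustration of the Requirement 3 bullets (this is example code, not part of the deck): a Python routine that reduces a captured authorization record to what may be retained after authorization. Sensitive authentication data is dropped, the PAN is masked to first six/last four, and free-text fields are scrubbed for stray PANs. The field names and the sample record are constructed for the example.

```python
import re

# Field names are assumptions for this example, not a real acquirer schema.
SAD_FIELDS = {"track1", "track2", "cvv2", "pin", "pin_block"}
PAN_RUN = re.compile(r"\d{13,19}")

def luhn_valid(digits: str) -> bool:
    """Mod-10 check: tells a plausible PAN from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Show at most first six and last four digits (the PCI DSS masking limit)."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scrub_text(text: str) -> str:
    """Mask any Luhn-valid digit run hiding in free text (memo fields, logs)."""
    def fix(m):
        run = m.group()
        return mask_pan(run) if luhn_valid(run) else run
    return PAN_RUN.sub(fix, text)

def storable_record(auth: dict) -> dict:
    """Reduce an authorization record to what may be kept after authorization:
    SAD dropped entirely, PAN masked, free-text fields scrubbed."""
    out = {}
    for key, value in auth.items():
        if key in SAD_FIELDS:
            continue  # sensitive authentication data is never retained
        if key == "pan":
            out[key] = mask_pan(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out

if __name__ == "__main__":
    # Constructed sample; 4111111111111111 is a well-known test PAN.
    sample = {"pan": "4111111111111111", "expiry": "12/27", "cvv2": "123",
              "track2": ";4111111111111111=2712...?", "amount": 4200,
              "memo": "customer read out card 4111111111111111 by phone"}
    print(storable_record(sample))
```

Masking is only the display side of Requirement 3; the stored full PAN, where a business need exists, still has to be rendered unreadable (for example by strong encryption under managed keys), which this example does not cover.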
16. REQUIREMENT 4
Encrypt transmission of cardholder data across open, public networks
• Encryption standard for secure transmission
• End-user messaging
17. REQUIREMENT 5
Protect all systems against malware and regularly update anti-virus
software or programs
• Anti-virus: updates, scanning, logging
18. REQUIREMENT 6
Develop and maintain secure systems and applications
• Secure application development
• Change Control procedure
• Patching
• Risk Ranking
• Web application firewall
19. REQUIREMENT 7
Restrict access to cardholder data by business need to know
• Least Privilege
• User Management Process
20. REQUIREMENT 8
Identify and authenticate access to system components
• Password policy
• User Access Review
• Remote access Management
21. REQUIREMENT 9
Restrict physical access to cardholder data
• Physical access controls: visitor management
• CCTV and smart-card-based access
• Physical security of media
• Protecting POS devices from physical tampering
22. REQUIREMENT 10
Track and monitor all access to network resources and cardholder data
• Log management
• Time Synchronization
• FIM (file integrity monitoring)
23. REQUIREMENT 11
Regularly test security systems and processes.
• Wireless scan: quarterly
• Network-level VA (vulnerability assessment, internal/external): quarterly
• Network-level PT (penetration test, internal/external): half-yearly
• Application testing: yearly
• PT Methodology
24. REQUIREMENT 12
Maintain a policy that addresses information security for all personnel.
• Risk Assessment
• Policy & procedure Documentation
• Training and Awareness
• Incident Response
• Internal Audit