SlideShare ist ein Scribd-Unternehmen logo

Pci dss intro v2

T
Torstein Hansen

Gammel intro til pci-dss v2.. Ikke oppdatert til nyeste version..

Software
1 von 23
Downloaden Sie, um offline zu lesen
PCI-DSS v2
About PCI-DSS ● "Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and MasterCard require Merchants and Service Providers to be validated according to the PCI DSS. Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS although these organizations must still implement all controls in order to maintain safe harbour and avoid potential liability in the event of fraud associated with theft of cardholder data. Issuing banks are not required to go through PCI DSS validation although they still have to secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit. (In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines.)" - Wikipedia ● The PCI Standards Council General Manager Bob Russo has indicated that liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs ● PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks
Documentation ● ROC Reporting Instructions for PCI DSS v2.0 - https://www.pcisecuritystandards.org/documents/PCI_DSS_2.0_ROC_Reporting_Instructions.pd f ● PCI DSS Virtualization Guidelines v2.0 - https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf ● Requirement 6.6 Application Reviews and Web Application Firewalls Clarified v1.2 - https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf ● Requirement 11.3 Penetration Testing v1.2 - https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf ● Cisco - http://www.cisco.com/en/US/docs/solutions/Enterprise/Compliance/Compliance_DIG/PCI_20_DI G.pdf ● Symantec NetBackup og PCI-DSS - http://www.symantec.com/business/support/index?page=content&id=TECH153100 ● HP BladeSystem and Virtual Connect Suitability in PCI DSS Compliant Deployments - http://h20195.www2.hp.com/v2/GetPDF.aspx%2F4AA4-6580ENW.pdf
Apply for “PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply”
Storage of PAN Primary Account Number (PAN), Storage Permitted but Render Stored Account Data Unreadable per Requirement 3.4
Scoop - Software Please note the following regarding PA-DSS applicability: ● PA-DSS does apply to payment applications that are typically sold and installed ―off the shelfǁ without much customization by software vendors. ● PA-DSS does not apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s normal PCI DSS compliance
Scoop - Infrastcture ● The PCI DSS security requirements apply to all system components ● “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment. ―System componentsǁ also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications
PCI-DSS requirements Achieving PCI DSS compliance requires an organization to successfully meet ALL PCI DSS requirements, regardless of the order in which they are satisfied, or whether the organization seeking compliance follows the PCI DSS Prioritized Approach. The Prioritized Approach is a tool provided to assist organizations seeking to achieve compliance, but it does not, and is not intended in any manner to, modify or abridge the PCI DSS or any of its requirements.
Milestone 1 ● 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks ● 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes as follows: 3.1.1 Implement a data retention and disposal policy that includes: § Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements. § Processes for secure deletion of data when no longer needed. § Specific retention requirements for cardholder data. § A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. ● 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
Milestone 2 ● 1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. ● 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. ● 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. ● 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. ● 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. ● 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
Milestone 2 ● 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2.1 Perform quarterly internal vulnerability scans. ● 11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). ● 11.2.3 Perform internal and external scans after any significant change. ● 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following: ● 11.3.1 Network-layer penetration tests. ● 11.3.2 Application-layer penetration tests. ● 11.4 Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines, baselines, and signatures up-to-date.
Milestone 2 ● 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. ● 1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks ● 2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
Milestone 3 ● 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. ● 2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers ● 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. ● "6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Note: Risk rankings should be based on industry best practices. For example, criteria for ranking ""High"" risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as ""critical,"" and/or a vulnerability affecting a critical system component. Note: The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement."
Milestone 3 ● 6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices. Incorporate information security throughout the software development life cycle. These processes must include the following: ● "6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development lifecycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Web applications are also subject to additional controls, if they are public facing, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6." ● "6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: ● 6.4.1 Separate development/test and production environments." ● 6.4.3 Production data (live PANs) are not used for testing or development.
Milestone 3 ● 6.5.5 Improper error handling. ● "6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: § Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes § Installing a web-application firewall in front of public-facing web applications" ● A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. ● A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
Milestone 4 ● "7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. ● 8.1 Assign all users a unique username before allowing them to access system components or cardholder data. ● 8.5.2 Verify user identity before performing password resets. ● 8.5.3 Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use. ● 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts. ● "8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users. Restrict user direct access or queries to databases to database administrators."
Milestone 4 ● 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. ● "10.2 Implement automated audit trails for all system components to reconstruct the following events: ● 10.2.1 All individual accesses to cardholder data." ● 10.2.2 All actions taken by any individual with root or administrative privileges. ● 10.2.3 Access to all audit trails. ● 10.2.7 Creation and deletion of system-level objects. ● "10.5 Secure audit trails so they cannot be altered. ● 10.5.1 Limit viewing of audit trails to those with a job-related need. " ● 10.5.2 Protect audit trail files from unauthorized modifications. ● 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. ● 10.5.5 Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). ● 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). ● 11.5 Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files; and configure the software to perform critical file comparisons at least weekly.
Milestone 4 ● 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. ● 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach. ● "12.9.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: § Roles, responsibilities and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum § Specific incident response procedures § Business recovery and continuity procedures § Data back-up processes § Analysis of legal requirements for reporting compromises § Coverage and responses of all critical system components § Reference or inclusion of incident response procedures from the payment brands" ● 12.9.2 Test the plan at least annually. ● 12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. ● 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
Milestone 5 ● 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). ● 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: § One-way hashes based on strong cryptography (hash must be of the entire PAN) § Truncation (hashing cannot be used to replace the truncated segment of PAN) § Index tokens and pads (pads must be securely stored) § Strong cryptography with associated key management processes and procedures Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. ● 3.5 Protect any keys used to secure cardholder data against both disclosure and misuse: Note: This requirement also applies to key encryption keys used to protect data encrypting keys -- such key encryption keys must be at least as strong as the data encrypting key. ● 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
Milestone 6 ● 1.1 Establish firewall and router configuration standards that include the following: ○ 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations" ○ 1.1.6 Requirement to review firewall and router rule sets at least every six months. ● 6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following: ○ 6.4.5.1 Documentation of impact." ○ 6.4.5.2 Documented change approval by authorized parties. ○ 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. ○ 6.4.5.4 Back-out procedures.
Milestone 6 ● 12.3.5 Acceptable uses of the technology. ● 12.3.7 List of company-approved products. ● 12.3.10 For personnel accessing cardholder data via remote access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. ● 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. ● 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. ○ "12.6.1 Educate personnel upon hire at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data." ○ 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
Virtualization PCI DSS Virtualization Guidelines v2.0 - The Virtualization Considerations in this appendix do not replace, supersede, or extend PCI DSS requirements. All best practices and recommendations contained herein are provided as guidance only: ● If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope. For additional guidance on the presence of both in-scope and out-of-scope VMs on the same hypervisor, please refer to Section 4.2 Recommendations for Mixed Mode Environments. Note: the term “mixed-mode” refers to a virtualization configuration where both in-scope and out-of-scope virtual components are running on the same hypervisor or host. ● An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE. If a VM is in scope, both the underlying host system and the hypervisor would also be considered in scope, as they are directly connected to and have a fundamental impact on the functionality and security of the VM. ● Virtual Appliances used to connect or provide services to in-scope system components or networks would be considered in-scope. Any VSA/SVA that could impact the security of the CDE would also be considered in scope ● Networks provisioned on a hypervisor-based virtual switch will be in scope if provisioned with an in-scope component or if they provide services or connect to an in-scope component. Physical devices hosting virtual switches or routers would be considered in scope if any of the hosted components connects to an in-scope network ● Separate administrative functions such that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs. ● Monitor audit logs to identify activities that could indicate a breach in the integrity of segmentation, security controls, or communication channels between workloads. ● Disable or remove all unnecessary interfaces, ports, devices and services ● Establish limits on VM resource usage
Annet (udokumentert/uklart) ● Passord policy’er gjelder også switcher, brannmurer og egne web apper. Ikke bare os brukere. Det går ikke tydelig frem av doc’en men pci-dss v3 skal gjøre dette tydelig ● Det samme gjelder krav til logging etc etc. ● Ting som ikke har pci data kan også være underlagt pci dersom det brukes av pci miljøet. F.eks login server, dns server etc. De må herdes etc akkurat som pci maskiner men pci scopet “smitter” ikke fra de normalt ●

Empfohlen

Experience for implement PCI DSS
Experience for implement PCI DSS Experience for implement PCI DSS
Experience for implement PCI DSS
Nhat Phan Canh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
isc2-hellenic
 
PA-DSS
PA-DSSPA-DSS
PA-DSS
Christian Heinrich
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
Alexander Polyakov
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
ControlCase
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 

Empfohlen

Experience for implement PCI DSS
Experience for implement PCI DSS Experience for implement PCI DSS
Experience for implement PCI DSS
Nhat Phan Canh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
isc2-hellenic
 
PA-DSS
PA-DSSPA-DSS
PA-DSS
Christian Heinrich
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
AlienVault
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
Alexander Polyakov
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed Introduction
ControlCase
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
Kimberly Simon MBA
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
Rochester Security Summit
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
Kimberly Simon MBA
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
Victor Oluwajuwon Badejo
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
Saumya Vishnoi
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Kimberly Simon MBA
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
okrantz
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
Kimberly Simon MBA
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
ControlCase
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
Terra Verde
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
Kim Jensen
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
Derrick McBreairty
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
Kimberly Simon MBA
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
Kimberly Simon MBA
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
Kimberly Simon MBA
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
Kimberly Simon MBA
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
Kimberly Simon MBA
 
Crash vintage
Crash vintageCrash vintage
Crash vintage
VASILE Viorel
 
Croaziera pe tamisa (sc)
Croaziera pe tamisa (sc)Croaziera pe tamisa (sc)
Croaziera pe tamisa (sc)
VASILE Viorel
 

Weitere ähnliche Inhalte

Was ist angesagt?

Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
Rochester Security Summit
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
AlienVault
 

Was ist angesagt? (20)

Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
A Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security StandardsA Case Study on Payment Card Industry Data Security Standards
A Case Study on Payment Card Industry Data Security Standards
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
AL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_webAL_PCI-Cheatsheet_web
AL_PCI-Cheatsheet_web
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 

Andere mochten auch

Croaziera pe tamisa (sc)
Croaziera pe tamisa (sc)Croaziera pe tamisa (sc)
Croaziera pe tamisa (sc)
VASILE Viorel
 
Cru00 e9puscule (sc)
Cru00 e9puscule (sc)Cru00 e9puscule (sc)
Cru00 e9puscule (sc)
VASILE Viorel
 
intro of Kingthai
intro of Kingthaiintro of Kingthai
intro of Kingthai
Jason Wang
 

Andere mochten auch (11)

Crash vintage
Crash vintageCrash vintage
Crash vintage
 
Croaziera pe tamisa (sc)
Croaziera pe tamisa (sc)Croaziera pe tamisa (sc)
Croaziera pe tamisa (sc)
 
SCAQMD CO OP REPORT
SCAQMD CO OP REPORTSCAQMD CO OP REPORT
SCAQMD CO OP REPORT
 
Cru00 e9puscule (sc)
Cru00 e9puscule (sc)Cru00 e9puscule (sc)
Cru00 e9puscule (sc)
 
Ken Courtright at LaCosta GMP
Ken Courtright at LaCosta GMPKen Courtright at LaCosta GMP
Ken Courtright at LaCosta GMP
 
Unidad ii ejercicios. trabajo de criyimar
Unidad ii ejercicios. trabajo de criyimarUnidad ii ejercicios. trabajo de criyimar
Unidad ii ejercicios. trabajo de criyimar
 
TE ACORDARÁS DE ELLOS
TE ACORDARÁS DE ELLOSTE ACORDARÁS DE ELLOS
TE ACORDARÁS DE ELLOS
 
Aide
AideAide
Aide
 
intro of Kingthai
intro of Kingthaiintro of Kingthai
intro of Kingthai
 
Logstash
LogstashLogstash
Logstash
 
Project- Aston Martin Marketing Plan
Project- Aston Martin Marketing Plan Project- Aston Martin Marketing Plan
Project- Aston Martin Marketing Plan
 

Ähnlich wie Pci dss intro v2

Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprise
bagnalldarren
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
Risk Crew
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
Risk Crew
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
SafeNet
 
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCEEASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
Alex Himmelberg
 

Ähnlich wie Pci dss intro v2 (20)

PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Update to PCI DSS v3.2
Update to PCI DSS v3.2Update to PCI DSS v3.2
Update to PCI DSS v3.2
 
Update to PCI DSS v3.2
Update to PCI DSS v3.2Update to PCI DSS v3.2
Update to PCI DSS v3.2
 
Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprise
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0Key New Requirements Added to PCI DSS 3.0
Key New Requirements Added to PCI DSS 3.0
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Apani PCI-DSS Compliance
Apani PCI-DSS ComplianceApani PCI-DSS Compliance
Apani PCI-DSS Compliance
 
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNetPayment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet
 
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCEEASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
EASING THE COMPLIANCE BURDEN SAGAN SOLUTION & PCI COMPLIANCE
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
PCI Compliance white paper
PCI Compliance white paper PCI Compliance white paper
PCI Compliance white paper
 

Kürzlich hochgeladen

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
Presentation.STUDIO
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
ayushiqss
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 

Kürzlich hochgeladen (20)

ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptxBUS PASS MANGEMENT SYSTEM USING PHP.pptx
BUS PASS MANGEMENT SYSTEM USING PHP.pptx
 
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
%in Stilfontein+277-882-255-28 abortion pills for sale in Stilfontein
 
10 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 202410 Trends Likely to Shape Enterprise Technology in 2024
10 Trends Likely to Shape Enterprise Technology in 2024
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 

Pci dss intro v2

  • 2. About PCI-DSS ● "Although the PCI DSS must be implemented by all entities that process, store or transmit cardholder data, formal validation of PCI DSS compliance is not mandatory for all entities. Currently both Visa and MasterCard require Merchants and Service Providers to be validated according to the PCI DSS. Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS although these organizations must still implement all controls in order to maintain safe harbour and avoid potential liability in the event of fraud associated with theft of cardholder data. Issuing banks are not required to go through PCI DSS validation although they still have to secure the sensitive data in a PCI DSS compliant manner. Acquiring banks are required to comply with PCI DSS as well as to have their compliance validated by means of an audit. (In the event of a security breach, any compromised entity which was not PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines.)" - Wikipedia ● The PCI Standards Council General Manager Bob Russo has indicated that liabilities could change depending on the state of a given organization at the point in time when an actual breach occurs ● PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks
  • 3. Documentation ● ROC Reporting Instructions for PCI DSS v2.0 - https://www.pcisecuritystandards.org/documents/PCI_DSS_2.0_ROC_Reporting_Instructions.pd f ● PCI DSS Virtualization Guidelines v2.0 - https://www.pcisecuritystandards.org/documents/Virtualization_InfoSupp_v2.pdf ● Requirement 6.6 Application Reviews and Web Application Firewalls Clarified v1.2 - https://www.pcisecuritystandards.org/documents/information_supplement_6.6.pdf ● Requirement 11.3 Penetration Testing v1.2 - https://www.pcisecuritystandards.org/documents/information_supplement_11.3.pdf ● Cisco - http://www.cisco.com/en/US/docs/solutions/Enterprise/Compliance/Compliance_DIG/PCI_20_DI G.pdf ● Symantec NetBackup og PCI-DSS - http://www.symantec.com/business/support/index?page=content&id=TECH153100 ● HP BladeSystem and Virtual Connect Suitability in PCI DSS Compliant Deployments - http://h20195.www2.hp.com/v2/GetPDF.aspx%2F4AA4-6580ENW.pdf
  • 4. Apply for “PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply”
  • 5. Storage of PAN Primary Account Number (PAN), Storage Permitted but Render Stored Account Data Unreadable per Requirement 3.4
  • 6. Scoop - Software Please note the following regarding PA-DSS applicability: ● PA-DSS does apply to payment applications that are typically sold and installed ―off the shelfǁ without much customization by software vendors. ● PA-DSS does not apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s normal PCI DSS compliance
  • 7. Scoop - Infrastcture ● The PCI DSS security requirements apply to all system components ● “system components” are defined as any network component, server, or application that is included in or connected to the cardholder data environment. ―System componentsǁ also include any virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors. The cardholder data environment is comprised of people, processes and technology that store, process or transmit cardholder data or sensitive authentication data. Network components include but are not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Server types include, but are not limited to the following: web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS). Applications include all purchased and custom applications, including internal and external (for example, Internet) applications
  • 8. PCI-DSS requirements Achieving PCI DSS compliance requires an organization to successfully meet ALL PCI DSS requirements, regardless of the order in which they are satisfied, or whether the organization seeking compliance follows the PCI DSS Prioritized Approach. The Prioritized Approach is a tool provided to assist organizations seeking to achieve compliance, but it does not, and is not intended in any manner to, modify or abridge the PCI DSS or any of its requirements.
  • 9. Milestone 1 ● 1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks ● 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes as follows: 3.1.1 Implement a data retention and disposal policy that includes: § Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements. § Processes for secure deletion of data when no longer needed. § Specific retention requirements for cardholder data. § A quarterly automatic or manual process for identifying and securely deleting stored cardholder data that exceeds defined retention requirements. ● 12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
  • 10. Milestone 2 ● 1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. ● 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports. ● 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. ● 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties. ● 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. ● 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
  • 11. Milestone 2 ● 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). 11.2.1 Perform quarterly internal vulnerability scans. ● 11.2.2 Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). ● 11.2.3 Perform internal and external scans after any significant change. ● 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following: ● 11.3.1 Network-layer penetration tests. ● 11.3.2 Application-layer penetration tests. ● 11.4 Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines, baselines, and signatures up-to-date.
  • 12. Milestone 2 ● 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment. ● 1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks ● 2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
  • 13. Milestone 3 ● 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. ● 2.2.4 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers ● 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release. ● "6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities. Note: Risk rankings should be based on industry best practices. For example, criteria for ranking ""High"" risk vulnerabilities may include a CVSS base score of 4.0 or above, and/or a vendor-supplied patch classified by the vendor as ""critical,"" and/or a vulnerability affecting a critical system component. Note: The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement."
  • 14. Milestone 3 ● 6.3 Develop software applications (internal and external, and including web-based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices. Incorporate information security throughout the software development life cycle. These processes must include the following: ● "6.3.2 Review of custom code prior to release to production or customers in order to identify any potential coding vulnerability. Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development lifecycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Web applications are also subject to additional controls, if they are public facing, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6." ● "6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following: ● 6.4.1 Separate development/test and production environments." ● 6.4.3 Production data (live PANs) are not used for testing or development.
  • 15. Milestone 3 ● 6.5.5 Improper error handling. ● "6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: § Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes § Installing a web-application firewall in front of public-facing web applications" ● A.1.3 Ensure logging and audit trails are enabled and unique to each entity’s cardholder data environment and consistent with PCI DSS Requirement 10. ● A.1.4 Enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.
  • 16. Milestone 4 ● "7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. ● 8.1 Assign all users a unique username before allowing them to access system components or cardholder data. ● 8.5.2 Verify user identity before performing password resets. ● 8.5.3 Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use. ● 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts. ● "8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users. Restrict user direct access or queries to databases to database administrators."
  • 17. Milestone 4 ● 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. ● "10.2 Implement automated audit trails for all system components to reconstruct the following events: ● 10.2.1 All individual accesses to cardholder data." ● 10.2.2 All actions taken by any individual with root or administrative privileges. ● 10.2.3 Access to all audit trails. ● 10.2.7 Creation and deletion of system-level objects. ● "10.5 Secure audit trails so they cannot be altered. ● 10.5.1 Limit viewing of audit trails to those with a job-related need. " ● 10.5.2 Protect audit trail files from unauthorized modifications. ● 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. ● 10.5.5 Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert). ● 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). ● 11.5 Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files; and configure the software to perform critical file comparisons at least weekly.
  • 18. Milestone 4 ● 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. ● 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach. ● "12.9.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum: § Roles, responsibilities and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum § Specific incident response procedures § Business recovery and continuity procedures § Data back-up processes § Analysis of legal requirements for reporting compromises § Coverage and responses of all critical system components § Reference or inclusion of incident response procedures from the payment brands" ● 12.9.2 Test the plan at least annually. ● 12.9.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts. ● 12.9.4 Provide appropriate training to staff with security breach response responsibilities.
  • 19. Milestone 5 ● 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). ● 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: § One-way hashes based on strong cryptography (hash must be of the entire PAN) § Truncation (hashing cannot be used to replace the truncated segment of PAN) § Index tokens and pads (pads must be securely stored) § Strong cryptography with associated key management processes and procedures Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN. ● 3.5 Protect any keys used to secure cardholder data against both disclosure and misuse: Note: This requirement also applies to key encryption keys used to protect data encrypting keys -- such key encryption keys must be at least as strong as the data encrypting key. ● 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
  • 20. Milestone 6 ● 1.1 Establish firewall and router configuration standards that include the following: ○ 1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations" ○ 1.1.6 Requirement to review firewall and router rule sets at least every six months. ● 6.4.5 Change control procedures for the implementation of security patches and software modifications. Procedures must include the following: ○ 6.4.5.1 Documentation of impact." ○ 6.4.5.2 Documented change approval by authorized parties. ○ 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. ○ 6.4.5.4 Back-out procedures.
  • 21. Milestone 6 ● 12.3.5 Acceptable uses of the technology. ● 12.3.7 List of company-approved products. ● 12.3.10 For personnel accessing cardholder data via remote access technologies, prohibit copy, move, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need. ● 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel. ● 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security. ○ "12.6.1 Educate personnel upon hire at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data." ○ 12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
  • 22. Virtualization PCI DSS Virtualization Guidelines v2.0 - The Virtualization Considerations in this appendix do not replace, supersede, or extend PCI DSS requirements. All best practices and recommendations contained herein are provided as guidance only: ● If any virtual component connected to (or hosted on) the hypervisor is in scope for PCI DSS, the hypervisor itself will always be in scope. For additional guidance on the presence of both in-scope and out-of-scope VMs on the same hypervisor, please refer to Section 4.2 Recommendations for Mixed Mode Environments. Note: the term “mixed-mode” refers to a virtualization configuration where both in-scope and out-of-scope virtual components are running on the same hypervisor or host. ● An entire VM will be in scope if it stores, processes or transmits cardholder data, or if it connects to or provides an entry point into the CDE. If a VM is in scope, both the underlying host system and the hypervisor would also be considered in scope, as they are directly connected to and have a fundamental impact on the functionality and security of the VM. ● Virtual Appliances used to connect or provide services to in-scope system components or networks would be considered in-scope. Any VSA/SVA that could impact the security of the CDE would also be considered in scope ● Networks provisioned on a hypervisor-based virtual switch will be in scope if provisioned with an in-scope component or if they provide services or connect to an in-scope component. Physical devices hosting virtual switches or routers would be considered in scope if any of the hosted components connects to an in-scope network ● Separate administrative functions such that hypervisor administrators do not have the ability to modify, delete, or disable hypervisor audit logs. ● Monitor audit logs to identify activities that could indicate a breach in the integrity of segmentation, security controls, or communication channels between workloads. ● Disable or remove all unnecessary interfaces, ports, devices and services ● Establish limits on VM resource usage
  • 23. Annet (udokumentert/uklart) ● Passord policy’er gjelder også switcher, brannmurer og egne web apper. Ikke bare os brukere. Det går ikke tydelig frem av doc’en men pci-dss v3 skal gjøre dette tydelig ● Det samme gjelder krav til logging etc etc. ● Ting som ikke har pci data kan også være underlagt pci dersom det brukes av pci miljøet. F.eks login server, dns server etc. De må herdes etc akkurat som pci maskiner men pci scopet “smitter” ikke fra de normalt ●