SlideShare a Scribd company logo

Implement PCI DSS Compliance for Card Data Security

Download as PPT, PDF
Luong Trung Thanh
Luong Trung Thanh

Chia se kinh nghiem trien kahi PCI-DSS cua anh Phan Canh Nhat.

Technology
1 of 26
IMPLEMENT PCI DSS Phan Cảnh Nhật - 2014
What is PCI DSS? • Payment Card Industry Data Security Standard • Enforced by PCI Security Standard Council • Council formed by the five major card brands shown
Who apply? • Any company that process, stores or transmits card information is require to be PCI DSS complaint • So not just for E-commerce, also required for..  Retail (brick-and-mortar)  Mail/Telephone ordering
What’s the goal? • Protect cardholder data and sensitive auth. data • Cardholder data:  Primary account number  Cardholder name  Expiration date  Service code • Sensitive authentication data:  Full track data (from magnetic strip)  CAV2 / CVC2 / CVV2 / CID  PIN blocks
6 Goal • Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters • Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
6 Goal • Maintain a Vul. Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications • Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data
6 Goal • Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
Noncompliance • Fines (can range between $90-$500 per card exposed) • On the news, lost image, … • Revoke of merchant account
Implement PCI DSS • Apply ISO 27001 first • Build Policy, Document, Process, … • Risk Assessment • Scope reduce •
Implement PCI DSS
Implement PCI DSS • Man vs money • Requirements and Security Assessment Procedures: https://www.pcisecuritystandards.org/docu ments/PCI_DSS_v3.pdf
Implement PCI DSS • Working hard •
Result
Build and Maintain a Secure Network • Req 1 - Install and maintain a firewall  Document list of services and ports necessary (1.1.5)  Have a formal process for approving and testing all external network connections (1.1.1)  Quarterly review of firewall and router rule sets (1.1.8)  Firewall should deny all traffic not explicitly allowed (1.3.7)  Placing database servers in an internal network segregated from the DMZ (1.3.4)  Placing personal firewall software on any mobile device that has access to the organization's network (1.3.9)
Build and Maintain a Secure Network • Req 2 - Do not use vendor-supplied defaults for system passwords and other security parameters  Eliminate unneccessary accounts (2.1)  Implement only one primary function per server (web,  database, dns, etc) (2.2.1)  Disable all unnecessary and insecure protocols (2.2.2)  Remove all unneccessary scripts, drivers, features (2.2.4)  Encrypt all non-console administrative access - SSH,VPN,SSL/TLS (2.3)
Protect Cardholder Data • Req 3 - Protect stored cardholder data  Keep card storage to a minimum (3.1)  Do not store the card magnetic track (3.2.1)  Do not store the card verification code - CVC2/CVV2/CID (3.2.2)  Do not store the card's PIN  Mask PAN when displayed (3.3) for example first 6 last 4 digits  Encrypt PAN when it's stored (3.4)
Protect Cardholder Data • Req 4 - Encrypt transmission of cardholder data across open, public networks  SSL/TLS (4.1.1)  Never send unencrypted PANs via Email (4.2)
Maintain a Vulnerability Management Program • Req 5 - Use and regularly update antivirus software  Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software (5.1.1)  Ensure AV generates logs (5.2)
Maintain a Vulnerability Management Program • Req 6 - Develop and maintain secure systems and applications  Ensure all software have the latest patches (within a month of release) (6.1)  Maintain separate development,test and production environments (6.3.2)  Live PANs are not used for testing or dev. (6.3.4)  Review code for vulnerabilities before going live (6.3.7)  Have all code reviewed for these common vulnerabilities by an outside organization that specializes in application security (6.6)  Have an web application firewall (WAF) (6.6)
Implement Strong Access Control Measures • Req 7 - Restrict access to cardholder data by business need-to-know  Deny access unless explicitly allowed by authorized personnel (7.2)
Implement Strong Access Control Measures • Req 8 - Assign a unique ID to each person with computer access  All users have a unique username (8.1)  Encrpyt all passwords during transmission and storage (8.4)  Passwords must have a minimum of 9 characters (8.5.10)  Passwords must be alphanumeric (8.5.11)  Lock account after not more than 6 failed attempts (8.5.13)  If a session is idle for more than 15 minutes, require re-login (8.5.15)
Implement Strong Access Control Measures • Req 9 - Restrict physical access to cardholder data  Use proper facility that controls and monitors access (9.1)  Have a procedure to distinguish between employees and visitors (9.2)  Use visitor log (9.4)  Store backup media in a secure location (9.5)
Regularly Monitor and Test Networks • Req 10 - Track and monitor all access to network resources and cardholder data  Implement audit trails (10.2)  Synchronize all critical system clocks and times (10.4)  Backup audit trail files (10.5.3)  Review logs for all system components at least daily (10.6)  Retain audit trail history for at least one year (10.7)
Regularly Monitor and Test Networks • Req 11 - Regularly test security systems and processes  Test security controls, limitations and restrictions annually (11.1)  Run internal/external scans at least quarterly (11.2)  Perform penetration testing at least once a year (11.3)  Use network intrusion detection systems (11.4)
Maintain an Information Security Policy • Req 12 - Maintain a policy that addresses informational security  Establish and publish your security policy (12.1.1)  Develop daily operational security procedures (12.2)  Implement a formal security awareness program to make all employees aware of the importance of cardholder data security (12.6)  Educate employees upon hire and at least annually (12.6.1)  If cardholder data is shared with service providers, then contractually the service provider must follow PCI DSS (12.8.1)
Q & A

Recommended

CSF18 - The Night is Dark and Full of Hackers - Sami Laiho
CSF18 - The Night is Dark and Full of Hackers - Sami LaihoCSF18 - The Night is Dark and Full of Hackers - Sami Laiho
CSF18 - The Night is Dark and Full of Hackers - Sami LaihoNCCOMMS
 
DataPower as PCI
DataPower as PCIDataPower as PCI
DataPower as PCIShiu-Fun Poon
 
PCI Compliance Myths, Reality and Solutions for Retail
PCI Compliance Myths, Reality and Solutions for RetailPCI Compliance Myths, Reality and Solutions for Retail
PCI Compliance Myths, Reality and Solutions for RetailInDefense Security
 
MBESDatasheet
MBESDatasheetMBESDatasheet
MBESDatasheetWiveka O'Sullivan
 
Next-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionNext-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionQuick Heal Technologies Ltd.
 
Network Design and Security Best Practices
Network Design and Security Best PracticesNetwork Design and Security Best Practices
Network Design and Security Best PracticesMike Sherwood
 
Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet
 
USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9Javier Arrospide
 

Recommended

CSF18 - The Night is Dark and Full of Hackers - Sami Laiho
CSF18 - The Night is Dark and Full of Hackers - Sami LaihoCSF18 - The Night is Dark and Full of Hackers - Sami Laiho
CSF18 - The Night is Dark and Full of Hackers - Sami LaihoNCCOMMS
 
DataPower as PCI
DataPower as PCIDataPower as PCI
DataPower as PCIShiu-Fun Poon
 
PCI Compliance Myths, Reality and Solutions for Retail
PCI Compliance Myths, Reality and Solutions for RetailPCI Compliance Myths, Reality and Solutions for Retail
PCI Compliance Myths, Reality and Solutions for RetailInDefense Security
 
MBESDatasheet
MBESDatasheetMBESDatasheet
MBESDatasheetWiveka O'Sullivan
 
Next-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionNext-Gen Security Solution: Gateway Protection
Next-Gen Security Solution: Gateway ProtectionQuick Heal Technologies Ltd.
 
Network Design and Security Best Practices
Network Design and Security Best PracticesNetwork Design and Security Best Practices
Network Design and Security Best PracticesMike Sherwood
 
Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet Security Presentation 2017
Mailjet Security Presentation 2017Mailjet
 
USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9USB-Lock-RP Technical Datasheet version 11.9
USB-Lock-RP Technical Datasheet version 11.9Javier Arrospide
 
Pci dss-compliance
Pci dss-compliancePci dss-compliance
Pci dss-compliancefaisal_ss1
 
Institutional IT Security
Institutional IT SecurityInstitutional IT Security
Institutional IT SecurityCRISIL Limited
 
Secure Email Communications from Symantec
Secure Email Communications from SymantecSecure Email Communications from Symantec
Secure Email Communications from SymantecArrow ECS UK
 
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Quick Heal Technologies Ltd.
 
z/OS Authorized Code Scanner
z/OS Authorized Code Scannerz/OS Authorized Code Scanner
z/OS Authorized Code ScannerLuigi Perrone
 
Operations Security
Operations SecurityOperations Security
Operations SecurityMauro Alberto
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
File Security System_2
File Security System_2File Security System_2
File Security System_2Dheeraj Kumar Singh
 
Panda Security - Gatedefender
Panda Security - GatedefenderPanda Security - Gatedefender
Panda Security - GatedefenderPanda Security
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
usb-lock-rp-en
usb-lock-rp-enusb-lock-rp-en
usb-lock-rp-enJavier Arrospide
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security IntroductionGLC Networks
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017Micro Focus
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 
SCC (Security Control Center)
SCC (Security Control Center)SCC (Security Control Center)
SCC (Security Control Center)Junyoung Jung
 
Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprisebagnalldarren
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017Micro Focus
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskPrecisely
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Segmenting your Network for Security - The Good, the Bad and the Ugly
Segmenting your Network for Security - The Good, the Bad and the UglySegmenting your Network for Security - The Good, the Bad and the Ugly
Segmenting your Network for Security - The Good, the Bad and the UglyAlgoSec
 
Experience for implement PCI DSS
Experience for implement PCI DSS Experience for implement PCI DSS
Experience for implement PCI DSS Nhat Phan Canh
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 

More Related Content

What's hot

Pci dss-compliance
Pci dss-compliancePci dss-compliance
Pci dss-compliancefaisal_ss1
 
Institutional IT Security
Institutional IT SecurityInstitutional IT Security
Institutional IT SecurityCRISIL Limited
 
Secure Email Communications from Symantec
Secure Email Communications from SymantecSecure Email Communications from Symantec
Secure Email Communications from SymantecArrow ECS UK
 
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Quick Heal Technologies Ltd.
 
z/OS Authorized Code Scanner
z/OS Authorized Code Scannerz/OS Authorized Code Scanner
z/OS Authorized Code ScannerLuigi Perrone
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Jan Ketil Skanke
 
Panda Security - Gatedefender
Panda Security - GatedefenderPanda Security - Gatedefender
Panda Security - GatedefenderPanda Security
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-dataKevin Mayo
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security IntroductionGLC Networks
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017Micro Focus
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 
SCC (Security Control Center)
SCC (Security Control Center)SCC (Security Control Center)
SCC (Security Control Center)Junyoung Jung
 
Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprisebagnalldarren
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017Micro Focus
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskPrecisely
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Ulf Mattsson
 
Segmenting your Network for Security - The Good, the Bad and the Ugly
Segmenting your Network for Security - The Good, the Bad and the UglySegmenting your Network for Security - The Good, the Bad and the Ugly
Segmenting your Network for Security - The Good, the Bad and the UglyAlgoSec
 

What's hot (20)

Pci dss-compliance
Pci dss-compliancePci dss-compliance
Pci dss-compliance
 
Institutional IT Security
Institutional IT SecurityInstitutional IT Security
Institutional IT Security
 
Secure Email Communications from Symantec
Secure Email Communications from SymantecSecure Email Communications from Symantec
Secure Email Communications from Symantec
 
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...Centralized Patch Management - Proven Security Approach for Ransomware Protec...
Centralized Patch Management - Proven Security Approach for Ransomware Protec...
 
z/OS Authorized Code Scanner
z/OS Authorized Code Scannerz/OS Authorized Code Scanner
z/OS Authorized Code Scanner
 
Operations Security
Operations SecurityOperations Security
Operations Security
 
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
Security @ Windows 10 Partner Technical Bootcamp Microsoft Norway October 2015
 
File Security System_2
File Security System_2File Security System_2
File Security System_2
 
Panda Security - Gatedefender
Panda Security - GatedefenderPanda Security - Gatedefender
Panda Security - Gatedefender
 
Secure nets-and-data
Secure nets-and-dataSecure nets-and-data
Secure nets-and-data
 
usb-lock-rp-en
usb-lock-rp-enusb-lock-rp-en
usb-lock-rp-en
 
Cloud Security Introduction
Cloud Security IntroductionCloud Security Introduction
Cloud Security Introduction
 
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
PROTECT AND SURVIVE – SAFEGUARDING YOUR INFORMATION ASSETS - #MFSummit2017
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
 
SCC (Security Control Center)
SCC (Security Control Center)SCC (Security Control Center)
SCC (Security Control Center)
 
Closing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet EnterpriseClosing PCI WiFi Loopholes with AirMagnet Enterprise
Closing PCI WiFi Loopholes with AirMagnet Enterprise
 
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
SUPPORTING SECURITY THROUGH NEXT GEN IDENTITY GOVERNANCE - #MFSummit2017
 
Social Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity RiskSocial Distance Your IBM i from Cybersecurity Risk
Social Distance Your IBM i from Cybersecurity Risk
 
Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014Practical advice for cloud data protection ulf mattsson - jun 2014
Practical advice for cloud data protection ulf mattsson - jun 2014
 
Segmenting your Network for Security - The Good, the Bad and the Ugly
Segmenting your Network for Security - The Good, the Bad and the UglySegmenting your Network for Security - The Good, the Bad and the Ugly
Segmenting your Network for Security - The Good, the Bad and the Ugly
 

Similar to Implement PCI DSS Compliance for Card Data Security

Experience for implement PCI DSS
Experience for implement PCI DSS Experience for implement PCI DSS
Experience for implement PCI DSS Nhat Phan Canh
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standardmanojghimiray
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White PaperRaz-Lee Security
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)ControlCase
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as UsualControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler HelpSystems
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudControlCase
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesControlCase
 
Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Jamal Soudi
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes ControlCase
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 

Similar to Implement PCI DSS Compliance for Card Data Security (20)

Experience for implement PCI DSS
Experience for implement PCI DSS Experience for implement PCI DSS
Experience for implement PCI DSS
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
 
PCI presentation
PCI presentationPCI presentation
PCI presentation
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 

More from Luong Trung Thanh

Cloud Control Matrix v3 - Security Bootcamp 2016
Cloud Control Matrix v3 - Security Bootcamp 2016Cloud Control Matrix v3 - Security Bootcamp 2016
Cloud Control Matrix v3 - Security Bootcamp 2016Luong Trung Thanh
 
Cloud Security - What you Should Be Concerned About
Cloud Security - What you Should Be Concerned AboutCloud Security - What you Should Be Concerned About
Cloud Security - What you Should Be Concerned AboutLuong Trung Thanh
 
PCI-DSS Funny (Vietnamese only)
PCI-DSS Funny (Vietnamese only)PCI-DSS Funny (Vietnamese only)
PCI-DSS Funny (Vietnamese only)Luong Trung Thanh
 
Slide 2013 05_31_include_hidden_slide
Slide 2013 05_31_include_hidden_slideSlide 2013 05_31_include_hidden_slide
Slide 2013 05_31_include_hidden_slideLuong Trung Thanh
 
Slide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ Anh
Slide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ AnhSlide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ Anh
Slide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ AnhLuong Trung Thanh
 
Slide Notes Event Security Monitoring
Slide Notes Event Security MonitoringSlide Notes Event Security Monitoring
Slide Notes Event Security MonitoringLuong Trung Thanh
 
Monitoring event 20130525_chinhsua
Monitoring event 20130525_chinhsuaMonitoring event 20130525_chinhsua
Monitoring event 20130525_chinhsuaLuong Trung Thanh
 
Virtualization application(app v)
Virtualization application(app v)Virtualization application(app v)
Virtualization application(app v)Luong Trung Thanh
 

More from Luong Trung Thanh (13)

Cloud Control Matrix v3 - Security Bootcamp 2016
Cloud Control Matrix v3 - Security Bootcamp 2016Cloud Control Matrix v3 - Security Bootcamp 2016
Cloud Control Matrix v3 - Security Bootcamp 2016
 
Cloud Security - What you Should Be Concerned About
Cloud Security - What you Should Be Concerned AboutCloud Security - What you Should Be Concerned About
Cloud Security - What you Should Be Concerned About
 
APP-V Present - Vietnamese
APP-V Present - VietnameseAPP-V Present - Vietnamese
APP-V Present - Vietnamese
 
PCI-DSS Funny (Vietnamese only)
PCI-DSS Funny (Vietnamese only)PCI-DSS Funny (Vietnamese only)
PCI-DSS Funny (Vietnamese only)
 
The first slide
The first slide The first slide
The first slide
 
Main slinux
Main slinuxMain slinux
Main slinux
 
Slide 2013 05_31_include_hidden_slide
Slide 2013 05_31_include_hidden_slideSlide 2013 05_31_include_hidden_slide
Slide 2013 05_31_include_hidden_slide
 
Present 2013 05_31
Present 2013 05_31Present 2013 05_31
Present 2013 05_31
 
Main
MainMain
Main
 
Slide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ Anh
Slide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ AnhSlide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ Anh
Slide kinh nghiệm vận hành Cloud trên Amazon - Huỳnh Kỳ Anh
 
Slide Notes Event Security Monitoring
Slide Notes Event Security MonitoringSlide Notes Event Security Monitoring
Slide Notes Event Security Monitoring
 
Monitoring event 20130525_chinhsua
Monitoring event 20130525_chinhsuaMonitoring event 20130525_chinhsua
Monitoring event 20130525_chinhsua
 
Virtualization application(app v)
Virtualization application(app v)Virtualization application(app v)
Virtualization application(app v)
 

Recently uploaded

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Implement PCI DSS Compliance for Card Data Security

  • 1. IMPLEMENT PCI DSS Phan Cảnh Nhật - 2014
  • 2. What is PCI DSS? • Payment Card Industry Data Security Standard • Enforced by PCI Security Standard Council • Council formed by the five major card brands shown
  • 3. Who apply? • Any company that process, stores or transmits card information is require to be PCI DSS complaint • So not just for E-commerce, also required for..  Retail (brick-and-mortar)  Mail/Telephone ordering
  • 4. What’s the goal? • Protect cardholder data and sensitive auth. data • Cardholder data:  Primary account number  Cardholder name  Expiration date  Service code • Sensitive authentication data:  Full track data (from magnetic strip)  CAV2 / CVC2 / CVV2 / CID  PIN blocks
  • 5. 6 Goal • Build and Maintain a Secure Network and Systems 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters • Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks
  • 6. 6 Goal • Maintain a Vul. Management Program 5. Protect all systems against malware and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications • Implement Strong Access Control Measures 7. Restrict access to cardholder data by business need to know 8. Identify and authenticate access to system components 9. Restrict physical access to cardholder data
  • 7. 6 Goal • Regularly Monitor and Test Networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes • Maintain an Information Security Policy 12. Maintain a policy that addresses information security for all personnel
  • 8. Noncompliance • Fines (can range between $90-$500 per card exposed) • On the news, lost image, … • Revoke of merchant account
  • 9. Implement PCI DSS • Apply ISO 27001 first • Build Policy, Document, Process, … • Risk Assessment • Scope reduce •
  • 11. Implement PCI DSS • Man vs money • Requirements and Security Assessment Procedures: https://www.pcisecuritystandards.org/docu ments/PCI_DSS_v3.pdf
  • 12. Implement PCI DSS • Working hard •
  • 14. Build and Maintain a Secure Network • Req 1 - Install and maintain a firewall  Document list of services and ports necessary (1.1.5)  Have a formal process for approving and testing all external network connections (1.1.1)  Quarterly review of firewall and router rule sets (1.1.8)  Firewall should deny all traffic not explicitly allowed (1.3.7)  Placing database servers in an internal network segregated from the DMZ (1.3.4)  Placing personal firewall software on any mobile device that has access to the organization's network (1.3.9)
  • 15. Build and Maintain a Secure Network • Req 2 - Do not use vendor-supplied defaults for system passwords and other security parameters  Eliminate unneccessary accounts (2.1)  Implement only one primary function per server (web,  database, dns, etc) (2.2.1)  Disable all unnecessary and insecure protocols (2.2.2)  Remove all unneccessary scripts, drivers, features (2.2.4)  Encrypt all non-console administrative access - SSH,VPN,SSL/TLS (2.3)
  • 16. Protect Cardholder Data • Req 3 - Protect stored cardholder data  Keep card storage to a minimum (3.1)  Do not store the card magnetic track (3.2.1)  Do not store the card verification code - CVC2/CVV2/CID (3.2.2)  Do not store the card's PIN  Mask PAN when displayed (3.3) for example first 6 last 4 digits  Encrypt PAN when it's stored (3.4)
  • 17. Protect Cardholder Data • Req 4 - Encrypt transmission of cardholder data across open, public networks  SSL/TLS (4.1.1)  Never send unencrypted PANs via Email (4.2)
  • 18. Maintain a Vulnerability Management Program • Req 5 - Use and regularly update antivirus software  Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software (5.1.1)  Ensure AV generates logs (5.2)
  • 19. Maintain a Vulnerability Management Program • Req 6 - Develop and maintain secure systems and applications  Ensure all software have the latest patches (within a month of release) (6.1)  Maintain separate development,test and production environments (6.3.2)  Live PANs are not used for testing or dev. (6.3.4)  Review code for vulnerabilities before going live (6.3.7)  Have all code reviewed for these common vulnerabilities by an outside organization that specializes in application security (6.6)  Have an web application firewall (WAF) (6.6)
  • 20. Implement Strong Access Control Measures • Req 7 - Restrict access to cardholder data by business need-to-know  Deny access unless explicitly allowed by authorized personnel (7.2)
  • 21. Implement Strong Access Control Measures • Req 8 - Assign a unique ID to each person with computer access  All users have a unique username (8.1)  Encrpyt all passwords during transmission and storage (8.4)  Passwords must have a minimum of 9 characters (8.5.10)  Passwords must be alphanumeric (8.5.11)  Lock account after not more than 6 failed attempts (8.5.13)  If a session is idle for more than 15 minutes, require re-login (8.5.15)
  • 22. Implement Strong Access Control Measures • Req 9 - Restrict physical access to cardholder data  Use proper facility that controls and monitors access (9.1)  Have a procedure to distinguish between employees and visitors (9.2)  Use visitor log (9.4)  Store backup media in a secure location (9.5)
  • 23. Regularly Monitor and Test Networks • Req 10 - Track and monitor all access to network resources and cardholder data  Implement audit trails (10.2)  Synchronize all critical system clocks and times (10.4)  Backup audit trail files (10.5.3)  Review logs for all system components at least daily (10.6)  Retain audit trail history for at least one year (10.7)
  • 24. Regularly Monitor and Test Networks • Req 11 - Regularly test security systems and processes  Test security controls, limitations and restrictions annually (11.1)  Run internal/external scans at least quarterly (11.2)  Perform penetration testing at least once a year (11.3)  Use network intrusion detection systems (11.4)
  • 25. Maintain an Information Security Policy • Req 12 - Maintain a policy that addresses informational security  Establish and publish your security policy (12.1.1)  Develop daily operational security procedures (12.2)  Implement a formal security awareness program to make all employees aware of the importance of cardholder data security (12.6)  Educate employees upon hire and at least annually (12.6.1)  If cardholder data is shared with service providers, then contractually the service provider must follow PCI DSS (12.8.1)
  • 26. Q & A