By: Matt Winkeler. PCI – Payment Card Industry; DSS – Data Security Standard; PAN – Primary Account Number.

Presentation transcript:

1 By: Matt Winkeler

2
• PCI – Payment Card Industry
• DSS – Data Security Standard
• PAN – Primary Account Number

3

4 The ongoing compliance cycle: Assess → Remediate → Report

5
• Point of Sale
• Merchant
• Service Provider
• Acquirer

6
• While not legally required, the DSS is enforced by:
  ◦ American Express
  ◦ Discover
  ◦ JCB International
  ◦ Mastercard
  ◦ Visa

7 Six Sections, Twelve Requirements

8
Requirement 1: install and maintain a firewall
Requirement 2: do not use vendor-supplied defaults

9
• Include testing upon change and/or every six months
• Default deny for all “untrusted” networks and hosts
• Prohibit public access
• Install personal firewall on mobile devices

10
• Change defaults before deployment
• Develop configuration standards
• Encrypt all non-console admin access

11
Requirement 3: protect stored cardholder data
Requirement 4: encrypt transmission of cardholder data across open, public networks

12
• Limit storage time
• Do not store sensitive authentication data (even if encrypted)
• Mask PAN when displayed
• Render PAN unreadable at minimum for portable media, backup media, logs, etc.
• Protect crypto keys
• Key management process
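The two PAN-handling bullets above (mask when displayed, render unreadable in logs) are the ones a developer most often gets wrong, so here is an added Python example, written for this page and not taken from the presentation, that shows both: display masking that keeps at most the first six and last four digits, and a log redactor that finds card-number candidates, confirms them with the Luhn checksum to avoid flagging order ids and timestamps, and truncates them to the last four digits. The log lines are constructed for the example, and the 16-digit values are the widely published Visa and Mastercard test numbers, not real accounts.

```python
import re

# Constructed sample log lines for this example (not from the presentation). The
# first two card numbers are published test numbers that pass the Luhn check but
# are not real accounts; 1234567890123456 fails Luhn and is left alone.
SAMPLE_LOG_LINES = [
    "2024-01-05 10:12:01 order=1842 pan=4111111111111111 status=approved",
    "2024-01-05 10:12:02 order=1843 pan=5500 0000 0000 0004 status=declined",
    "2024-01-05 10:12:03 order=1844 ref=1234567890123456 status=approved",
    "2024-01-05 10:12:04 heartbeat ok",
]

# A PAN is 13-19 digits; tolerate single spaces or dashes between digit groups.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Every real PAN passes it, so it is a cheap
    filter that keeps order numbers and timestamps from being treated as card data."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan_for_display(pan: str) -> str:
    """Display masking: show no more than the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line: str) -> str:
    """Render any PAN in a log line unreadable by truncating it to the last four digits."""
    def _replace(match):
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)           # fails Luhn: not a card number, keep as-is
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_replace, line)


def redact_log(lines):
    """Apply redact_pans to every line of a log, returning the cleaned copy."""
    return [redact_pans(line) for line in lines]


if __name__ == "__main__":
    print(mask_pan_for_display("4111 1111 1111 1111"))
    for cleaned in redact_log(SAMPLE_LOG_LINES):
        print(cleaned)
```

Redaction belongs at the point where the log record is written (a logging filter or formatter), not in a clean-up job run after the fact: once an unredacted PAN has reached disk, that log file is already in scope for the requirement.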

13

14
• Use strong cryptography
• Never send PAN unencrypted

15
Requirement 5: use and regularly update anti-virus software or programs
Requirement 6: develop and maintain secure systems and applications

16
• Deploy antivirus software
• Ensure that all antivirus software is current, active and capable of generating logs

17
• Ensure that all software is updated/patched (critical patches within a month)
• Create process for vulnerability discovery
• Develop software in accordance with DSS
• Follow change control
• Develop web software securely
• Annual code review of web-facing applications

18
Requirement 7: restrict access to cardholder data by business need to know
Requirement 8: assign a unique ID to each person with computer access
Requirement 9: restrict physical access to cardholder data

19
• Limit physical and digital access
• Establish access control (default: deny all)

20
• Unique user names
• Employ either password or two-factor authentication
• Two-factor required for remote access
• Encrypt passwords (storage and transmission)
• Password management

21
• Facility entry controls
• Distinguish between employee and visitor
• Ensure authorization
• Keep visitor log and retain for three months
• Store media backups securely
• Secure all digital and physical media
• Maintain control of data flow
• Destroy media

22
Requirement 10: track and monitor all access to network resources and cardholder data
Requirement 11: regularly test security systems and processes

23
• Establish process to link access control to users
• Implement automated audit trails
• Sync clocks
• Secure audit trails
• Review logs at least daily
• Retain audit trail for at least one year; three months should be readily accessible

24
• Test for wireless access points (WAPs) at least quarterly
• Run internal and external vulnerability scans at least quarterly
• Run internal and external penetration testing at least once a year
• Use intrusion detection/prevention
• Deploy file integrity monitoring system

25 Requirement 12: maintain a policy that addresses information security for employees and contractors

26
• Publish all policies related to DSS implementation
• Develop standard operating procedures (SOPs)
• Develop employee-related policies
• Policies must address SAs and contractors
• Security awareness program
• Screen incoming employees
• Incident response plan

27 Questions? Answers.

