Presentation is loading. Please wait.

Presentation is loading. Please wait.

Payment Card Industry (PCI) Data Security Standard

Similar presentations

Presentation on theme: "Payment Card Industry (PCI) Data Security Standard"— Presentation transcript:

1 Payment Card Industry (PCI) Data Security Standard

2 12 standards over six areas
Build & Maintain Secure Network(2) Protect Cardholder Data(2) Maintain a Vulnerability Management Program(2) Implement Strong Access Control Measures(3) Regularly Monitor and Test Networks(2) Maintain an Information Security Policy(1)

3 1) Build & Maintain Secure Network
Install and maintain a firewall configuration to protect cardholder data Establish firewall configuration standards Process for testing external connections & changes to firewall Network diagram with all connections to cardholder data Document all services & ports necessary for business Justify any protocol besides Http, Https, VPN Justification of risky protocols such as FTP, reasons for use and security measures implemented to deal with them Quarterly review of firewall and router rule sets Configuration standards for routers

4 Build firewall configuration that denies all traffic from untrusted networks & hosts, except for protocols necessary for the card holder data environment

5 Firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data Restrict inbound & outbound traffic to that which is necessary for cardholder data environment Deny all other inbound & outbound traffic

6 Do not use vendor-supplied defaults for system passwords and other security parameters
Develop configuration standards for components Assure that standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards Hosting providers must protect each entity’s hosted environment & data Comply with PCI DSS for hosting providers

7 2) Protect Cardholder Data
Keep cardholder storage to a minimum Data retention Policy Only as long as needed for Business Legal and/or Regulatory purposes Do not store sensitive authentication data subsequent to authorization, even if encrypted Do not store full contents of any track from magnetic stripe

8 Commonly used elements of cardholder and sensitive authentication data

9 Mask PAN when displayed
First six or last 4 are the max Protect encryption keys used for encryption of cardholder data Restrict access to keys Secure storage of keys

10 Encrypt transmission of cardholder data across open, public networks
Use strong cryptology & security protocols For wireless, use WPA or WPA2 If you must use WEP, additional security measures needed such as minimum 104 bit encryption, Restrict access base on MAC address Never send unencrypted PANs by

11 3) Maintain a Vulnerability Management Program
Use and regularly update anti-virus software Deploy on all systems commonly affected by viruses(especially personal computers and servers)

12 Develop and maintain secure systems and applications
Latest patches installed Develop software apps based on industry best practices Change control procedures

13 4) Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Account management Restrict physical access to cardholder data

14 5) Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data Automated assessment trails Regularly test security systems and processes Test controls on regular basis Run internal & external vulnerability scans Penetration test at least once per year

15 6) Maintain an Information Security Policy
Maintain a policy that addresses information security for employees & contractors Document, maintain and disseminate Ensure policies clearly define security responsibilities for all employees & contractors Establish formal security awareness program Screen potential employees Implement incident response team

Download ppt "Payment Card Industry (PCI) Data Security Standard"

Similar presentations

Ads by Google