By: Matt Winkeler. PCI – Payment Card Industry; DSS – Data Security Standard; PAN – Primary Account Number.

Presentation transcript:

By: Matt Winkeler

- PCI – Payment Card Industry
- DSS – Data Security Standard
- PAN – Primary Account Number

The compliance cycle: Assess, Remediate, Report

- Point of Sale
- Merchant
- Service Provider
- Acquirer

- While not required by law, the DSS is enforced by:
  - American Express
  - Discover
  - JCB International
  - Mastercard
  - Visa

Six Sections, Twelve Requirements

Requirement 1: install and maintain a firewall
Requirement 2: do not use vendor-supplied defaults

- Include testing upon change and/or every six months
- Basic deny on all “untrusted” networks and hosts
- Prohibit public access
- Install personal firewall on mobile devices

- Change defaults before deployment
- Develop configuration standards
- Encrypt all non-console admin access

Requirement 3: protect stored cardholder data
Requirement 4: encrypt transmission of cardholder data across open, public networks

- Limit storage time
- Do not store sensitive authentication data (even if encrypted)
- Mask PAN when displayed
- Render PAN unreadable, at minimum for portable media, backup media, logs, etc.
- Protect crypto keys
- Key management process
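The Requirement 3 bullets above describe what must happen to a PAN before it is displayed, stored or logged. The following Python is an added example written for this transcript, not code from the presentation; it shows masking for display (first six and last four digits), a keyed one-way hash for storage and matching, dropping sensitive authentication data (CVV, track data, PIN) before a record is persisted, and a scrubber that redacts Luhn-valid card numbers from log lines. The card number is the standard "4111..." test value, the HMAC key and the record layout are constructed for the demo.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed values for the demo: a well-known Luhn-valid test card number (not a real
# account) and a hypothetical HMAC key. In production the key lives in a key-management
# system, never beside the data it protects (requirement 3: "protect crypto keys").
SAMPLE_PAN = "4111111111111111"
DEMO_KEY = b"demo-key-do-not-use-in-production"

# Field names that hold sensitive authentication data; these are never persisted,
# even encrypted (requirement 3).
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to confirm that a digit run really is a card number."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits visible, everything else masked."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the PAN so records can be matched or indexed
    without storing the PAN. An unkeyed hash would be brute-forceable: once the first six
    digits (the issuer prefix) are known, the remaining PAN space is small."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Build the record that may be persisted: sensitive authentication data dropped,
    the PAN replaced by its masked form and its keyed hash."""
    stored = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_FIELDS}
    pan = stored.pop("pan")
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_hmac"] = pan_token(pan, key)
    return stored


# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer run.
PAN_CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid card number in free text with its masked form, so a PAN
    never reaches a log file in the clear ("render PAN unreadable ... logs")."""
    def _mask(match: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE_RE.sub(_mask, line)


if __name__ == "__main__":
    # Constructed transaction record and log line.
    record = {"pan": SAMPLE_PAN, "cvv2": "123", "expiry": "12/29", "amount": "12.50"}
    print(prepare_for_storage(record, DEMO_KEY))
    print(scrub_log_line("txn ok user=alice pan=4111 1111 1111 1111 amount=12.50"))
```

The Luhn test keeps the scrubber from masking timestamps, order numbers and other long digit runs that merely look like card numbers; a real deployment would apply it at the logging handler so that no code path can bypass it.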

- Use strong cryptography
- Never send PAN unencrypted

Requirement 5: use and regularly update anti-virus software or programs
Requirement 6: develop and maintain secure systems and applications

- Deploy antivirus software
- Ensure that all antivirus software is current, active and capable of generating logs

- Ensure that all software is updated/patched (critical patches within a month)
- Create a process for vulnerability discovery
- Develop software in accordance with the DSS
- Follow change control
- Develop web software securely
- Annual code review of web-facing applications

Requirement 7: restrict access to cardholder data by business need to know
Requirement 8: assign a unique ID to each person with computer access
Requirement 9: restrict physical access to cardholder data

- Limit physical and digital access
- Establish access control (default: deny all)

- Unique user names
- Employ either password or two-factor authentication
- Two-factor required for remote access
- Encrypt passwords (storage and transmission)
- Password management
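The Requirement 8 bullets call for passwords that are unreadable in storage and a second factor for remote access. The Python below is an added example, not code from the presentation. It renders passwords unreadable with a salted, slow key-derivation function (PBKDF2-HMAC-SHA256, which is how "encrypt passwords" in storage is met in practice: the stored value cannot be reversed, only re-derived and compared), and implements the time-based one-time password of RFC 6238 as the second factor. The iteration count, the remote_login helper and the secret values are assumptions made for the demo; the TOTP secret "12345678901234567890" is the RFC's published test key.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # cost parameter; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Render a password unreadable for storage: random per-user salt plus PBKDF2-HMAC-SHA256.
    The result is self-describing so the parameters can be rotated later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current window and `window` neighbours on each side to tolerate small
    clock drift between token and server (clock sync matters here as in requirement 10)."""
    counter = unix_time // 30
    return any(hmac.compare_digest(hotp(secret, counter + delta), code)
               for delta in range(-window, window + 1))


def remote_login(password: str, stored_hash: str, otp: str, otp_secret: bytes, now: int) -> bool:
    """Hypothetical remote-access check: both factors are always evaluated, so the response
    time does not reveal which of the two failed."""
    pw_ok = verify_password(password, stored_hash)
    otp_ok = verify_totp(otp_secret, otp, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed demo password
    print(stored)
    print(totp(b"12345678901234567890", 59))  # RFC 6238 test vector, 6-digit form
```

Storing the iteration count alongside the hash lets an operator raise the cost for new passwords while old ones keep verifying until the user's next change, which is what "password management" looks like on the storage side.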

- Facility entry controls
- Distinguish between employee and visitor
- Ensure authorization
- Keep a visitor log and retain it for three months
- Store media backups securely
- Secure all digital and physical media
- Maintain control of data flow
- Destroy media

Requirement 10: track and monitor all access to network resources and cardholder data
Requirement 11: regularly test security systems and processes

- Establish a process to link access control to users
- Implement automated audit trails
- Sync clocks
- Secure audit trails
- Review logs at least daily
- Retain audit trail for at least one year; three months should be readily accessible
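The Requirement 10 bullets above (audit trails linked to users, synchronised clocks, daily log review) and the Requirement 7 bullet about access by need to know come together in a daily review job. The Python below is an added example, not code from the presentation: it parses a small constructed audit trail and raises three kinds of finding, a burst of failed logins, access to the cardholder database by an account outside the authorised set, and a timestamp that goes backwards within one host's stream, which usually means an unsynchronised clock. The key=value line format, the host and user names and the thresholds are all assumptions made for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

# Assumed audit-trail format: RFC 3339 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) outcome=(?P<outcome>\S+)$"
)

# Constructed sample: one authorised analyst, one brute-force attempt, one unauthorised
# read of the cardholder database, and one host whose clock has jumped backwards.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z host=db01 user=alice action=login resource=db01 outcome=success
2024-03-01T08:00:05Z host=db01 user=alice action=select resource=cardholder_db outcome=success
2024-03-01T08:01:00Z host=db01 user=mallory action=login resource=db01 outcome=fail
2024-03-01T08:01:10Z host=db01 user=mallory action=login resource=db01 outcome=fail
2024-03-01T08:01:20Z host=db01 user=mallory action=login resource=db01 outcome=fail
2024-03-01T08:01:30Z host=db01 user=mallory action=login resource=db01 outcome=fail
2024-03-01T08:01:40Z host=db01 user=mallory action=login resource=db01 outcome=fail
2024-03-01T08:02:10Z host=db01 user=bob action=select resource=cardholder_db outcome=success
2024-03-01T08:03:00Z host=web01 user=svc action=login resource=web01 outcome=success
2024-03-01T07:50:00Z host=web01 user=svc action=select resource=cardholder_db outcome=success
"""

AUTHORIZED_CHD_USERS = {"alice", "svc"}  # assumed need-to-know list (requirement 7)

Finding = Tuple[str, str, str]  # (kind, subject, detail)


def parse_line(line: str) -> Dict[str, object]:
    """Turn one audit line into a dict with a timezone-aware datetime."""
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unparsable audit line: {line!r}")
    event = match.groupdict()
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {**event, "ts": ts}


def review_audit_trail(lines: Iterable[str], authorized_chd_users: Set[str],
                       fail_threshold: int = 5, window_seconds: int = 300,
                       chd_resource: str = "cardholder_db") -> List[Finding]:
    """Daily review: flag failed-login bursts, unauthorised cardholder-data access, and
    per-host timestamps that run backwards (clock sync problem or tampered log)."""
    events = [parse_line(line) for line in lines if line.strip()]
    findings: List[Finding] = []

    recent_fails: Dict[str, List[datetime]] = defaultdict(list)
    flagged_users: Set[str] = set()
    last_seen: Dict[str, datetime] = {}

    for e in events:
        user, host, ts = e["user"], e["host"], e["ts"]

        # 1. Failed-login bursts within a sliding window, reported once per user.
        if e["action"] == "login" and e["outcome"] == "fail":
            window = [t for t in recent_fails[user] if (ts - t).total_seconds() <= window_seconds]
            window.append(ts)
            recent_fails[user] = window
            if len(window) >= fail_threshold and user not in flagged_users:
                flagged_users.add(user)
                findings.append(("failed_login_burst", user,
                                 f"{len(window)} failures within {window_seconds}s on {host}"))

        # 2. Cardholder-data access by anyone outside the need-to-know list.
        if e["resource"] == chd_resource and user not in authorized_chd_users:
            findings.append(("unauthorized_chd_access", user,
                             f"{e['action']} on {chd_resource} at {ts.isoformat()}"))

        # 3. Time going backwards within a single host's stream.
        prev = last_seen.get(host)
        if prev is not None and ts < prev:
            findings.append(("clock_anomaly", host,
                             f"{ts.isoformat()} recorded after {prev.isoformat()}"))
        last_seen[host] = max(ts, prev) if prev is not None else ts

    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG.splitlines(), AUTHORIZED_CHD_USERS):
        print(finding)
```

Events are processed in ingestion order rather than sorted by timestamp on purpose: sorting first would hide exactly the clock anomaly the third check is looking for.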

- Test for WAPs at least quarterly
- Run internal and external vulnerability scans at least quarterly
- Run internal and external penetration testing at least once a year
- Use intrusion detection/prevention
- Deploy a file integrity monitoring system
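The last Requirement 11 bullet asks for a file integrity monitoring system. The Python below is an added example, not code from the presentation, of the core of such a system: hash every file under a directory into a baseline, store the baseline with an HMAC tag so that the baseline itself cannot be silently edited, and later compare the current state against it to report added, removed and modified files. The directory layout, file names and signing key in the demo are constructed; a real deployment would point this at system binaries, configuration and the payment application and run it on a schedule.

```python
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List

DEMO_KEY = b"baseline-signing-key-for-demo-only"  # hypothetical; keep it off the monitored host


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, '/' separated) to its content hash."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str, key: bytes) -> None:
    """Write the baseline as JSON plus an HMAC over the canonical encoding."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"files": body, "mac": tag}, f)


def load_baseline(path: str, key: bytes) -> Dict[str, str]:
    """Reload the baseline, refusing it if the HMAC does not verify."""
    with open(path, "r", encoding="utf-8") as f:
        wrapper = json.load(f)
    expected = hmac.new(key, wrapper["files"].encode("utf-8"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, wrapper["mac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(wrapper["files"])


def compare_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Report what changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def _write(root: str, rel: str, content: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)


def demo() -> Dict[str, List[str]]:
    """Self-contained run in temporary directories: take a baseline, then change the tree."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "conf/app.ini", b"debug=false\n")
        _write(root, "bin/run.sh", b"#!/bin/sh\necho hi\n")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_path, DEMO_KEY)

        _write(root, "conf/app.ini", b"debug=true\n")  # modified
        os.remove(os.path.join(root, "bin", "run.sh"))   # removed
        _write(root, "lib/new.so", b"\x7fELF...")        # added (constructed placeholder bytes)

        return compare_baseline(load_baseline(baseline_path, DEMO_KEY), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The HMAC on the stored baseline is the part most home-grown monitors skip: without it, anyone who can alter a monitored file can also re-hash it into the baseline, and the monitor reports nothing.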

Requirement 12: maintain a policy that addresses information security for employees and contractors

- Publish all policies related to DSS implementation
- Develop SOPs
- Develop employee-related policies
- Policies must address SAs and contractors
- Security awareness program
- Screen incoming employees
- Incident response plan

Questions? Answers.