Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit.

Published byVanessa Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit."— Presentation transcript:

1 The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB What is PCI – DSS

2 Being compliant with PCI DSS means that you are doing your very best to keep your customers valuable information safe and secure and out of the hands of people who could use that data in a fraudulent way. If card data is lost and the system is not PCI DSS compliant company could incur Card Scheme fines for the loss of this data and may be liable for the fraud losses incurred against these cards and the operational costs associated with replacing the accounts. Your customers may also not want to do further business with you. Why is PCI DSS Compliance Important?

3 1. QPay credit card policy and procedure 2. Overview of PCI DSS 3. Yearly Scans and Questionnaires 4. What happens if a breach occurs 5. Audits 6. Changes and Revisions Agenda

4 Policy and Procedures Credit Card Information Access and Storage Change approval process. Password Policy Incident Response Plan Data Security Policy Background checks Scans to be performed

5 Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

6 Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti- virus software Requirement 6: Develop and maintain secure systems and applications

7 Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes

8 Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security

9 Credit Card Information Access and Storage Do not store card number in plain text. Use SHA512 with salt method to hash card numbers For reporting purpose store first 6 and last 2 digits in database

10 Change Approval Process Any code change in the application or database needs to go through change process Approval from client Approval from manager Change request forms is must

11 Password Requirement Group and shared passwords are prohibited Passwords should be at least 8 characters long. Passwords must contain alphabetic and numeric characters. Password should not contain all or part of the user's account name Only the following characters are allowed in password creation English uppercase characters (A through Z) English lowercase characters (a through z) Base 10 digits (0 through 9) Non-alphabetic characters (!, $, #, %)

12 Password Requirement Group and shared passwords are prohibited Passwords should be at least 8 characters long. Passwords must contain alphabetic and numeric characters. Password should not contain all or part of the user's account name Only the following characters are allowed in password creation o English uppercase characters (A through Z) o English lowercase characters (a through z) o Base 10 digits (0 through 9) o Non-alphabetic characters (!, $, #, %)

13 Password should be stored as encrypted value using SHA256.\ The current password must not be the same as the previous four passwords. A user id will be locked out after three invalid password attempts. Admin is given the option to unblock the \ locked account. Password should be generated using the URL - http://www.pctools.com/guides/password/

14 Password change request form change the password for database / OS domain / remote access user. Password Change Process in Server

15 Never write passwords down. Never send a password through email. Never include a password in a non-encrypted stored document. Never tell anyone about the password. Never reveal the password over the telephone. Never hint at the format of the password. Never reveal or hint at the password on a form on the internet. Never use the "Remember Password" feature of application programs such as Internet Explorer, email program, or any other program. Password Protection

16 Never use your corporate or network password on an account over the internet which does not have a secure login where the web browser address starts with https:// rather than http:// Report any suspicion of the password being broken to system admin. If anyone asks for the password, refer them to the system admin. Don't use common acronyms as part of the password. Don't use common words or reverse spelling of words in part of the password. Don't use names of people or places as part of the password.

17 Denial of Service / Distributed Denial of Service Excessive Port Scans Firewall Breach Virus Outbreak Breach of Personal Information Detection of unauthorized wireless devices Incident Response Plan Type of Incidents

18 Dangerous virus attack in servers. Intrusion in firewall Malicious code running in windows system folder Network system failures Any change in log server files Data leakage in SQL server database Failure in camera log system Incident in IDC Hardware When Notification Is Required

19 If the IR team leader hear of or identifies any of the above incidents, he will contact the head of the IR team within 24 hours. Head and leader will analysis the severity of the incident and report it to the head of the Vidyut IR team. If the incident cannot be handled within 24 hrs, vidyut head will call the client and inform about the incident details Notification Steps:-

20 PAN data is not sent through e-mail without Encryption PAN data will not be given to merchants / banks through chat system. Password will not be given to merchants / banks through chat system

21 HR needs to verify the employee details with previous employer Police clearance Certificate for new employee Background Check

22 Security Vulnerability Scan – Quarterly External ASV by certified vendor Internal VA using Nessus tool by internal team External Web APP PT – yearly Must be performed by Approved Scanning Vendor (ASV) External Network PT – Yearly Must be performed by Approved Scanning Vendor (ASV) Scans to be performed

23 Internal Network PT – Yearly o Must be performed by Approved Scanning Vendor (ASV) Card Holder Data using PCI CDD tool - Quarterly Wireless Analyzer Scan in IDC – Quarterly o Using Insider tool

Download ppt "The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit."

Similar presentations

Data Privacy IU Financial Transactions Sterling George Director, Financial Systems Administration and Records Management.

Data Privacy IU Financial Transactions Sterling George Director, Financial Systems Administration and Records Management.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.

Copyright Security-Assessment.com 2005 Payment Card Industry Digital Security Standards Presented By Carl Grayson.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

Similar presentations

Ads by Google