Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Guidelines & Procedures When Working With Sensitive Data

advertisement 
PCI-DSS:
Guidelines & Procedures When
Working With Sensitive Data
Guidelines & Procedures When Working With Sensitive Data
Introduction
As a HelpDesk Agent you have been given the responsibility to resolve
customer issues that include working with sensitive data.
Sensitive data can be defined as card account numbers, magnetic
stripe information, PIN numbers, and card validation codes.
It will be critical you follow these guidelines and procedures.
Failure could result in the customer’s information being compromised,
and non-compliancy with PA-DSS regulations.
3
Guidelines & Procedures When Working With Sensitive Data
Introduction
PCI/PA-DSS Requirement 1.1.5 states:
Securely delete any sensitive authentication data used for debugging or
troubleshooting purposes from log files, debugging files, and other data sources
received from customers, to ensure that magnetic stripe data, card validation
codes or values, and PINs or PIN block data are not stored on software vendor
systems. These data sources must be collected in limited amounts and only
when necessary to resolve a problem, encrypted while stored, and deleted
immediately after use (PCI Data Security Standard Requirement 3.2). To ensure
compliance , the following guidelines must be applied:
1. Collect data only when needed to solve a specific problem.
2. Collect only a limited amount of data.
3. Store such data in a specific, known location with limited access.
4. Encrypt sensitive authentication data while stored.
5. Secure deletion of such data immediately after use.
4
Guidelines & Procedures When Working With Sensitive Data
Course Objectives
By the end of this training you will be able to:
 Create a Private Encryption Key.
 Store sensitive data to only the Secure Area Encrypted Folder.
 Give others permission to sensitive data.
 Securely delete sensitive data after use, by moving the data to
the Shredder folder.
5
Guidelines & Procedures When Working With Sensitive Data
Overview
PA-DSS Requirement 1.1.5 indicates that any sensitive authentication
data used for troubleshooting must be stored in an encrypted
format and once the issue is resolved it must be immediately
deleted in a secure manner.
Sensitive authentication data includes magnetic stripe data, card
validation codes/values, PINs, and card account numbers.
It will be critical you follow these guidelines and procedures.
6
Guidelines & Procedures When Working With Sensitive Data
Process
When working with sensitive data you will:
1. Collect the data – only collect sensitive data when it is necessary
to resolve the specific problem.
2. Store the data in the EncryptedArea folder.
3. Once you have resolved the issue, you will MOVE (not copy) the
information into the Shredder folder.
NOTE: If the data needs to be given to someone else you will MOVE
(not copy) the data to the appropriate secure user’s folder.
7
Guidelines & Procedures When Working With Sensitive Data
Access To The EncryptedArea Folder
Your Supervisor has requested you have access to the EncryptedArea
folder.
This is a designated Secure Storage area to save sensitive data – THIS
INFORMATION MUST NOT BE SAVED ANYWHERE ELSE.
Do not save sensitive data on the local drive of any computer.
Do not use any type of external storage device to store sensitive data.
8
Guidelines & Procedures When Working With Sensitive Data
Set Up
The set up is very easy. The purpose for the set up is for the Secure
Server to issue a private key for the user.
All that is required is for you to log on to the Secure Server and then
move a test file into the EncryptedData folder. The first time you
move a file into this folder a private key will be created. This key
will identify you to the server.
The following slides give you the steps for creating your Private
Encryption Key.
9
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
Click on:
• My Computer
• Tools
• Map Network Drive
• Check to see if your S
drive is mapped to:
\\vfiwvsecserv1\secarea
If yes - you are set.
If no – you will need to
map the drive.
10
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
To Map the drive:
1. Select the S
Drive.
11
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
2. In the folder field type: \\vfiwvsecserv1\secarea
3. Click on Finish
12
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
The EncryptedData Folder has now been mapped.
13
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
Open the
EncryptedData
folder and find
the TEST folder.
Find a file (any file
will do), Hold the
SHIFT key down
and MOVE the
file into the Test
Folder
14
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
You now have created a Private Encryption Key that identifies you on
the Secure Server.
15
Guidelines & Procedures When Working With Sensitive Data
Steps to Set Up a Private Encryption Key
To ensure your Private Encryption Key do the following:
1. Open the TEST folder.
2. RIGHT click on the File you moved to the TEST folder and select
Properties.
3. On the General Tab select Advanced.
4. Then select Details.
5. You should see your name.
16
Guidelines & Procedures When Working With Sensitive Data
When & How to Use
When working on a case that includes sensitive data you MUST save
these files to the EncryptedData Folder.
For each case make a folder using the Case Number. Then MOVE all
sensitive data into this folder.
NOTE: When moving the file(s) over you MUST hold down the SHIFT key,
then move and drop the files. Failure to do so will result in leaving
the original file in the original folder and a copy will be in the other
folder. This is a violation of PCI-DSS requirements.
17
Guidelines & Procedures When Working With Sensitive Data
When & How to Use
After moving the file(s) to the folder, if you need others to be able to access
the data you will need to give them permission. You must give permission
only to the users who have need to access this information for this case.
Assigning permissions to anyone else is a violation of the PCI/PA-DSS
requirements. To give user permission to the data do the following:
1. RIGHT click on the File and select Properties.
2. Click on Advanced.
3. Click on Details.
4. Click on the Add Button. If the person is in the list, highlight the name and
click on OK. If you do not find the person do the following:
1. Click on Find User, enter the person’s email address and click on the OK Button.
2. Highlight the person’s name and click on the OK button.
NOTE: You can only add one person at a time.
18
Guidelines & Procedures When Working With Sensitive Data
Shredder Folder
Once the sensitive data is no longer needed it is critical the data be securely
destroyed.
This is accomplished by using the Shredder Folder.
Pressing the SHIFT key, MOVE the file(s) to the Shredder Folder.
Every hour the server will securely delete files in this folder.
If a file in any other folder has not been accessed for 60 days, it will be
automatically moved to the Shredder Folder and then securely deleted.
19
Guidelines & Procedures When Working With Sensitive Data
WorkFlow
The following is the entire workflow depicting the life-cycle
for sensitive data.
1. The HelpDesk Agent uploads application artifacts directly to the Encrypted
storage. These artifacts must not be saved anywhere else.
2. The HelpDesk Agent reviews the case and performs further troubleshooting.
If escalation is needed, the HD Agent assigns access permission to the ESG
Agent and escalates the case for further troubleshooting. If the escalation is
not needed, the HD Agent must immediately drag the application artifacts
to the Shredder.
3. The ESG agent reviews the case and performs further troubleshooting. If
escalation is needed, the ESG Agent assigns permission to the Project
Manager and escalates the case to the Project Manager for further
troubleshooting. If the escalation is not needed, the ESG Agent must
immediately drag the application artifacts to the Shredder.
20
Guidelines & Procedures When Working With Sensitive Data
WorkFlow
4. The Project Manager reviews the case. If developer’s involvement is needed,
the Project Manager assigns permission to the developer and escalates the
case to the developer. If the escalation is not needed, the Project Manager
must immediately drag the application artifacts to the Shredder.
5. The developer reviews the case, previous troubleshooting efforts and
resolves the issue. Once the troubleshooting is concluded, the developer
must immediately drag the application artifacts to the Shredder.
21
Guidelines & Procedures When Working With Sensitive Data
Conclusion
PCI-DSS compliancy is everyone’s responsibility.
By following these procedures you will ensure sensitive data is not compromised
and remains secure providing a solution for VeriFone customers while
maintaining the integrity of the data.
22
Related documents
The Four Functions of the Computer
The Four Functions of the Computer
Cereal Box Project
Cereal Box Project
Travels, Initiatory journeys, exile
Travels, Initiatory journeys, exile
Math Workshop - Mrs. Marino's Teachery
Math Workshop - Mrs. Marino's Teachery
Computer Entry Exam Topics The exam contains 40 multiple
Computer Entry Exam Topics The exam contains 40 multiple
PREPARATION - CyberChimp
PREPARATION - CyberChimp
Creating a Contact Sheet in Adobe Bridge CS6
Creating a Contact Sheet in Adobe Bridge CS6
10 Tips For Effective Email Management
10 Tips For Effective Email Management
Final Exam Review
Final Exam Review
Subatomic Structure and Nuclear Stability Graphing
Subatomic Structure and Nuclear Stability Graphing
Download
advertisement