PCI Compliance - WordPress.com

An introduction and overview of:
• An overview of PCI-DSS
• What is required of you as an employee of the City of Eden Prairie
• Potential issues facing the security of information
• Necessary steps to protect cardholder data
• Information Security is part of your responsibility

If you see this image on a slide, the
information is very technical in nature…
we’ll breeze through it for most employees.
IT employees will focus on this information.
Payment Card Industry
Data Security Standard

Purpose
• To educate staff on what security measures must be taken to protect the private information of individuals during any transaction occurring with the use of a credit card or paycard (i.e. Visa, Mastercard, etc.).

Includes:
• terms you might need to know
• your responsibilities
• vulnerabilities of which you should be aware
• knowledge you need to help protect cardholder data.
• Standards used by all card brands to ensure the security of the cardholder data related to credit, debit and electronic payment cards.
• A set of association mandated requirements for the handling of credit card information, classification of merchants, and validation of merchant compliance.


• Originally developed by Mastercard and Visa through an alignment of security requirements
  - MasterCard Site Data Protection (SDP)
  - Visa Cardholder Information Security Plan (CISP)
• Formation of the PCI Security Standards Council
  - September 2006
  - American Express, Discover Financial Services, JCB, MasterCard and Visa
• Current version, 3.0 released in November of 2013

The payment card industry and merchants lose
billions of dollars each year to fraudulent charges
from stolen cards, card numbers and personal
identity theft.

The negative public exposure of a reported security
breach can cost an organization millions of dollars
for even one incident.

For consumers, it helps reduce identity theft. If not
prevented, it can cost an individual thousands of
dollars and countless hours to correct. The most
common type of identity theft is credit card fraud.

Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
• Requirement 3: Protect stored cardholder data.
• Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software.
• Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know.
• Requirement 8: Assign a unique ID to each person with computer access.
• Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data.
• Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security.

In addition to the previous security standards, merchants and transaction processors are classified into four categories:
• Level 1 – Processes 6 million transactions or more per year; or any merchant that has experienced a breach that resulted in compromised account data.
• Level 2 – Merchants that process between 150,000 and 6 million transactions per year.
• Level 3 – Merchants that process between 20,000 and 150,000 transactions per year.
• Level 4 – Merchants with fewer than 20,000 transactions per year.

The lower the classification level number, the higher the level of security that must be maintained.
What merchant level do you think the City of Eden Prairie is today?
In addition to personnel training, PCI requires that merchants and service providers undergo periodic reviews of their organizational security.

There are three aspects to these reviews to be validated as PCI compliant:
• Annual on-site security audits
• Annual self-assessment questionnaire
• Quarterly external network scans

MasterCard and Visa require the largest
merchants (level 1) and service providers
(levels 1 and 2) to have a yearly on-site
compliance assessment performed by a
certified third-party auditor.
In lieu of an on-site audit, smaller
merchants (levels 2, 3 and 4) and service
providers (level 3) are required to complete
a self-assessment questionnaire to
document their security status.
All merchants and service providers are
required to have external network security
scans performed quarterly by a certified
third-party vendor. Scan requirements are
rigorous. All 65,535 ports must be scanned,
all vulnerabilities detected of level 3-5
severity must be remediated, and two
reports must be issued—a technical report
that details all vulnerabilities detected with
solutions for remediation, and an executive
summary report with a PCI-approved
compliance statement suitable for
submission to acquiring banks for
validation.
Requirement 1: Install and maintain a firewall configuration to
protect cardholder data.

Firewall and router standards should include:
• A formal process for testing and approving any network connections or changes.
• A network diagram that identifies ALL connections between cardholder data and any other system or networks (including wireless).
• Required firewalls at each Internet connection.
• Required firewalls between any DMZ and the internal network zone.
• A description of all groups and roles for network component management.
• Documentation showing justification and business need for ALL services, protocols and open ports.
• Documentation of the security features of any services, protocols and open ports.
• A schedule to review firewall and router rule sets at least every six months.

Firewalls and routers should be configured so that they restrict connections between any system component in the cardholder environment and untrusted networks.
• Only allow traffic (inbound or outbound) that is necessary for the cardholder environment. Deny all other traffic.
• Secure and synchronize all configuration files.
• Install perimeter firewalls between all wireless networks and the cardholder environment. Deny all unnecessary traffic.

All public access from the Internet to system components in the cardholder environment should be prohibited. Safeguard steps should include:
• Limiting inbound traffic by implementing a DMZ.
• IP address restrictions limiting inbound traffic to authorized DMZ addresses.
• Denying any direct connections between the Internet and system components within the cardholder environment.
• Implementation of anti-spoofing measures: block all forged source IP addresses from accessing the network.
• Blocking any unauthorized outbound traffic originating from the cardholder environment.
• Utilizing dynamic packet filtering to only allow "established" connections into the network.
• Placing any system component that stores cardholder data on the internal network zone, separate from the DMZ or any untrusted networks.
• Protecting component IP addresses from any unauthorized distribution or disclosure.

Mobile and Employee Owned Devices
Any device that connects to the network but is also used to access the Internet when outside the network MUST have personal firewall software installed. Personal firewall software should be:
• Actively running at all times.
• Configured to the PCI DSS standards defined by the organization.
• Unable to be changed or disabled by the user.

Documentation
Document all policies, procedures, and configurations needed for managing
firewalls, routers and system components.
Make sure that the documentation remains up to date and is available for any
personnel that need it for their job responsibilities. Conversely, secure this
documentation from unauthorized access.

Network Scans
All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. During a PCI network audit, an external scan will be performed on all 65,535 ports. The scan will identify any vulnerabilities. Two reports should be issued. The first is a technical report that details the vulnerabilities detected as well as the solutions for remediation. The second report is an executive summary that outlines the process performed, the findings and the solutions applied, along with a PCI approved compliance statement.
Which of these statements is FALSE when configuring a PCI-compliant network?
A) Any cardholder databases should be placed in internal network zones (layered).
B) Unrestricted wireless networks should be used to reduce backbone traffic.
C) Dynamic packet filtering should be used to allow only “established” connections.
D) Router and firewall configuration files must be protected at all times.

As a matter of fact, wireless networks should be outside the perimeter firewalls, encrypted and require appropriate authentication.
Requirement 2: Do not use vendor-supplied defaults for
system passwords and other security parameters.

One of the first things a hacker may try is the use of default passwords for popular security devices, systems or software. Default passwords should be changed before the installation of a device on the network. The passwords should conform to best practice standards of the following:
• Use at least ten (10) characters for Administrator passwords.
• Utilize both letters and numbers.
• Use special characters, if possible.
• Use upper- and lower-case letters, if possible.
• Do not use words found in the dictionary.
• Combine misspelled words or phrases.
• Do not use familiar names.
• Avoid using commonly known facts about yourself.
Other Passwords
If you are a System Administrator, it is your responsibility to create strong passwords for
other accounts on the system. Do not use any default passwords such as “welcome” or a
combination of the user’s last or first name and/or initials. Use the tips on the previous page
when creating new account passwords.
Configuration Standards

Each server should have ONE primary function (i.e. Web server, DNS, database
server).

Develop, test and document standards for all system components.

Standards should address all known security vulnerabilities and should also be
reviewed and updated at least every six months or as new vulnerabilities are
discovered.

Sources for security standards include:
• ISO - International Organization for Standardization
• NIST - National Institute of Standards and Technology
• CIS - Center for Internet Security
• SANS - SysAdmin, Audit, Network, Security
As with routers and firewalls, system components should only have required services and
protocols configured and running.
Remove all unnecessary functionality such as scripts, drivers, features and services.
Any administrative access that is not performed directly at the console should be encrypted
using VPN, SSH or SSL/TLS.
Requirement 3: Protect stored cardholder data.
• Minimize cardholder data storage by implementing data storage, retention and disposal policies, procedures and processes.
• Limit data storage to what is necessary for business requirements or what is required legally via laws or regulatory requirements.
• Securely delete or dispose of data as soon as it is no longer needed.
• Review data that is retained quarterly to identify anything that exceeds defined retention needs.
Data Element                          Storage Permitted   Protection Required   PCI DSS 3.4 Required
Cardholder Data
  Primary Account Number (PAN)        Yes                 Yes                   Yes
  Cardholder Name                     Yes                 Yes *                 No
  Service Code                        Yes                 Yes *                 No
  Expiration Date                     Yes                 Yes *                 No
Sensitive Authentication Data **
  Full Magnetic Stripe                No                  n/a                   n/a
  CVC2/CID                            No                  n/a                   n/a
  PIN/PIN Block                       No                  n/a                   n/a

* These elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS required standards.
** Sensitive authentication data must not be stored subsequent to authentication (even if encrypted).
Cardholder Information Storage

Sensitive authentication data must NEVER be stored after the transaction authorization
process. These data items include the full magnetic stripe, the card validation code (CVC or
CID), or the PIN or encrypted PIN block. Storage of these data elements is strictly forbidden,
even in encrypted form.

Data elements that can be stored include the Primary Account Number (PAN), the cardholder
name, the service code and the expiration date. While these items are permitted to be stored,
they must be protected at all times. The PAN must be rendered unreadable through the use
of cryptography, strong one-way hash algorithms, or truncation.

In addition, anytime the PAN is displayed or printed (point of sale receipt) the full number
must not be shown and should be masked.

Example: **** **** **** 2936
Other data elements must also be stored in protected form if stored with the PAN.
Do NOT store the card verification code (CVC/CID/CAV2, etc.) used to verify card-not-present
transactions.
Do NOT store the PIN or even the encrypted PIN block.
Which of these items should NOT be stored after a credit card transaction?
A) PIN
B) Magnetic Stripe Data
C) CVC/CID
D) Encrypted PIN Block
E) All of the above

All of these items are sensitive in nature and should not be stored after the transaction.
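As an added example (not from the City's training deck or from any PCI tooling), the following Python sketches the storage rules above: sensitive authentication data is dropped before anything is written, and the PAN survives only as a keyed one-way hash plus the masked form shown on the slide. Field names, the sample transaction and the key are constructed assumptions.

```python
import hashlib
import hmac
from typing import Any, Dict

# Sensitive authentication data: never stored after authorization, even
# encrypted (page table: full magnetic stripe, CVC2/CID, PIN/PIN block).
# Field names are assumptions for this example.
SENSITIVE_AUTH_FIELDS = {"track_data", "cvc", "pin", "pin_block"}


def pan_digits(pan: str) -> str:
    """Strip spaces/dashes and check the length is plausible for a PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan: str) -> str:
    """Display/print form: only the last four digits are shown, grouped in
    fours, which gives the slide's example "**** **** **** 2936"."""
    digits = pan_digits(pan)
    masked = "*" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


def hash_pan(pan: str, secret_key: bytes) -> str:
    """Stored form: a keyed one-way hash (HMAC-SHA256) of the full PAN.
    An unkeyed hash of a 16-digit number can be brute-forced, so the key
    must itself be protected under the key-management rules (assumption:
    the caller obtains it from the key store)."""
    return hmac.new(secret_key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


def to_storable_record(txn: Dict[str, Any], secret_key: bytes) -> Dict[str, Any]:
    """Build the record allowed to be written after authorization: SAD fields
    are dropped entirely, the PAN is replaced by its keyed hash plus masked
    form, and all other fields are carried through unchanged."""
    record: Dict[str, Any] = {}
    for key, value in txn.items():
        if key in SENSITIVE_AUTH_FIELDS:
            continue  # storage forbidden even in encrypted form
        if key == "pan":
            record["pan_hash"] = hash_pan(value, secret_key)
            record["pan_masked"] = mask_pan(value)
            continue
        record[key] = value
    return record


def contains_sensitive_auth_data(record: Dict[str, Any]) -> bool:
    """Final check before writing: True if any SAD field is still present."""
    return any(key in SENSITIVE_AUTH_FIELDS for key in record)


# Constructed sample transaction (not a real card) for demonstration.
SAMPLE_TXN = {
    "pan": "4000 1234 5678 2936",
    "cardholder_name": "A. Cardholder",
    "expiration_date": "12/16",
    "cvc": "123",
    "pin_block": "0123456789abcdef",
    "amount": "42.00",
}

if __name__ == "__main__":
    key = b"constructed-demo-key"  # would come from the key store
    stored = to_storable_record(SAMPLE_TXN, key)
    print(stored)
    print("SAD leaked:", contains_sensitive_auth_data(stored))
```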

If encryption is used to protect cardholder information, the following requirements apply:
• Restrict access to keys to the fewest people necessary.
• Store keys securely.
• Generate strong keys.
• Change keys at least annually, if not more frequently.
• Properly destroy old keys.
• Immediately replace any key that is known or suspected of compromise.
• Have key custodians sign a policy form acknowledging their responsibilities.
• Fully document the processes for each of the items above.
• If disk encryption is used instead of file or column-level database encryption, then access must be managed separately and independently of operating system authentication and access control.
• Key protection procedures must be implemented and documented.
• Key management and access must be limited to as few personnel as possible on an as-needed basis only.
• Keys must be stored utilizing one (or more) of the following forms at all times:
  - Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key (this key must be stored separately from the data-encrypting key);
  - Within a separate and secure cryptographic device; and/or
  - As at least two full-length key components or key shares (in accordance with industry accepted methods).
Important: Store cryptographic keys in the fewest possible locations.
Cardholder information storage should be for the minimum time necessary
for the business function or for legal/regulatory compliance purposes. A
policy should be developed to outline the data retention period and disposal
policy and procedure.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Transmitting any information across a public network such as the
Internet can allow its interception or modification by hackers.

Encrypt any sensitive information and use secure protocols such as
SSL/TLS and IPSEC (Internet Protocol Security). This will help
safeguard cardholder information that must be transmitted.

• Never send a PAN via unencrypted e-mail.
• Do not use WEP to protect cardholder information transmitted on a wireless network. Instead, use IEEE 802.11i standardized methods such as WPA2.
• Never send unprotected PANs via unsecured and unencrypted methods such as e-mail, instant messaging or chat applications.
• All security policies and/or procedures for encrypting transmissions of cardholder data should be fully documented, implemented and known to all affected parties.

Did you know?
LTE (Long-Term Evolution), GSM (Global System for Mobile communication), WiFi (wireless networks) and GPRS (General Packet Radio Service) are also forms of public networks.
Requirement 5: Protect all systems against malware and
regularly update anti-virus software or programs.

With the dawn of e-mail, it quickly became the vehicle of choice for virus distribution. Now, virus authors are also creating malicious code that can be distributed through other means such as seemingly innocuous web sites, mini-applications such as games and even graphic pictures. Because of these vulnerabilities, it is important to maintain effective and up-to-date anti-virus software.

Deploy Anti-Virus Software on All Systems
Every personal computer, server or any other machine that could be infected within our networks must have our standard anti-virus software installed before it is allowed to be connected to the network.
• Ensure that all anti-virus software is actively running, includes current updates and can produce an audit log, if necessary.
• It is important that anti-virus programs cannot be disabled by end-users.
Requirement 6: Develop and maintain secure systems and
applications.
Hackers will attempt to gain access to a network or system by utilizing
vulnerabilities in software applications. We must maintain our applications
at the highest level of security possible.

Commercial Software
It would be nice if all software was fully secure before release, but we all
know that is almost never the case. Therefore, vendors release patches or
updates when new vulnerabilities are discovered.
A security patch is considered safe to install once it has been evaluated and
tested to ensure it does not conflict with any other software or security
configurations.
It is imperative that all software and system components have the latest
security patches deemed safe. The PCI Security Standards Council
recommends that these should be installed within one month of release.

New Vulnerabilities
We must be on constant watch for new vulnerabilities. There are many
sources for this type of information. There are many industry newsletters or email lists available that can help. Subscribe to e-mail alerts from organizations
such as SANS and CERT. Some of the information security magazines also
offer e-news or alerts as well. System vendors may also have e-mail alert
lists. Be sure to ask if this is available as it could be the earliest warning
available. Our security standards should be updated as new vulnerabilities
are discovered.
There are a number of things to keep in mind when developing our own software. Security vulnerabilities can be kept to a minimum by following industry best practices. These measures include:
• Separate environments for development, test and production.
• Separation of duties between development, test and production.
• Secondary review of all code for possible vulnerabilities.
• Never use real data (PANs) for testing.
• Remove all test data before moving to production.
• Remove any test accounts or passwords before moving to production.
When moving to production, start with a
clean account list. Test accounts or
passwords that remain could provide
unauthorized access.
Applications should be developed in a
separate environment from testing and
production. Similarly, once developed,
applications should be tested in a separate
environment so as not to affect live data
(production) or the development area. And
of course, development and testing should
NEVER be done on any system in the
production environment or even connected
to production systems or networks.
The application development team should not take an active part in the production deployment.
Someone other than the development group
should review each application or
application change. This third party process
helps ensure that vulnerabilities have not
slipped into the development process. An
extra set of eyes always helps!
Use mock-up data for testing. Never use
live PANs or account information.
Be sure to remove all test data before
moving to production. This will help protect
the integrity of the application data.

Protection Against Known Attacks
Developers should be trained in secure coding practices and be continually updated on
new vulnerabilities and secure coding techniques.
All custom developed web-based applications should be reviewed by an outside
organization that specializes in application security. They will help determine if any
known vulnerabilities exist in the code.
An application layer firewall should be installed between any web-based applications
and the Internet.

Change Control
Almost every application developed evolves at some point. It is important that these changes occur with a formal and controlled process, including:
• Code changes must be reviewed by someone other than the originating code author;
• Code reviews ensure code is developed to secure code guidelines;
• Sign off by the appropriate management;
• Testing the change(s);
• Documenting the change request and the impact it will have; and
• Complete back-out procedures.
Requirement 7: Restrict access to cardholder data by
business need-to-know.
Cardholder information should only be accessible to those
individuals who need it to perform their job.
Default access rights to cardholder data should be “Deny All”
unless a user or group is specifically allowed. This access should
be reviewed periodically for “need to know” applicability.

Access Control
• Assign access based on individual personnel job function.
• All access requests should be reviewed and approved by authorized parties.
• Access restrictions should cover all system components.
• Security policies and procedures should be developed for requesting, granting, revoking and documenting all access. These policies should be known to and readily available to all affected parties.
As with all systems, unique access identification provides control and accountability. PCI DSS provides strict requirements for system account or ID creation.
For local system access, each user should be assigned a unique user account or ID. Each ID is required to employ at least one of the following for authentication:
• Strong passwords
  - Minimum of eight characters
  - Utilize both upper- and lower-case letters
  - Utilize both letters and numbers
  - Use special characters, if the system permits
• Biometrics
  - Fingerprints
  - Retinal or Iris scan
  - Facial Scan
  - Voice recognition
• Token devices
  - SecureID
  - Certificates
  - PKI
PCI DSS provides stringent requirements for account and password management. These
apply to all non-consumer users as well as administrator accounts.

PCI DSS specifies that we:
• Properly manage and control the addition, deletion or modification of user IDs.
• Verify user identity before processing password reset requests.
• Utilize unique passwords during account/password creation or subsequent password changes.
• Immediately remove access for terminated users.
• Review and remove inactive accounts at least every 90 days.
• Require strong passwords:
  - Minimum of 8 characters utilizing upper- and lower-case letters, numbers and special characters (if the system permits).
• Users should be prohibited from re-using a password for four (4) password change cycles.
• Limit invalid login attempts to six, then lock the account for a minimum of 30 minutes (or admin reset).
• Disconnect login sessions that have been inactive for more than 15 minutes. Password required to re-activate the connection.
• All cardholder database access must be authenticated, including users, administrators and applications.
• Use strong cryptography and/or render all authentication credentials unreadable during transmission and storage on all systems.
• Verify user identity before modifying any authentication credential (i.e. password resets, generating new keys).
• Set passwords/phrases for first-time use and upon reset to a unique value for each user and require a password/phrase change at first use.
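The account rules above, worked through in Python as an added example rather than the deck's own material: the complexity checks, the four-cycle re-use rule, the six-attempt lockout for 30 minutes (or admin reset), first-use password change, and the 15-minute idle timeout. The Account structure, user IDs, passwords and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import hashlib
import secrets

# Limits taken from the page's PCI DSS account requirements.
MIN_LENGTH = 8                        # minimum of 8 characters
HISTORY_DEPTH = 4                     # no re-use within four change cycles
MAX_FAILED_ATTEMPTS = 6               # lock after six invalid attempts
LOCKOUT = timedelta(minutes=30)       # locked for at least 30 minutes
IDLE_TIMEOUT = timedelta(minutes=15)  # disconnect sessions idle longer than this

# (check, message) pairs: upper/lower case, digits and special characters.
RULES = [
    (lambda p: len(p) >= MIN_LENGTH, "fewer than %d characters" % MIN_LENGTH),
    (lambda p: any(c.islower() for c in p), "no lower-case letter"),
    (lambda p: any(c.isupper() for c in p), "no upper-case letter"),
    (lambda p: any(c.isdigit() for c in p), "no digit"),
    (lambda p: any(not c.isalnum() for c in p), "no special character"),
]

def password_policy_violations(password: str) -> List[str]:
    """Rules the candidate password breaks; an empty list means it complies."""
    return [msg for ok, msg in RULES if not ok(password)]

def _digest(password: str, salt: bytes) -> str:
    """Credentials are stored unreadable: salted PBKDF2-SHA256, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

@dataclass
class Account:
    user_id: str
    salt: bytes
    history: List[str]                  # digests, oldest first; last one is current
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    must_change: bool = True            # first-time/reset value is changed at first use
    last_activity: Optional[datetime] = None

def create_account(user_id: str, first_time_password: str) -> Account:
    """Each user gets a unique first-time value that must be changed at first use."""
    salt = secrets.token_bytes(16)
    return Account(user_id, salt, [_digest(first_time_password, salt)])

def change_password(acct: Account, new_password: str) -> List[str]:
    """Apply the policy and the four-cycle history rule; empty list means changed."""
    problems = password_policy_violations(new_password)
    new_digest = _digest(new_password, acct.salt)
    if new_digest in acct.history[-HISTORY_DEPTH:]:
        problems.append("re-used within the last %d changes" % HISTORY_DEPTH)
    if not problems:
        acct.history.append(new_digest)
        acct.must_change = False
    return problems

def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Returns "locked", "failure", "success" or "success_must_change"."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    if secrets.compare_digest(_digest(password, acct.salt), acct.history[-1]):
        acct.failed_attempts, acct.locked_until, acct.last_activity = 0, None, now
        return "success_must_change" if acct.must_change else "success"
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked_until = now + LOCKOUT   # cleared by time or by admin_unlock()
        acct.failed_attempts = 0
        return "locked"
    return "failure"

def admin_unlock(acct: Account) -> None:
    """Administrator reset lifts the lockout before the 30 minutes elapse."""
    acct.locked_until, acct.failed_attempts = None, 0

def session_active(acct: Account, now: datetime) -> bool:
    """False once the session has been idle for more than 15 minutes."""
    return acct.last_activity is not None and now - acct.last_activity <= IDLE_TIMEOUT

def run_scenario() -> Dict[str, object]:
    """Walk one constructed account through the rules; also used by the test."""
    t0 = datetime(2014, 3, 3, 9, 0, 0)
    acct = create_account("jdoe", "Temp-Pass1")
    out: Dict[str, object] = {"first_login": authenticate(acct, "Temp-Pass1", t0)}
    out["weak_rejected"] = password_policy_violations("password")
    out["reuse_blocked"] = change_password(acct, "Temp-Pass1")
    out["change_ok"] = change_password(acct, "Spring#2014x")
    attempts = [authenticate(acct, "wrong", t0 + timedelta(seconds=i)) for i in range(6)]
    out["sixth_attempt"] = attempts[-1]
    out["still_locked"] = authenticate(acct, "Spring#2014x", t0 + timedelta(minutes=29))
    out["after_lockout"] = authenticate(acct, "Spring#2014x", t0 + timedelta(minutes=31))
    out["idle_ok"] = session_active(acct, t0 + timedelta(minutes=45))
    out["idle_expired"] = session_active(acct, t0 + timedelta(minutes=47))
    return out

if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, "->", value)
```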
Requirement 9: Restrict physical access to
cardholder data

Systems or printed reports that contain cardholder
information must be physically secured at all times.
Physical access must be controlled and provided
based on job requirements. Uncontrolled access
could provide the opportunity for unauthorized
viewing, manipulating or even theft of this sensitive
data.

PCI DSS requires that video surveillance be utilized
to monitor areas containing cardholder systems or
work areas where this information may be handled
or processed. The video media must be retained for
at least three months unless otherwise restricted by
law.

Never allow public access to wired network jacks or
wireless access points for networks that connect to
cardholder systems.



Data should be classified and labeled so it can be
handled adequately. Any information that is
considered sensitive should be given appropriate
status and labeled as such. This classification would
include any form cardholder information. Any media
(electronic or paper) that contains classified
information should be physically secured, logged and
tracked.
Any classified media transport should be performed
through a secured courier that can be accurately
tracked.
Any storage or access to media with cardholder
information should be strictly controlled and
monitored.

“Confidential data on individuals” is inaccessible
to the public or to the individual subject of the data.

“Private data on individuals” is inaccessible to the
public, but is accessible to the individual subject of
the data.

“Protected nonpublic data” is data not on
individuals that is inaccessible to the public or the
subject of the data, if any.

“Nonpublic data” is data not on individuals that is
inaccessible to the public, but accessible to the
subject of the data, if any.
In which classification category does credit card data belong?

Any form of device or media that contains cardholder information must be secured and tracked at all times. This includes:
• Computers
• Mobile Devices
• Portable Media
• Paper files, reports or receipts
Physically secure any paper- based media
that contains cardholder information.
Ensure that these items are also properly
destroyed when discarded.
Computers should be physically secured to
the work area, if possible. Each device
should have an asset tag or ID tag. There
should be an auditable log of to whom each
device is assigned.
PDAs and other devices that could contain
cardholder information should be reviewed
for necessity in the workplace. If deemed
necessary, these devices need to adhere to
the access and encryption standards for
PCI DSS. A strict inventory and control
system should be put in place prior to
distribution or use. They should be
physically secured at all times when not in
use.
As with mobile devices, the use of portable
media should be thoroughly reviewed for
necessity before being implemented. If
deemed necessary, these devices need to
adhere to the access and encryption
standards for PCI DSS. A strict inventory
and control system should be put in place
prior to distribution or use. They should be
physically secured at all times when not in
use.

It is important to be able to quickly identify and tell
between employees and visitors. Access control
badges are a good example of this type of system.

Be sure that visitor access is only granted after
verified authorization. Access badges should be
dated, logged and provided for a specified and
expiring time period. The badges should be visible
at all times and must be returned to the controlling
authority, prior to leaving the physical premises.

All access should be logged for audit and investigation purposes, if necessary. These logs should be maintained for at least 3 months.

Proper disposal of classified or sensitive information is essential to its security. Paper media should be either shredded using a crosscut shredder, incinerated, or pulped. (See: Records Destruction Form)

Electronic media should be purged,
degaussed or otherwise destroyed so as
to not be re-constructable.

PCI DSS Section 9.9 is new and states that you should protect devices
that capture payment card data via direct physical interaction with
the card from tampering or substitution.

Maintain an up-to-date inventory of devices. The list should include:
• Make and model of device
• Location of device
• Device serial number or other unique identifier

Devices should be periodically inspected for signs of tampering or
substitution. Look for indications of changed security labels, attached
cables, broken casing, etc.

Train personnel to be aware of attempted tampering or device
replacement.

This includes being aware of suspicious behavior of individuals near
devices, verifying anyone attempting to "repair" or "maintain" devices,
and reporting any such suspicious behavior to the appropriate
personnel (supervisor or security officer).
Requirement 10: Track and monitor all access to network
resources and cardholder data.
System logs that document user access and activities are
imperative in the event that cardholder information is compromised.
PCI provides strict rules for the implementation of these logs.
Audit Logs
For potential investigative purposes, an automated audit log facility should be implemented to identify:
• Individual user access to cardholder data.
• Any action by a user with root or admin access.
• Access to audit logs.
• Invalid access attempts.
• Use of ID and authentication.
• Initialization, stopping or pausing of audit logs.
• Creation and/or deletion of system-level objects.
Forensic investigation is often the only method available for
identifying the cause or origin of a security breach. It is important
that as much information be recorded as possible to help this
process.

For each type of event, a minimum of the following items should be recorded:
• Type of event
• Date and time
• Success or failure message
• User identification
• IP address or other indicator of event origin
In addition, to accurately track events, all system clocks should
be synchronized.
Because your audit trail may be your only evidence in the event of a breach, it is important
that this information be safeguarded accordingly.

The viewing of audit logs should be limited to job function. There should not be any
unauthorized modification or deletion of the audit logs. Also, backup the audit logs to a
central location (if possible) and use a media platform that is not easily altered, such as
optical disk or tape.

It is also important to track wireless network access. These logs should be copied to a
server on the physical LAN.

Use some form of file integrity checking to ensure that no unauthorized changes take
place.
Log Review and Accessibility

Logs should be reviewed at least daily for each system component. When reviewing the logs, be sure to include security function servers such as intrusion detection or authentication (i.e. RADIUS).

Logs should be available to authorized individuals for online access for at least three
months. Retain all logs for a total of at least one year.
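An added example (not from the deck) of what a daily review of Requirement 10 logs can look like in Python: each constructed entry is checked for the five required fields; invalid access attempts, privileged-user actions, cardholder-data access and audit-trail start/stop events are pulled out for the reviewer; and a hash chain over the lines serves as the file-integrity check, with the digest meant to be kept on the central, hard-to-alter store the page describes. The key=value line format and field names are assumptions.

```python
import hashlib
from typing import Dict, List

# Minimum fields the page requires per event: type, date/time, success or
# failure, user identification, origin (IP address). Key names are assumptions.
REQUIRED_FIELDS = ("ts", "type", "result", "user", "src")
PRIVILEGED_USERS = {"root", "admin"}
# Events that touch the audit trail itself (start/stop/pause, reading the logs).
LOG_CONTROL_EVENTS = {"audit_log_start", "audit_log_stop", "audit_log_pause", "audit_log_read"}

# Constructed sample lines in key=value form (not real logs).
SAMPLE_LOG = [
    "ts=2014-03-03T08:00:01Z type=login result=success user=jdoe src=10.1.2.3",
    "ts=2014-03-03T08:00:05Z type=login result=failure user=admin src=203.0.113.7",
    "ts=2014-03-03T08:00:09Z type=login result=failure user=admin src=203.0.113.7",
    "ts=2014-03-03T08:00:14Z type=login result=failure user=admin src=203.0.113.7",
    "ts=2014-03-03T08:10:00Z type=card_data_access result=success user=jdoe src=10.1.2.3",
    "ts=2014-03-03T08:11:00Z type=audit_log_stop result=success user=root src=10.1.2.9",
    "ts=2014-03-03T08:12:00Z type=login result=failure user=msmith",  # origin missing
]


def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values contain no spaces in this format."""
    entry: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key] = value
    return entry


def missing_fields(entry: Dict[str, str]) -> List[str]:
    """Required fields absent from one parsed entry."""
    return [f for f in REQUIRED_FIELDS if f not in entry]


def daily_review(lines: List[str]) -> Dict[str, object]:
    """What a reviewer needs from one day's log: incomplete entries, invalid
    access attempts per user, privileged-user actions, cardholder data access,
    and any event that started/stopped/paused the audit trail."""
    summary: Dict[str, object] = {
        "incomplete": [], "failed_by_user": {}, "privileged_actions": [],
        "card_data_access": [], "log_control_events": [],
    }
    failed: Dict[str, int] = summary["failed_by_user"]  # type: ignore[assignment]
    for line in lines:
        e = parse_line(line)
        gaps = missing_fields(e)
        if gaps:
            summary["incomplete"].append((line, gaps))  # type: ignore[attr-defined]
            continue
        if e["result"] == "failure":
            failed[e["user"]] = failed.get(e["user"], 0) + 1
        if e["user"] in PRIVILEGED_USERS:
            summary["privileged_actions"].append(e)  # type: ignore[attr-defined]
        if e["type"] == "card_data_access":
            summary["card_data_access"].append(e)  # type: ignore[attr-defined]
        if e["type"] in LOG_CONTROL_EVENTS:
            summary["log_control_events"].append(e)  # type: ignore[attr-defined]
    return summary


def chain_digest(lines: List[str]) -> str:
    """Hash chain over the log: each line is hashed together with the digest of
    everything before it, so altering, reordering or deleting any earlier line
    changes the final value. Keep the result off-host and compare on review."""
    digest = b""
    for line in lines:
        digest = hashlib.sha256(digest + line.encode()).digest()
    return digest.hex()


def integrity_ok(lines: List[str], stored_digest: str) -> bool:
    """True if the log still matches the digest recorded when it was archived."""
    return chain_digest(lines) == stored_digest


if __name__ == "__main__":
    archived = chain_digest(SAMPLE_LOG)
    print(daily_review(SAMPLE_LOG))
    print("integrity:", integrity_ok(SAMPLE_LOG, archived))
```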
Requirement 11: Regularly test security
systems and processes.

New vulnerabilities are being discovered
almost daily. Hackers and security
researchers are continuously looking for
new ways to break into systems. System
updates can also introduce new
vulnerabilities.

Each server, network component, and
software system should be tested
frequently to ensure that security is
maintained.

Test all security controls at least annually
to ensure adequate ability to identify and
to stop unauthorized access attempts.

Use a wireless analyzer to inventory and
identify all wireless devices detected,
whether connected to a network or not.
A hacker does it and so should you! Run internal and external vulnerability scans. Scans must be performed by qualified individuals.
• This should be done at least quarterly or immediately after any system modifications or upgrades.
• Re-scans must be performed if vulnerabilities were identified and corrected.

Quarterly external scans must be done by an Approved Scanning Vendor.
This is a qualified organization or individual approved by the PCI Security Council.

Develop and implement a methodology for penetration testing that
includes the following:
 Is based on industry-accepted penetration testing approaches (e.g. NIST SP 800-115);
 Includes coverage of the entire CDE perimeter and critical systems;
 Includes testing from both inside and outside the network;
 Includes testing to validate any segmentation and scope reduction controls;
 Defines application-layer penetration tests identified in requirement 6.5;
 Defines network-layer penetration tests including components that support
network functions as well as operating systems;
 Includes review and consideration of threats and vulnerabilities experienced in
the last 12 months; and
 Specifies retention of penetration testing results and remediation activities.

External and internal penetration testing must be done at least
annually and after any infrastructure or application changes.

Vulnerabilities found during testing should be corrected and testing
repeated.

All system traffic and activities must be monitored for
intruders. Utilize intrusion detection and intrusion
prevention systems that can alert appropriate personnel
of suspected violations.

Critical system or content files should be monitored for
unauthorized changes. Utilize integrity monitoring
software that can alert appropriate personnel of any
changes. Configure this monitoring system to compare
critical files at least once a week.
 Critical files are typically not changed and a modification could
indicate a compromise. Most integrity monitoring systems come
pre-configured with a list of critical files respective to the related
operating system. Custom application files should be added to
this configuration.
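An added illustration of the integrity check described above (example code, not from the deck or the City's tooling): it records a baseline of SHA-256 digests, sizes and permission bits for a set of critical files, and a later run reports anything modified, re-permissioned or missing. The file names and contents in demo() are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and permission bits for each critical file.
    The baseline itself must be kept where an intruder cannot rewrite it."""
    baseline = {}
    for p in map(Path, paths):
        st = p.stat()
        baseline[str(p)] = {"sha256": file_digest(p), "size": st.st_size,
                            "mode": st.st_mode & 0o777}
    return baseline


def compare_baseline(baseline):
    """Weekly check: return (file, finding) pairs for anything that no longer matches."""
    findings = []
    for name, rec in baseline.items():
        p = Path(name)
        if not p.exists():
            findings.append((name, "missing"))
            continue
        st = p.stat()
        if (st.st_mode & 0o777) != rec["mode"]:
            findings.append((name, "permissions changed"))
        if st.st_size != rec["size"] or file_digest(p) != rec["sha256"]:
            findings.append((name, "content changed"))
    return findings


def demo():
    """Constructed walk-through: two hypothetical critical files, one edited, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        conf, lib = Path(d) / "app.conf", Path(d) / "checkout.so"
        conf.write_text("session_timeout=15\n")
        lib.write_bytes(b"\x7fELF constructed sample")
        base = build_baseline([conf, lib])
        assert compare_baseline(base) == []      # first run after baselining is clean
        conf.write_text("session_timeout=0\n")   # tampering: idle timeout disabled
        lib.unlink()                             # file removed
        return sorted(kind for _, kind in compare_baseline(base))  # ['content changed', 'missing']
```

In production the same compare step runs from a scheduled job and its findings feed the alerting described above.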
Requirement 12: Maintain a policy that addresses information security for employees and contractors.
The backbone of security within any organization is the
security policy. This document sets forth the rules by which
employees, contractors and even vendors must conduct
themselves when it comes to the security of our information
resources.
A good security policy is clear, strong and supports the goals
of the organization. It educates employees about the
importance of information security and most importantly, their
responsibility.
PCI DSS requires that organizations establish, publish and
maintain a security policy. These policies must be
communicated to affected personnel.
Security policies must be reviewed and updated at least
annually or if there are any environmental changes.
The security policy should
address the PCI DSS
requirements, identify
threats and vulnerabilities,
and be reviewed at least
once a year. Security
policies should clearly
identify responsibility areas
for all employees and
contractors.
In addition, the security policy should call for an annual formal risk assessment.

Risk Assessment
 Implement a risk assessment process that is performed at
least annually.
 It should identify critical assets, threats and vulnerabilities.
 Risk assessment methodologies are available from NIST
(SP 800-30), ISO (27005) and others.

Operational Procedures
 Daily operational procedures should be developed to
reflect the requirements of the PCI DSS specifications.
 These procedures should include such things as user
account maintenance, backup practices, log reviews,
physical security, etc.
We are required to create and maintain usage policies for
employee available technologies such as modems and
wireless access. These policies should include:
 Management approval to use;
 Authentication for connection technologies;
 A maintained inventory of the devices and personnel with access;
 Labeling of each device identifying the owner and contact information;
 Acceptable usage;
 Permitted network locations;
 A list of approved products;
 Automatic disconnect configurations;
 Vendor connection guidelines; and
 Local data storage requirements.
Any organization under PCI requirements should designate
an individual or team with the following responsibilities:
 The development and documentation of the organization’s
security policies. These policies should be distributed or made
available to all employees.
 Monitor and review all security alerts. Notify appropriate
personnel as needed.
 Establish and implement a security incident response plan.
These plans should include an escalation procedure for timely
handling of any situation.
 Administer user authentication accounts. This includes adding
new users, modifying existing users, and deleting users.
 Monitor, evaluate and control all access to sensitive data.

Employees that could have access to
volumes of cardholder information
should be screened with background
and criminal checks.
 This is not required for individuals such as
store clerks that only handle one card at a
time, however it is still recommended.

Also evaluate and verify previous
employment.

Speedy response to a system breach
can often reduce the impact of the incident.

Implement a solid incident response plan that addresses
procedures, response personnel, contact information, roles
and responsibilities, business continuity and notification
processes.

Test this plan at least once a year.

Make sure that specific individuals are assigned with alert
monitoring, are available 24/7 and are trained appropriately.

The response team should receive alerts from intrusion
detection, intrusion prevention, file integrity and physical
security systems.
Third Party Data Sharing
 If cardholder information must be shared with a third party
service provider, then a contract should be put in place
requiring that they comply with and adhere to the PCI DSS
standards.

They must also provide an official agreement that they accept
responsibility for the security of the cardholder information.
Connections
 Any service provider or card transaction processor must have
policies in place to manage connected entities. These policies
must include the following:
 Maintain a list of connected entities;
 Ensure proper due diligence is performed before any entity is connected;
 Ensure that each connecting entity is PCI DSS compliant; and
 Establish a procedure for connecting and disconnecting entities.

The Payment Card Industry Data Security Standards
are stringent rules for anyone handling cardholder
information. PCI DSS was developed to help protect
cardholder information, thus preventing financial
losses due to the growth of identity theft and
fraudulent card transactions.
Our customers are trusting us to ensure that their
information is kept secure and to help prevent their
identity theft.
It is our responsibility as a service provider to uphold
these requirements and follow the proper
guidelines.
How many requirements are there for PCI Compliance?
a) Six
b) Twelve
c) Seventeen
d) Too many to keep track
There are 12 requirements for PCI Compliance. (Slides 7 & 8)
PCI Data Security Standards were created to help:
A) Reduce the monetary losses to
companies and consumers.
B) Protect consumers from identity theft.
C) Both A and B
D) Encourage consumers to use cash
E) Make life difficult for retailers and their
IT staff.
The general idea is to protect companies and
consumers alike. (Slide 6)
According to PCI requirements, each server in a cardholder information environment should have:
A) Multiple functions
B) Only one function
C) Stainless steel casing
D) None of the above
Each server should only handle one function in a PCI environment. (Slide 17)
Portable devices, laptops, or other employee-owned equipment on PCI networks do not need to have a personal firewall installed.
A) Sometimes
B) Never
C) Always
Portable devices connecting to a PCI network MUST have a personal firewall installed. (Slide 14)
PCI encryption management requires that you properly _________ old keys.
A) Destroy
B) Distribute
C) Detangle
D) Decrypt
Old keys must be destroyed. (Slide 22)
To protect cardholder information on wireless networks you should use:
A) WEP (Wired Equivalent Privacy)
B) WPA/WPA2 (WiFi Protected Access)
C) Decoder rings
D) None of the above
WPA/WPA2 (Slide 24)
You should always keep your anti-virus software:
A) Installed and running
B) Current and up-to-date
C) Installed but not running
D) Both A and B
Antivirus software should be installed, up to date and running at all times. (Slide 25)
In software development, Separation of Duties means that someone from _______ should not also be part of _______________.
A) Application development / production deployment
B) Burger King / McDonalds
C) Accounting / Finance
D) Marketing / Housekeeping
Team members' responsibilities should be separated for proper checks and balances. (Slide 27)
Systems should be configured to disconnect inactive sessions after:
A) 30 minutes
B) 90 minutes
C) 10 minutes
D) 15 minutes
Only 15 minutes. (Slide 31)
Video surveillance must be utilized to monitor areas containing cardholder systems or work areas where this information may be handled or processed.
A) True
B) False
True. (Slide 32)