Embed Size (px)
Citation preview
BUSINESS OFFICE FORUM
Payment Card IndustryData Security Standard (PCI DSS)
ByRoni Argetsinger
BUSINESS OFFICE FORUMMembers of the PCI Security Standards Council Include: American Express, Discover, JCB, MasterCard & Visa.
Does your organization accept payment or gifts via credit cards? Then you MUST meet some form of PCI DSS Compliance
BUSINESS OFFICE FORUMPrioritized Approach
Help stakeholders understand where they can act to reduce risk. *No single milestone in the Prioritized Approach will provide comprehensive security or PCI DSS Compliance, but following it’s guidelines will help stakeholders to expedite the process of securing cardholder data.
BUSINESS OFFICE FORUMPrioritized Approach
Provides six security milestones that will help merchants & other organizations incrementally protect against the hightest risk factors & escalating threats while on the road to PCI DSS Compliance.
* To achieve PCI DSS compliance, an organization must meet all PCI DSS requirements.
BUSINESS OFFICE FORUMPrioritized Approach Milestones
1: Goal: Remove sensitive authentication data and limit data retention.2: Goal: Protect systems & networks, and be prepared to respond to a system breach.3: Goal: Secure payment card applications.4: Goal: Monitor and control access to your systems.5: Goal: Protect stored cardholder data.6: Goal: Finalize remaining compliance efforts, and ensure all controls are in place.
BUSINESS OFFICE FORUMPCI DSS Requirements
• There are twelve requirements.• Each requirement has sub-
requirements that need to be met to fulfill the requirement.
• The Prioritized Approach maps out which sub-requirements should have a higher priority than others.
• Note: Counting all sub-requirements, there are a total of 229 items that need to be met (depending upon which type of merchant you are!)
BUSINESS OFFICE FORUMPCI DSS Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks.
BUSINESS OFFICE FORUMPCI DSS Requirements
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
BUSINESS OFFICE FORUMPCI DSS Requirements
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
BUSINESS OFFICE FORUMSelf Assessment Questionnaire
SAQ: Validation tool intended to assist merchants & service providers in self-evaluating their compliance with PCI DSS. There are multiple versions of the SAQ to meet various scenarios.
The SAQ Validation tool is for merchants & service providers not required to submit an onsite data security assessment Report on Compliance (ROC).• Keep in mind: Compensating Controls = may be considered for most
PCI DSS requirements where an organization can not meet the technical specification of a requirement, but has sufficiently mitigated the associated risk through alternative controls.
BUSINESS OFFICE FORUMSAQ Form(s)
A = Card not present (eCommerce). All cardholder data functions outsourced (13 pages)
B = Imprint only – no electronic cardholder data storage, or stand-alone dial out terminal merchants with no electronic cardholder data storage (18 pages)
C-VT = Merchants using only web based virtual terminals – no electronic cardholder data storage (26 pages)
BUSINESS OFFICE FORUMSAQ Form(s)
C = Merchants with payment application systems connected to the internet, no electronic cardholder data storage (40 pages)
D = All Others
• I.E. More pages = more questions = more requirements to satisfy!
www.pcisecuritystandards.org
