Presentation transcript:

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes, including Visa, MasterCard, American Express, Discover, and JCB.

Why is PCI DSS Compliance Important?

Being compliant with PCI DSS means that you are doing your very best to keep your customers' valuable information safe, secure, and out of the hands of people who could use that data fraudulently. If card data is lost and the system is not PCI DSS compliant, the company could incur card scheme fines for the loss of this data and may be liable for the fraud losses incurred against these cards and the operational costs of replacing the accounts. Your customers may also not want to do further business with you.

Agenda

1. QPay credit card policy and procedure
2. Overview of PCI DSS
3. Yearly scans and questionnaires
4. What happens if a breach occurs
5. Audits
6. Changes and revisions

Policy and Procedures

- Credit card information access and storage
- Change approval process
- Password policy
- Incident response plan
- Data security policy
- Background checks
- Scans to be performed

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

Credit Card Information Access and Storage

- Do not store card numbers in plain text.
- Hash card numbers using SHA-512 with a salt.
- For reporting purposes, store only the first 6 and last 2 digits in the database.
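The storage rule above, worked through as an added example (this is not code from the original presentation or from QPay): a PAN is normalised, reduced to the first-6/last-2 reporting form, and hashed with salted SHA-512 as the slide prescribes. The block also adds a keyed HMAC-SHA512 variant, which is a practitioner's caveat rather than something the slide states: a per-record salt has to be stored beside the hash, so whoever holds the table can test candidate PANs against it, and because only a handful of digits remain unknown once the truncated form is known, an unkeyed hash of a PAN is cheap to brute-force; PCI DSS v4.0 accordingly moves to keyed cryptographic hashes with managed keys. The keyed form is also the one that supports lookup by PAN, which a per-record salt makes impossible. Function names, the record layout and the sample card numbers (public test numbers) are assumptions.

```python
import hashlib
import hmac
import os
import re

# Example code added to this transcript; it is not QPay's implementation.
# Function names, the record layout and the sample values are assumptions.

PAN_FORMAT = re.compile(r"\d{13,19}")


def normalize_pan(pan: str) -> str:
    """Strip spaces and dashes and require 13 to 19 digits (format check only)."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_FORMAT.fullmatch(digits):
        raise ValueError("PAN must be 13 to 19 digits")
    return digits


def is_valid_pan_format(pan: str) -> bool:
    try:
        normalize_pan(pan)
        return True
    except ValueError:
        return False


def truncate_pan(pan: str) -> str:
    """Reporting form from the slide: first 6 and last 2 digits, the rest masked."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 8) + digits[-2:]


def salted_sha512(pan: str, salt: bytes) -> str:
    """The slide's method: SHA-512 over a random per-record salt plus the PAN.
    The salt has to be stored next to the hash, so anyone holding the table
    also holds everything needed to test candidate PANs against it."""
    return hashlib.sha512(salt + normalize_pan(pan).encode()).hexdigest()


def keyed_sha512(pan: str, key: bytes) -> str:
    """Keyed variant (HMAC-SHA512). The key lives in a key-management system,
    not in the database, so the table alone cannot be brute-forced, and the
    output is deterministic, so a PAN can still be looked up."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha512).hexdigest()


def store_card(pan: str, key: bytes) -> dict:
    """Build the database record: no full PAN, only the truncated form and hashes."""
    salt = os.urandom(16)
    return {
        "pan_display": truncate_pan(pan),
        "pan_salt": salt.hex(),
        "pan_sha512": salted_sha512(pan, salt),
        "pan_hmac": keyed_sha512(pan, key),
    }


def find_record(records: list, pan: str, key: bytes):
    """Look a card up by PAN using the keyed hash; the salted hash cannot be
    used for this because each record carries a different salt."""
    wanted = keyed_sha512(pan, key)
    for rec in records:
        if hmac.compare_digest(rec["pan_hmac"], wanted):
            return rec
    return None


if __name__ == "__main__":
    key = os.urandom(32)  # constructed; in production the key comes from an HSM/KMS
    cards = [store_card("4111 1111 1111 1111", key), store_card("5555-5555-5555-4444", key)]
    print(cards[0]["pan_display"])                                    # 411111********11
    print(find_record(cards, "4111111111111111", key) is cards[0])   # True
```

The record never contains the full PAN, and `find_record` shows the operational reason to keep a keyed hash alongside the slide's salted one: reconciliation and duplicate detection need a deterministic value, while display and reporting use only the truncated form.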

Change Approval Process

Any code change in the application or database must go through the change process:
- Approval from the client
- Approval from the manager
- A change request form is mandatory

Password Requirement

- Group and shared passwords are prohibited.
- Passwords should be at least 8 characters long.
- Passwords must contain alphabetic and numeric characters.
- Passwords should not contain all or part of the user's account name.
- Only the following characters are allowed in password creation:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphabetic characters (!, $, #, %)
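The complexity rules above, implemented as an added example (not code from the presentation or from QPay) so that each rejected password comes back with the rule it broke. The one rule that needs a design decision is "all or part of the user's account name": this version splits the account name on the usual separators and checks parts of three or more characters, the same way Windows evaluates that rule; that tokenisation, the function names and the sample account names are assumptions.

```python
import re

# Example code added to this transcript, not QPay's own implementation.
# The rules are the ones listed on the slide; the tokenisation of the account
# name (parts of three or more characters, as Windows does it) is an assumption.

ALLOWED_CHARS = re.compile(r"[A-Za-z0-9!$#%]*")
MIN_LENGTH = 8


def account_name_tokens(account_name: str, min_len: int = 3) -> list:
    """Parts of the account name that count as 'part of the user's account name'.
    'jane.doe' yields ['jane', 'doe', 'jane.doe']; very short parts are skipped
    because two-letter fragments would reject almost every password."""
    parts = re.split(r"[ .,_\-@]", account_name)
    tokens = [p.lower() for p in parts if len(p) >= min_len]
    if len(account_name) >= min_len:
        tokens.append(account_name.lower())
    return tokens


def check_password(password: str, account_name: str) -> list:
    """Return the list of slide rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        failures.append("no alphabetic character")
    if not re.search(r"[0-9]", password):
        failures.append("no numeric character")
    if not ALLOWED_CHARS.fullmatch(password):
        failures.append("contains a character outside the allowed set")
    lowered = password.lower()
    if any(tok in lowered for tok in account_name_tokens(account_name)):
        failures.append("contains all or part of the account name")
    return failures


if __name__ == "__main__":
    for pw in ["Summer#2024", "jane2024!", "short1", "Pass word1"]:
        print(pw, "->", check_password(pw, "jane.doe") or "accepted")
```

Returning the full list of violations rather than a single boolean lets the enrolment screen tell the user exactly what to fix, and the allowed-character check is written as an allow-list so that anything the slide does not name (spaces, `&`, non-ASCII letters) is rejected rather than silently accepted.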

- Passwords should be stored as a SHA256 hash.
- The current password must not be the same as the previous four passwords.
- A user ID will be locked out after three invalid password attempts. The admin is given the option to unblock the locked account.
- Passwords should be generated using the URL -
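The storage, history and lockout rules above, as an added example (not code from the presentation or from QPay). The slide names SHA256; this block uses PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration count, which is how a SHA-256-based password store should actually be built, since a bare SHA-256 of a password is fast enough to be attacked offline from a leaked table. The four-entry history is read as "the current password plus the three before it", and the class, method names and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Example code added to this transcript, not QPay's implementation. The slide
# names SHA256; this uses PBKDF2-HMAC-SHA256 with a random salt and many
# iterations, which is how a SHA-256-based password store should be built.
# Class and method names and the iteration count are assumptions.

ITERATIONS = 100_000   # raise for production; kept modest so the demo runs quickly
HISTORY_SIZE = 4       # current password plus the three before it: the "previous four"
MAX_FAILURES = 3


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    user_id: str
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest first
    failures: int = 0
    locked: bool = False

    def _matches_any(self, password: str, entries) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), digest)
                   for salt, digest in entries)

    def set_password(self, new_password: str) -> bool:
        """Refuse a password equal to the current one or any of the retained previous ones."""
        if self._matches_any(new_password, self.history[:HISTORY_SIZE]):
            return False
        salt = os.urandom(16)
        self.history.insert(0, (salt, hash_password(new_password, salt)))
        del self.history[HISTORY_SIZE:]
        return True

    def authenticate(self, password: str) -> str:
        """Return 'ok', 'invalid' or 'locked'; the third failure locks the user ID."""
        if self.locked:
            return "locked"
        if self.history and self._matches_any(password, self.history[:1]):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            return "locked"
        return "invalid"

    def admin_unlock(self) -> None:
        """The slide gives the admin the option to unblock a locked account."""
        self.locked = False
        self.failures = 0


if __name__ == "__main__":
    acct = Account("alice")          # constructed user
    acct.set_password("Winter#2024")
    for attempt in ["wrong1", "wrong2", "wrong3", "Winter#2024"]:
        print(attempt, "->", acct.authenticate(attempt))   # invalid, invalid, locked, locked
    acct.admin_unlock()
    print(acct.authenticate("Winter#2024"))                 # ok
```

Two details matter for the slide's rules: the history check has to re-hash the candidate with each retained salt (there is no way to compare salted digests directly), and a locked account must return "locked" even for the correct password, otherwise the lockout leaks which guess was right.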

Password Change Process in Server

A password change request form is required to change the password of a database, OS domain, or remote access user.

Password Protection

- Never write passwords down.
- Never send a password through email.
- Never include a password in a non-encrypted stored document.
- Never tell anyone the password.
- Never reveal the password over the telephone.
- Never hint at the format of the password.
- Never reveal or hint at the password on a form on the internet.
- Never use the "Remember Password" feature of application programs such as Internet Explorer, an email program, or any other program.

- Never use your corporate or network password on an account over the internet which does not have a secure login, where the web browser address starts with https rather than http.
- Report any suspicion of the password being broken to the system admin.
- If anyone asks for the password, refer them to the system admin.
- Don't use common acronyms as part of the password.
- Don't use common words or reverse spellings of words as part of the password.
- Don't use names of people or places as part of the password.

Incident Response Plan: Types of Incidents

- Denial of service / distributed denial of service
- Excessive port scans
- Firewall breach
- Virus outbreak
- Breach of personal information
- Detection of unauthorized wireless devices

When Notification Is Required

- Dangerous virus attack on servers
- Intrusion in the firewall
- Malicious code running in the Windows system folder
- Network system failures
- Any change in log server files
- Data leakage in the SQL Server database
- Failure in the camera log system
- Incident in IDC hardware

Notification Steps

If the IR team leader hears of or identifies any of the above incidents, he will contact the head of the IR team within 24 hours. The head and the leader will analyse the severity of the incident and report it to the head of the Vidyut IR team. If the incident cannot be handled within 24 hours, the Vidyut head will call the client and inform them of the incident details.

- PAN data is not sent through email without encryption.
- PAN data will not be given to merchants / banks through the chat system.
- Passwords will not be given to merchants / banks through the chat system.

Background Check

- HR needs to verify the employee's details with the previous employer.
- A police clearance certificate is required for new employees.

Scans to be Performed

- Security vulnerability scan: quarterly
  o External ASV scan by a certified vendor
  o Internal VA using the Nessus tool by the internal team
- External web application PT: yearly
  o Must be performed by an Approved Scanning Vendor (ASV)
- External network PT: yearly
  o Must be performed by an Approved Scanning Vendor (ASV)

- Internal network PT: yearly
  o Must be performed by an Approved Scanning Vendor (ASV)
- Cardholder data scan using the PCI CDD tool: quarterly
- Wireless analyzer scan in IDC: quarterly
  o Using the Insider tool
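Two of the controls above depend on the same capability: the rule that PAN data must not travel through email or the chat system, and the quarterly cardholder-data scan. Both come down to finding PANs in text that should not contain them. This added example (not the PCI CDD tool, nor code from the presentation or from QPay) shows the core of such a check: a pattern for 13 to 19 digit runs with optional separators, a Luhn test that discards order numbers and phone numbers that merely look like card numbers, and a findings list that records only the slide's first-6/last-2 form so the scan log does not itself become cardholder data. The sample chat messages, emails and file contents are constructed, the card numbers are public test numbers, and the file path is a placeholder.

```python
import re

# Example code added to this transcript; it is not the PCI CDD tool or QPay's
# own scanner. Sample items, channel names and the file path are constructed.

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Same first-6/last-2 form the storage slide uses; the findings log must not hold full PANs."""
    return digits[:6] + "*" * (len(digits) - 8) + digits[-2:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN in the text, digits only."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_items(items: list) -> list:
    """One finding per item (chat message, email, file) that carries a PAN."""
    findings = []
    for item in items:
        pans = find_pans(item["body"])
        if pans:
            findings.append({"id": item["id"], "channel": item["channel"],
                             "masked": [mask_pan(p) for p in pans]})
    return findings


# Constructed samples: the card numbers are public test numbers, the path is a placeholder.
SAMPLE_ITEMS = [
    {"id": 1, "channel": "chat", "body": "Customer says card 4111 1111 1111 1111 was declined, please check."},
    {"id": 2, "channel": "email", "body": "Order 1234567890123 shipped; call 555-0100 with questions."},
    {"id": 3, "channel": "email", "body": "Full PAN 5555-5555-5555-4444 attached for the bank."},
    {"id": 4, "channel": "chat", "body": "Refund posted to 411111********11 yesterday."},
    {"id": 5, "channel": "file:/path/to/export.csv", "body": "id,card\n17,4111111111111111\n18,none\n"},
]

if __name__ == "__main__":
    for finding in scan_items(SAMPLE_ITEMS):
        print(finding["channel"], finding["id"], finding["masked"])
```

Item 2 is the reason the Luhn step is there: a 13-digit order number matches the digit pattern but fails the check digit, so it produces no finding, while item 4 shows that a properly truncated PAN passes through untouched. The same `find_pans` function serves both controls, run over outbound messages for the email and chat rule and over exported files and database dumps for the quarterly discovery scan.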