Presentation is loading. Please wait.

Presentation is loading. Please wait.

Payment Card Industry (PCI) Data Security Standard

Published byBerenice Higgins Modified over 9 years ago

Similar presentations

Presentation on theme: "Payment Card Industry (PCI) Data Security Standard"— Presentation transcript:

1 Payment Card Industry (PCI) Data Security Standard

2 12 standards over six areas
Build & Maintain Secure Network(2) Protect Cardholder Data(2) Maintain a Vulnerability Management Program(2) Implement Strong Access Control Measures(3) Regularly Monitor and Test Networks(2) Maintain an Information Security Policy(1)

3 1) Build & Maintain Secure Network
Install and maintain a firewall configuration to protect cardholder data Establish firewall configuration standards Process for testing external connections & changes to firewall Network diagram with all connections to cardholder data Document all services & ports necessary for business Justify any protocol besides Http, Https, VPN Justification of risky protocols such as FTP, reasons for use and security measures implemented to deal with them Quarterly review of firewall and router rule sets Configuration standards for routers

4 Build firewall configuration that denies all traffic from untrusted networks & hosts, except for protocols necessary for the card holder data environment

5 Firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data Restrict inbound & outbound traffic to that which is necessary for cardholder data environment Deny all other inbound & outbound traffic

6 Do not use vendor-supplied defaults for system passwords and other security parameters
Develop configuration standards for components Assure that standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards Hosting providers must protect each entity’s hosted environment & data Comply with PCI DSS for hosting providers

7 2) Protect Cardholder Data
Keep cardholder storage to a minimum Data retention Policy Only as long as needed for Business Legal and/or Regulatory purposes Do not store sensitive authentication data subsequent to authorization, even if encrypted Do not store full contents of any track from magnetic stripe

8 Commonly used elements of cardholder and sensitive authentication data

9 Mask PAN when displayed
First six or last 4 are the max Protect encryption keys used for encryption of cardholder data Restrict access to keys Secure storage of keys

10 Encrypt transmission of cardholder data across open, public networks
Use strong cryptology & security protocols For wireless, use WPA or WPA2 If you must use WEP, additional security measures needed such as minimum 104 bit encryption, Restrict access base on MAC address Never send unencrypted PANs by

11 3) Maintain a Vulnerability Management Program
Use and regularly update anti-virus software Deploy on all systems commonly affected by viruses(especially personal computers and servers)

12 Develop and maintain secure systems and applications
Latest patches installed Develop software apps based on industry best practices Change control procedures

13 4) Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Account management Restrict physical access to cardholder data

14 5) Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data Automated assessment trails Regularly test security systems and processes Test controls on regular basis Run internal & external vulnerability scans Penetration test at least once per year

15 6) Maintain an Information Security Policy
Maintain a policy that addresses information security for employees & contractors Document, maintain and disseminate Ensure policies clearly define security responsibilities for all employees & contractors Establish formal security awareness program Screen potential employees Implement incident response team

Download ppt "Payment Card Industry (PCI) Data Security Standard"

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Protecting Credit Card Information

Protecting Credit Card Information
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
Information Security Policies and Standards

Information Security Policies and Standards
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.

Wireless Security Ysabel Bravo Fall 2004 Montclair State University - NJ.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Introduction to PCI DSS

Introduction to PCI DSS
Northern KY University Merchant Training

Northern KY University Merchant Training
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material.

Disclaimer Copyright Michael Chapple and Jane Drews, This work is the intellectual property of the authors. Permission is granted for this material.
Installing and Configuring a Secure Web Server COEN 351 David Papay.

Installing and Configuring a Secure Web Server COEN 351 David Papay.

Similar presentations

Ads by Google