150 likes | 290 Views
Payment Card Industry (PCI) Data Security Standard. 12 standards over six areas. Build & Maintain Secure Network(2) Protect Cardholder Data(2) Maintain a Vulnerability Management Program(2) Implement Strong Access Control Measures(3) Regularly Monitor and Test Networks(2)
E N D
12 standards over six areas • Build & Maintain Secure Network(2) • Protect Cardholder Data(2) • Maintain a Vulnerability Management Program(2) • Implement Strong Access Control Measures(3) • Regularly Monitor and Test Networks(2) • Maintain an Information Security Policy(1)
1) Build & Maintain Secure Network • Install and maintain a firewall configuration to protect cardholder data • Establish firewall configuration standards • Process for testing external connections & changes to firewall • Network diagram with all connections to cardholder data • Document all services & ports necessary for business • Justify any protocol besides Http, Https, VPN • Justification of risky protocols such as FTP, reasons for use and security measures implemented to deal with them • Quarterly review of firewall and router rule sets • Configuration standards for routers
Build firewall configuration that denies all traffic from untrusted networks & hosts, except for protocols necessary for the card holder data environment
Firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data • Restrict inbound & outbound traffic to that which is necessary for cardholder data environment • Deny all other inbound & outbound traffic
Do not use vendor-supplied defaults for system passwords and other security parameters • Develop configuration standards for components • Assure that standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards • Hosting providers must protect each entity’s hosted environment & data • Comply with PCI DSS for hosting providers
2) Protect Cardholder Data • Protect Card holder data • Keep cardholder storage to a minimum • Data retention Policy • Only as long as needed for • Business • Legal and/or • Regulatory purposes • Do not store sensitive authentication data subsequent to authorization, even if encrypted • Do not store full contents of any track from magnetic stripe
Commonly used elements of cardholder and sensitive authentication data
Mask PAN when displayed • First six or last 4 are the max • Protect encryption keys used for encryption of cardholder data • Restrict access to keys • Secure storage of keys
Encrypt transmission of cardholder data across open, public networks • Use strong cryptology & security protocols • For wireless, use WPA or WPA2 • If you must use WEP, additional security measures needed such as minimum 104 bit encryption, Restrict access base on MAC address • Never send unencrypted PANs by email
3) Maintain a Vulnerability Management Program • Use and regularly update anti-virus software • Deploy on all systems commonly affected by viruses(especially personal computers and servers)
Develop and maintain secure systems and applications • Latest patches installed • Develop software apps based on industry best practices • Change control procedures
4) Implement Strong Access Control Measures • Restrict access to cardholder data by business need-to-know • Assign a unique ID to each person with computer access • Account management • Restrict physical access to cardholder data
5) Regularly Monitor and Test Networks • Track and monitor all access to network resources and cardholder data • Automated assessment trails • Regularly test security systems and processes • Test controls on regular basis • Run internal & external vulnerability scans • Penetration test at least once per year
6) Maintain an Information Security Policy • Maintain a policy that addresses information security for employees & contractors • Document, maintain and disseminate • Ensure policies clearly define security responsibilities for all employees & contractors • Establish formal security awareness program • Screen potential employees • Implement incident response team