1 / 14

PCI Compliance Technical Overview

PCI Compliance Technical Overview. RM PCI Calendar. Dec 2005: Began PCI 15.1 development Feb 2006: Initial PCI Audit Sept 2006: Official 15.1 PCI Release Sept 2006: Validation Report sent to VISA Jan 2007: VISA approves certification. Card Data Compromises.

idola
Download Presentation

PCI Compliance Technical Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PCI ComplianceTechnical Overview

  2. RM PCI Calendar Dec 2005: Began PCI 15.1 development Feb 2006: Initial PCI Audit Sept 2006: Official 15.1 PCI Release Sept 2006: Validation Report sent to VISA Jan 2007: VISA approves certification

  3. Card Data Compromises • 40% of all compromises involve a restaurant • Top 5 compromises: • Full track data retention • Default accounts • Insecure remote access • Non-use of security tools (antivirus, encryption) • SQL injection

  4. Terms and Definitions • PCI DSS: Payment Card Industry Data Security Standard • PABP: Payment Application Best Practices • RM is a validated payment application that meets the PCI PABP • So what is “PCI Compliance”? Hint: It’s not simply installing RM 15.1.

  5. The PCI Compliant Site Restaurant must use PCI PABP validated POS application, properly configured, implementing proper procedures, and installed following all site-specific PCI guidelines and rules. That’s 4 areas needing attention: • Use PABP validated applications • Proper configuration • Proper procedures • Follow site guidelines

  6. 1. Use PABP validated applications • Use RM 15.1 (final release Sept 2006 or later) • Use certified credit card processing gateways (e.g. Mercury Payment Systems, PC Charge, Datacap)

  7. 2. Proper Configuration • Follow ASI PCI configuration guidelines: • RM and Reseller PCI Guidance Doc • Logging, Audit Trail • Admin Password Expiration

  8. 3. Proper Procedures • Enforcing limited access to RM Server machine. • Internet use from Server machine • Remote access (allowed only during incident) • No emailing of card data

  9. 4. Site Guidelines • Secure RM Server (credit card server) • Physical access • Logical access (open ports) • Firewalled • Network • Remote Access 2-factor authentication (VPN + PCAnywhere passwords) • And Wireless …

  10. 4. Site Guidelines (WiFi) • Enable WPA with key rotation • Change SSID from default • Turn off SSID broadcast • Implement MAC address filtering • Install firewall services between APs and RM Server • Port/Service Restrictions • Only: TCP 80, DNS 53, ICMP

  11. Internet Basic Network

  12. Internet Network w/ WiFi

  13. Internet Network w/ WiFi Symbol WS2000

  14. Thank you Questions?

More Related