PCI COMPLIANCE: An introduction and overview of PCI-DSS

What is required of you as an employee of the City of Eden Prairie, and potential issues facing the security of information.


AGENDA

- An overview of PCI-DSS
- What is required of you as an employee of the City of Eden Prairie
- Potential issues facing the security of information
- Necessary steps to protect cardholder data
- Information Security is part of your responsibility

If you see this image on a slide, the information is very technical in nature… we’ll breeze through it for most employees. IT employees will focus on this information.


Payment Card Industry Data Security Standard

Purpose: To educate staff on what security measures must be taken to protect the private information of individuals during any transaction occurring with the use of a credit card or paycard (i.e. Visa, Mastercard, etc.).

Includes:
- terms you might need to know
- your responsibilities
- vulnerabilities of which you should be aware
- knowledge you need to help protect cardholder data.


WHAT IS PCI-DSS

Standards used by all card brands to ensure the security of the cardholder data related to credit, debit and electronic payment cards.

A set of association mandated requirements for the handling of credit card information, classification of merchants, and validation of merchant compliance.


PCI ASSOCIATION

Originally developed by MasterCard and Visa through an alignment of security requirements:
- MasterCard Site Data Protection (SDP)
- Visa Cardholder Information Security Plan (CISP)

Formation of the PCI Security Standards Council: September 2006 (American Express, Discover Financial Services, JCB, MasterCard and Visa).

Current version, 3.0, released in November of 2013.


WHY PCI WAS DEVELOPED

The payment card industry and merchants lose billions of dollars each year to fraudulent charges from stolen cards, card numbers and personal identity theft.

The negative public exposure of a reported security breach can cost an organization millions of dollars for even one incident.

For consumers, it helps reduce identity theft. If not prevented, it can cost an individual thousands of dollars and countless hours to correct. The most common type of identity theft is credit card fraud.


6 CATEGORIES, 12 REQUIREMENTS

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software.
- Requirement 6: Develop and maintain secure systems and applications.


6 CATEGORIES, 12 REQUIREMENTS (continued)

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Assign a unique ID to each person with computer access.
- Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security.


PCI DSS CLASSIFICATION LEVELS

In addition to the previous security standards, merchants and transaction processors are classified into four categories:

Level 1 – Processes 6 million transactions or more per year; or any merchant that has experienced a breach that resulted in compromised account data.

Level 2 – Merchants that process between 150,000 and 6 million transactions per year.

Level 3 – Merchants that process between 20,000 and 150,000 transactions per year.

Level 4 – Merchants with less than 20,000 transactions per year.

The lower the classification level number, the higher the level of security that must be maintained. What merchant level do you think the City of Eden Prairie is today?


VALIDATION REQUIREMENTS

In addition to personnel training, PCI requires that merchants and service providers undergo periodic reviews of their organizational security.

There are three aspects to these reviews to be validated as PCI compliant:
- Annual on-site security audits
- Annual self-assessment questionnaire
- Quarterly external network scans

All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. Scan requirements are rigorous. All 65,535 ports must be scanned, all vulnerabilities detected of level 3-5 severity must be remediated, and two reports must be issued—a technical report that details all vulnerabilities detected with solutions for remediation, and an executive summary report with a PCI-approved compliance statement suitable for submission to acquiring banks for validation.

In lieu of an on-site audit, smaller merchants (levels 2, 3 and 4) and service providers (level 3) are required to complete a self-assessment questionnaire to document their security status.

MasterCard and Visa require the largest merchants (level 1) and service providers (levels 1 and 2) to have a yearly on-site compliance assessment performed by a certified third-party auditor.


CATEGORY 1: BUILD & MAINTAIN A SECURE NETWORK

Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Firewall and router standards should include:
- A formal process for testing and approving any network connections or changes.
- A network diagram that identifies ALL connections between cardholder data and any other system or networks (including wireless).
- Required firewalls at each Internet connection.
- Required firewalls between any DMZ and the internal network zone.
- A description of all groups and roles for network component management.
- Documentation showing justification and business need for ALL services, protocols and open ports.
- Documentation of the security features of any services, protocols and open ports.
- A schedule to review firewall and router rule sets at least every six months.


FIREWALL & ROUTER CONFIGURATION

Firewalls and routers should be configured so that they restrict connections between any system component in the cardholder environment and untrusted networks.
- Only allow traffic (inbound or outbound) that is necessary for the cardholder environment. Deny all other traffic.
- Secure and synchronize all configuration files.
- Install perimeter firewalls between all wireless networks and the cardholder environment. Deny all unnecessary traffic.


PROHIBIT DIRECT ACCESS

All public access from the Internet to system components in the cardholder environment should be prohibited. Safeguard steps should include:
- Limiting inbound traffic by implementing a DMZ.
- IP address restrictions limiting inbound traffic to authorized DMZ addresses.
- Denying any direct connections between the Internet and system components within the cardholder environment.
- Implementation of anti-spoofing measures. Block all forged source IP addresses from accessing the network.
- Blocking any unauthorized outbound traffic originating from the cardholder environment.
- Utilizing dynamic packet filtering to only allow "established" connections into the network.
- Placing any system component that stores cardholder data on the internal network zone, separate from the DMZ or any untrusted networks.
- Protecting component IP addresses from any unauthorized distribution or disclosure.


OTHER CONSIDERATIONS

Mobile and Employee Owned Devices

Any device that connects to the network but is also used to access the Internet when outside the network MUST have personal firewall software installed. Personal firewall software should be:
- Actively running at all times.
- Configured to the PCI DSS standards defined by the organization.
- Unable to be changed or disabled by the user.

Documentation

Document all policies, procedures, and configurations needed for managing firewalls, routers and system components.

Make sure that the documentation remains up to date and is available for any personnel that need it for their job responsibilities. Conversely, secure this documentation from unauthorized access.

Network Scans

All merchants and service providers are required to have external network security scans performed quarterly by a certified third-party vendor. During a PCI network audit, an external scan will be performed on all 65,535 ports. The scan will identify any vulnerabilities. Two reports should be issued. A technical report that details the vulnerabilities detected as well as the solutions for remediation. The second report is an executive summary that outlines the process performed, the findings and the solutions applied along with a PCI approved compliance statement.


POP QUIZ!

Which of these statements is FALSE when configuring a PCI-compliant network?

A) Any cardholder databases should be placed in internal network zones (layered).

B) Unrestricted wireless networks should be used to reduce backbone traffic.

C) Dynamic packet filtering should be used to allow only “established” connections.

D) Router and firewall configuration files must be protected at all times.

As a matter of fact, wireless networks should be outside the perimeter firewalls, encrypted and require appropriate authentication.


BUILD & MAINTAIN A SECURE NETWORK

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

One of the first things a hacker may try is the use of default passwords for popular security devices, systems or software. Default passwords should be changed before the installation of a device on the network. The passwords should conform to best practice standards of the following:
- Use at least ten (10) characters for Administrator passwords.
- Utilize both letters and numbers.
- Use special characters, if possible.
- Use upper- and lower-case letters, if possible.
- Do not use words found in the dictionary.
- Combine misspelled words or phrases.
- Do not use familiar names.
- Avoid using commonly known facts about yourself.


OTHER CONSIDERATIONS

Other Passwords

If you are a System Administrator, it is your responsibility to create strong passwords for other accounts on the system. Do not use any default passwords such as “welcome” or a combination of the user’s last or first name and/or initials. Use the tips on the previous page when creating new account passwords.

Configuration Standards

Each server should have ONE primary function (i.e. Web server, DNS, database server). Develop, test and document standards for all system components. Standards should address all known security vulnerabilities and should also be reviewed and updated at least every six months or as new vulnerabilities are discovered. Sources for security standards include:
- ISO - International Organization for Standardization
- NIST - National Institute of Standards and Technology
- CIS - Center for Internet Security
- SANS - SysAdmin, Audit, Network, Security

As with routers and firewalls, system components should only have required services and protocols configured and running.

Remove all unnecessary functionality such as scripts, drivers, features and services.

Any administrative access that is not performed directly at the console should be encrypted using VPN, SSH or SSL/TLS.


CATEGORY 2: PROTECT CARDHOLDER DATA

Requirement 3: Protect stored cardholder data.

Minimize cardholder data storage by implementing data storage, retention and disposal policies, procedures and processes.
- Limit data storage to what is necessary for business requirements or what is required legally via laws or regulatory requirements.
- Securely delete or dispose of data as soon as it is no longer needed.
- Review data that is retained quarterly to identify anything that exceeds defined retention needs.


ELEMENTS OF CARDHOLDER DATA

                                    Storage     Protection   PCI DSS 3.4
Data Element                        Permitted   Required     Required
Cardholder Data
  Primary Account Number (PAN)      Yes         Yes          Yes
  Cardholder Name                   Yes         Yes *        No
  Service Code                      Yes         Yes *        No
  Expiration Date                   Yes         Yes *        No
Sensitive Authentication Data **
  Full Magnetic Stripe              No          n/a          n/a
  CVC2/CID                          No          n/a          n/a
  PIN/PIN Block                     No          n/a          n/a

* These elements must be protected if stored in conjunction with the PAN. This protection must be consistent with PCI DSS required standards.
** Sensitive authentication data must not be stored subsequent to authentication (even if encrypted).


SENSITIVE AUTHENTICATION DATA

Cardholder Information Storage

Sensitive authentication data must NEVER be stored after the transaction authorization process. These data items include the full magnetic stripe, the card validation code (CVC or CID), or the PIN or encrypted PIN block. Storage of these data elements is strictly forbidden, even in encrypted form.

Data elements that can be stored include the Primary Account Number (PAN), the cardholder name, the service code and the expiration date. While these items are permitted to be stored, they must be protected at all times. The PAN must be rendered unreadable through the use of cryptography, strong one-way hash algorithms, or truncation.

In addition, anytime the PAN is displayed or printed (point of sale receipt) the full number must not be shown and should be masked. Example: **** **** **** 2936

Other data elements must also be stored in protected form if stored with the PAN.

Do NOT store the card verification code (CVC/CID/CAV2, etc.) used to verify card-not-present transactions.

Do NOT store the PIN or even the encrypted PIN block.
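The three ways the slide allows a PAN to be rendered unreadable (masking for display, truncation for storage, and a keyed one-way hash for lookups), plus a coarse check for a full PAN in outgoing text, as an added example that is not part of the original training deck. The hash key, the sample PAN and the first-six/last-four truncation format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import re

# Constructed key for the keyed one-way hash. Assumption: a real deployment
# takes this from the key-management process described later, not from code.
HASH_KEY = b"constructed-example-key-do-not-use"

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def normalize_pan(raw: str) -> str:
    """Strip spaces and dashes; reject anything that is not 13-19 digits."""
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan


def mask_pan(raw: str) -> str:
    """Display form for receipts and screens: only the last four digits are
    shown, grouped from the right so the result reads **** **** **** 2936."""
    pan = normalize_pan(raw)
    masked = "*" * (len(pan) - 4) + pan[-4:]
    groups = []
    while masked:
        groups.insert(0, masked[-4:])
        masked = masked[:-4]
    return " ".join(groups)


def truncate_pan(raw: str) -> str:
    """Storage form that keeps only the first six and last four digits; the
    middle is discarded, not hidden, so it cannot be recovered later."""
    pan = normalize_pan(raw)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(raw: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA256). A plain SHA-256 of a PAN is weak
    because the space of valid PANs is small enough to enumerate; the secret
    key is what stops that."""
    pan = normalize_pan(raw)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def pan_matches(raw: str, stored_digest: str, key: bytes = HASH_KEY) -> bool:
    """Compare a presented PAN with a stored digest in constant time."""
    return hmac.compare_digest(hash_pan(raw, key), stored_digest)


def contains_unmasked_pan(text: str) -> bool:
    """Coarse check for a full PAN in free text (e-mail body, chat message)
    so a client can warn before sending. Any 13-19 digit run trips it, so
    expect some false positives on other long numbers."""
    return PAN_PATTERN.search(text) is not None
```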


POP QUIZ!

Which of these items should NOT be stored after a credit card transaction?

A) PIN

B) Magnetic Stripe Data

C) CVC/CID

D) Encrypted PIN Block

E) All of the above

All of these items are sensitive in nature and should not be stored after the transaction.


ENCRYPTION MANAGEMENT

If encryption is used to protect cardholder information, the following requirements apply:
- Restrict access to keys to the fewest people necessary.
- Store keys securely.
- Generate strong keys.
- Change keys at least annually, if not more frequently.
- Properly destroy old keys.
- Immediately replace any key that is known or suspected of compromise.
- Have key custodians sign a policy form acknowledging their responsibilities.
- Fully document the processes for each of the items above.

If disk encryption is used instead of file or column-level database encryption, then access must be managed separately and independently of operating system authentication and access control.

Key protection procedures must be implemented and documented. Key management and access must be limited to as few personnel as possible, on an as-needed basis only. Keys must be stored utilizing one (or more) of the following forms at all times:
- Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key (this key must be stored separately from the data-encrypting key);
- Within a separate and secure cryptographic device; and/or
- As at least two full-length key components or key shares (in accordance with industry accepted methods).

Important: Store cryptographic keys in the fewest possible locations.
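Split knowledge with full-length key components, and the annual/compromise rotation rule from the list above, as an added example that is not from the training deck. The XOR split is the industry method for full-length components; the key id, custodian names and dates are constructed.

```python
from __future__ import annotations

import secrets
from datetime import date, timedelta

KEY_BYTES = 32                      # a 256-bit data-encrypting key
MAX_KEY_AGE = timedelta(days=365)   # slide: change keys at least annually


def xor_all(parts: list[bytes]) -> bytes:
    """XOR any number of equal-length byte strings together."""
    acc = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(acc):
            raise ValueError("key components must all be full length")
        acc = bytes(a ^ b for a, b in zip(acc, p))
    return acc


def split_key(key: bytes, n: int = 2) -> list[bytes]:
    """Split a key into n full-length components: n-1 are random, the last is
    chosen so that XORing all n gives the key back. Any n-1 components are
    indistinguishable from random, so no single custodian learns the key."""
    if n < 2:
        raise ValueError("split knowledge needs at least two components")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = bytes(a ^ b for a, b in zip(key, xor_all(parts)))
    return parts + [last]


def combine_key(parts: list[bytes]) -> bytes:
    """Reconstruct the key from all of its components."""
    return xor_all(parts)


class KeyRecord:
    """Metadata the key-custodian process tracks for one data-encrypting key."""

    def __init__(self, key_id: str, created: date, custodians: list[str]):
        if len(custodians) < 2:
            raise ValueError("need at least two custodians for split knowledge")
        self.key_id = key_id
        self.created = created
        self.custodians = list(custodians)
        self.compromised = False

    def rotation_due(self, today: date) -> bool:
        """True once the key is a year old or is known/suspected compromised."""
        return self.compromised or today - self.created >= MAX_KEY_AGE


def issue_key(key_id: str, today: date, custodians: list[str]):
    """Generate a fresh key, split it one component per custodian, and return
    the record plus a {custodian: component} map. The whole key is never kept."""
    key = secrets.token_bytes(KEY_BYTES)
    record = KeyRecord(key_id, today, custodians)
    components = dict(zip(custodians, split_key(key, len(custodians))))
    return record, components
```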


PROTECT CARDHOLDER DATA

Cardholder information storage should be for the minimum time necessary for the business function or for legal/regulatory compliance purposes. A policy should be developed to outline the data retention period and disposal policy and procedure.

Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Transmitting any information across a public network such as the Internet can allow its interception or modification by hackers.

Encrypt any sensitive information and use secure protocols such as SSL/TLS and IPSEC (Internet Protocol Security). This will help safeguard cardholder information that must be transmitted.

Never send a PAN via unencrypted e-mail.


WIRELESS NETWORK TRANSMISSION

Do not use WEP to protect cardholder information transmitted on a wireless network.

Instead, use IEEE 802.11i standardized methods such as WPA2.

Never send unprotected PANs via unsecured and unencrypted methods such as e-mail, instant messaging or chat applications.

All security policies and/or procedures for encrypting transmissions of cardholder data should be fully documented, implemented and known to all affected parties.

Did you know? LTE (Long-Term Evolution), GSM (Global System for Mobile communication), WiFi (wireless networks) and GPRS (General Packet Radio Service) are also forms of public networks.


CATEGORY 3: MAINTAIN A VULNERABILITY PROGRAM

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.

With the dawn of e-mail, it quickly became the vehicle of choice for virus distribution. Now, virus authors are also creating malicious code that can be distributed through other means such as seemingly innocuous web sites, mini-applications such as games and even graphic pictures. Because of these vulnerabilities, it is important to maintain effective and up-to-date anti-virus software.

Deploy Anti-Virus Software on All Systems

Every personal computer, server or any other machine that could be infected within our networks must have our standard anti-virus software installed before it is allowed to be connected to the network. Ensure that all anti-virus software is actively running, includes current updates and can produce an audit log, if necessary. It is important that anti-virus programs cannot be disabled by end-users.


SYSTEMS & APPLICATIONS

Requirement 6: Develop and maintain secure systems and applications.

Hackers will attempt to gain access to a network or system by utilizing vulnerabilities in software applications. We must maintain our applications at the highest level of security possible.

Commercial Software It would be nice if all software was fully secure before release, but we all know that is almost never the case. Therefore, vendors release patches or updates when new vulnerabilities are discovered.

A security patch is considered safe to install once it has been evaluated and tested to ensure it does not conflict with any other software or security configurations.

It is imperative that all software and system components have the latest security patches deemed safe. The PCI Security Standards Council recommends that these should be installed within one month of release.

New Vulnerabilities

We must be on constant watch for new vulnerabilities. There are many sources for this type of information. There are many industry newsletters or e-mail lists available that can help. Subscribe to e-mail alerts from organizations such as SANS and CERT. Some of the information security magazines also offer e-news or alerts as well. System vendors may also have e-mail alert lists. Be sure to ask if this is available as it could be the earliest warning available. Our security standards should be updated as new vulnerabilities are discovered.


SOFTWARE DEVELOPMENT

There are a number of things to keep in mind when developing our own software. Security vulnerabilities can be kept to a minimum by following industry best practices. These measures include:
- Separate environments for development, test and production.
- Separation of duties between development, test and production.
- Secondary review of all code for possible vulnerabilities.
- Never use real data (PANs) for testing.
- Remove all test data before moving to production.
- Remove any test accounts or passwords before moving to production.

Applications should be developed in a separate environment from testing and production. Similarly, once developed, applications should be tested in a separate environment so as not to affect live data (production) or the development area. And of course, development and testing should NEVER be done on any system in the production environment or even connected to production systems or networks.

The application development team should not take an active part in the production deployment.

Someone other than the development group should review each application or application change. This third party process helps ensure that vulnerabilities have not slipped into the development process. An extra set of eyes always helps!

Use mock-up data for testing. Never use live PANs or account information.

Be sure to remove all test data before moving to production. This will help protect the integrity of the application data.

When moving to production, start with a clean account list. Test accounts or passwords that remain could provide unauthorized access.


OTHER DEVELOPMENT CONSIDERATIONS

Protection Against Known Attacks

Developers should be trained in secure coding practices and be continually updated on new vulnerabilities and secure coding techniques.

All custom developed web-based applications should be reviewed by an outside organization that specializes in application security. They will help determine if any known vulnerabilities exist in the code.  An application layer firewall should be installed between any web-based applications and the Internet.

Change Control

Almost every application developed evolves at some point. It is important that these changes occur with a formal and controlled process, including:

- Code changes must be reviewed by someone other than the originating code author;
- Code reviews ensure code is developed to secure code guidelines;
- Sign off by the appropriate management;
- Testing the change(s);
- Documenting the change request and the impact it will have; and
- Complete back-out procedures.


CATEGORY 4: IMPLEMENT STRONG ACCESS CONTROL

Requirement 7: Restrict access to cardholder data by business need-to-know.

Cardholder information should only be accessible to those individuals who need it to perform their job.

Default access rights to cardholder data should be “Deny All” unless a user or group is specifically allowed. This access should be reviewed periodically for “need to know” applicability.

Access Control
- Assign access based on individual personnel job function.
- All access requests should be reviewed and approved by authorized parties.
- Access restrictions should cover all system components.
- Security policies and procedures should be developed for requesting, granting, revoking and documenting all access. These policies should be known to and readily available to all affected parties.


AUTHENTICATION & PASSWORDS

As with all systems, unique access identification provides control and accountability. PCI DSS provides strict requirements for system account or ID creation.

For local system access, each user should be assigned a unique user account or ID. Each ID is required to employ at least one of the following for authentication:

Strong passwords
- Minimum of eight characters
- Utilize both upper- and lower-case letters
- Utilize both letters and numbers
- Use special characters, if the system permits

Biometrics
- Fingerprints
- Retinal or iris scan
- Facial scan
- Voice recognition

Token devices
- SecurID
- Certificates
- PKI


MANAGING USER AUTHENTICATION AND PASSWORDS

PCI DSS provides stringent requirements for account and password management. These apply to all non-consumer users as well as administrator accounts.

PCI DSS specifies that we:
- Properly manage and control the addition, deletion or modification of user IDs.
- Verify user identity before processing password reset requests.
- Utilize unique passwords during account/password creation or subsequent password changes.
- Immediately remove access for terminated users.
- Review and remove inactive accounts at least every 90 days.
- Require strong passwords.
  ○ Minimum of 8 characters utilizing upper- and lower-case letters, numbers and special characters (if system permits).
- Users should be prohibited from re-using a password for four (4) password change cycles.
- Limit invalid login attempts to six, then lock the account for a minimum of 30 minutes (or admin reset).
- Disconnect login sessions that have been inactive for more than 15 minutes. Password required to re-activate connection.
- All cardholder database access must be authenticated, including users, administrators and applications.
- Use strong cryptography and/or render all authentication credentials unreadable during transmission and storage on all systems.
- Verify user identity before modifying any authentication credential (i.e. password resets, generating new keys).
- Set passwords/phrases for first-time and upon reset to a unique value for each user and require a password/phrase change at first use.
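The password-composition, reuse, lockout, idle-timeout, first-use and inactive-account rules listed above, turned into checkable logic as an added example that is not from the training deck. The user id, timestamps and sample passwords are constructed, and the history is kept as plain strings only to keep the example short (a real system compares against stored hashes).

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Parameters as stated on the slide.
MIN_LENGTH = 8
HISTORY_DEPTH = 4                    # no reuse within four change cycles
MAX_FAILED = 6                       # six invalid attempts, then lock
LOCKOUT = timedelta(minutes=30)
IDLE_TIMEOUT = timedelta(minutes=15)
INACTIVE_REVIEW = timedelta(days=90)


def password_violations(candidate: str, history: list[str]) -> list[str]:
    """Return the rules a new password breaks (empty list means accepted).
    history holds the user's previous passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("needs both upper- and lower-case letters")
    if not re.search(r"\d", candidate):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("needs a special character")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append("reused within the last 4 password changes")
    return problems


class Account:
    """Lockout, idle-timeout and first-use state for one unique user ID."""

    def __init__(self, user_id: str, created: datetime):
        self.user_id = user_id
        self.failed = 0
        self.locked_until: datetime | None = None
        self.last_activity = created
        self.must_change = True      # first-time/reset passwords are one-use

    def is_locked(self, now: datetime) -> bool:
        if self.locked_until is not None and now >= self.locked_until:
            self.locked_until = None  # lockout expired: count attempts afresh
            self.failed = 0
        return self.locked_until is not None

    def record_login(self, password_ok: bool, now: datetime) -> str:
        """Apply one attempt: 'locked', 'failed', 'change_required' or 'ok'."""
        if self.is_locked(now):
            return "locked"
        if not password_ok:
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "failed"
        self.failed = 0
        self.last_activity = now
        return "change_required" if self.must_change else "ok"

    def admin_reset(self) -> None:
        """Admin unlock or password reset: clears the lockout, forces a change."""
        self.failed = 0
        self.locked_until = None
        self.must_change = True

    def touch(self, now: datetime) -> None:
        """Record activity on an open session."""
        self.last_activity = now

    def session_expired(self, now: datetime) -> bool:
        """Idle for more than 15 minutes: the password is required again."""
        return now - self.last_activity > IDLE_TIMEOUT

    def inactive_for_review(self, now: datetime) -> bool:
        """Flag IDs unused for 90 days or more for the inactive-account review."""
        return now - self.last_activity >= INACTIVE_REVIEW
```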


CONTROLLING PHYSICAL ACCESS

Requirement 9: Restrict physical access to cardholder data

Systems or printed reports that contain cardholder information must be physically secured at all times. Physical access must be controlled and provided based on  job requirements. Uncontrolled access could provide the opportunity for unauthorized viewing, manipulating or even theft of this sensitive data.

PCI DSS requires that video surveillance be utilized to monitor areas containing cardholder systems or work areas where this information may be handled or processed. The video media must be retained for at least three months unless otherwise restricted by law.

Never allow public access to wired network jacks or wireless access points for networks that connect to cardholder systems.


DATA CLASSIFICATION & LABELING

Data should be classified and labeled so it can be handled adequately. Any information that is considered sensitive should be given appropriate status and labeled as such. This classification would include any form of cardholder information. Any media (electronic or paper) that contains classified information should be physically secured, logged and tracked.

Any classified media transport should be performed through a secured courier that can be accurately tracked.

Any storage or access to media with cardholder information should be strictly controlled and monitored.


GOVERNMENT DATA CLASSIFICATION

“Confidential data on individuals” is inaccessible to the public or to the individual subject of the data.

“Private data on individuals” is inaccessible to the public, but is accessible to the individual subject of the data.

“Protected nonpublic data” is data not on individuals that is inaccessible to the public or the subject of the data, if any.

“Nonpublic data” is data not on individuals that is inaccessible to the public, but accessible to the subject of the data, if any.

In which classification category does credit card data belong?

Page 35:

SECURING COMPUTERS & MEDIA

Any form of device or media that contains cardholder information must be secured and tracked at all times. This includes computers, mobile devices, portable media, and paper files, reports or receipts.

Computers should be physically secured to the work area, if possible. Each device should have an asset tag or ID tag. There should be an auditable log of to whom each device is assigned.

PDAs and other mobile devices that could contain cardholder information should be reviewed for necessity in the workplace. If deemed necessary, these devices must adhere to the PCI DSS access and encryption requirements. A strict inventory and control system should be in place prior to distribution or use, and the devices should be physically secured at all times when not in use.

As with mobile devices, the use of portable media should be thoroughly reviewed for necessity before being implemented. If deemed necessary, these devices need to adhere to the access and encryption standards for PCI DSS. A strict inventory and control system should be put in place prior to distribution or use. They should be physically secured at all times when not in use.

Physically secure any paper-based media that contains cardholder information, and ensure that these items are properly destroyed when discarded.

Page 36:

VISITORS

It is important to be able to quickly distinguish employees from visitors. Access control badges are a good example of this type of system.

Be sure that visitor access is only granted after verified authorization. Visitor badges should be dated, logged and issued for a specified, expiring time period. The badges should be visible at all times and must be returned to the controlling authority before the visitor leaves the premises.

All access should be logged for audit and investigation purposes, should they become necessary. These logs should be retained for at least three months.

Page 37:

DATA DESTRUCTION

Proper disposal of classified or sensitive information is essential to its security. Paper media should be shredded using a crosscut shredder, incinerated, or pulped.

Records Destruction Form

Electronic media should be purged, degaussed or otherwise destroyed so as to not be re-constructable.

Page 38:

CREDIT CARD READER DEVICES

PCI DSS Requirement 9.9 (added in version 3.0 of the standard) states that you must protect devices that capture payment card data via direct physical interaction with the card from tampering or substitution.

Maintain an up-to-date inventory of devices. The list should include the make and model of each device, its location, and its serial number or other unique identifier.

Devices should be periodically inspected for signs of tampering or substitution.

Look for indications such as altered or missing security seals and labels, unexpected attached cables or overlays, a broken casing, or a serial number that no longer matches the inventory.

Train personnel to be aware of attempted tampering or device replacement.

This includes being aware of suspicious behavior of individuals near devices, verifying anyone attempting to "repair" or "maintain" devices, and reporting any such suspicious behavior to the appropriate personnel (supervisor or security officer).

Page 39:

CATEGORY 5: REGULARLY MONITOR AND TEST NETWORKS

Requirement 10: Track and monitor all access to network resources and cardholder data.

System logs that document user access and activity are essential when cardholder information is compromised. PCI DSS specifies in detail which events these logs must capture and how they must be protected.

Audit Logs

For potential investigative purposes, an automated audit log facility should be implemented to identify:

Individual user access to cardholder data;
Any action taken by a user with root or administrative privileges;
Access to the audit logs themselves;
Invalid access attempts;
Use of identification and authentication mechanisms;
Initialization, stopping or pausing of the audit logs; and
Creation and/or deletion of system-level objects.

Page 40:

RECORDING DETAILS

Forensic investigation is often the only method available for identifying the cause or origin of a security breach. It is important that as much information be recorded as possible to help this process.

For each type of event, a minimum of the following items should be recorded:

Type of event; date and time; success or failure indication; user identification; and IP address or other indicator of the event's origin.

In addition, to accurately track events, all system clocks should be synchronized.
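As an added example (not code from the original training material), the script below runs the kind of check Requirement 10 calls for over a handful of constructed audit records. It rejects any record that is missing one of the five required fields or whose timestamp carries no timezone offset (an offset is what makes synchronized clocks usable when ordering events from different systems), and it raises alerts on the two conditions a daily reviewer most wants to see: a start, stop or pause of the audit log, and a burst of invalid access attempts from one origin. The key=value record format, the event tag names and the sample lines are assumptions of the example, not PCI DSS terminology or output of any real system.

```python
"""Check audit records against PCI DSS Requirement 10 and run a daily review.

Added example, not part of the original training deck. The key=value format,
the event tag names and the sample records are assumptions made for this
demonstration; map them to whatever your own log source emits.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Fields Requirement 10.3 expects in every audit record: event type, date and
# time, success/failure, user identity, origin (IP address or other indicator).
REQUIRED_FIELDS = ("event", "ts", "outcome", "user", "src")

# Event categories Requirement 10.2 says must be captured. The tag names are
# this example's own convention (assumption), not PCI DSS wording.
TRACKED_EVENTS = {
    "chd_access",         # individual user access to cardholder data
    "admin_action",       # actions taken by root/admin accounts
    "audit_log_access",   # reads of the audit trail itself
    "invalid_access",     # invalid / failed access attempts
    "auth",               # use of identification and authentication
    "audit_log_control",  # initialization, stopping or pausing of the log
    "sys_object_change",  # creation or deletion of system-level objects
}

# Constructed sample log (not captured from any real system). Line 7 carries a
# timestamp without a UTC offset; line 8 omits the origin field.
SAMPLE_LOG = """\
event=auth ts=2024-03-01T08:00:02+00:00 outcome=success user=jdoe src=10.0.5.21
event=chd_access ts=2024-03-01T08:01:10+00:00 outcome=success user=jdoe src=10.0.5.21
event=invalid_access ts=2024-03-01T08:02:00+00:00 outcome=failure user=admin src=203.0.113.7
event=invalid_access ts=2024-03-01T08:02:05+00:00 outcome=failure user=admin src=203.0.113.7
event=invalid_access ts=2024-03-01T08:02:09+00:00 outcome=failure user=admin src=203.0.113.7
event=audit_log_control ts=2024-03-01T08:03:00+00:00 outcome=success user=root src=10.0.5.9
event=admin_action ts=2024-03-01T08:04:00 outcome=success user=root src=10.0.5.9
event=chd_access ts=2024-03-01T08:05:00+00:00 outcome=success user=msmith
"""


@dataclass
class AuditRecord:
    event: str
    ts: datetime      # normalized to UTC so records from different hosts compare
    outcome: str
    user: str
    src: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> tuple[AuditRecord | None, list[str]]:
    """Parse one line. Returns (record, []) or (None, [problem, ...])."""
    fields = dict(_KV.findall(line))
    problems = [f"missing field '{f}'" for f in REQUIRED_FIELDS if f not in fields]
    ts = None
    if "ts" in fields:
        try:
            ts = datetime.fromisoformat(fields["ts"])
        except ValueError:
            problems.append("timestamp is not ISO 8601")
        else:
            if ts.tzinfo is None:
                # Without an offset the record cannot be ordered against other
                # hosts' clocks, which is the point of clock synchronization.
                problems.append("timestamp has no timezone offset")
    if "event" in fields and fields["event"] not in TRACKED_EVENTS:
        problems.append(f"unknown event type '{fields['event']}'")
    if problems:
        return None, problems
    return AuditRecord(fields["event"], ts.astimezone(timezone.utc),
                       fields["outcome"], fields["user"], fields["src"]), []


def daily_review(log_text: str, failure_threshold: int = 3):
    """Reject malformed records, then raise the alerts a reviewer should see."""
    records, rejected, alerts = [], [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec, problems = parse_record(line)
        if rec is None:
            rejected.append((lineno, problems))
            continue
        records.append(rec)
        if rec.event == "audit_log_control":
            # Stopping or pausing the audit trail is how an intruder hides;
            # every such event deserves a human look.
            alerts.append(f"line {lineno}: audit logging started/stopped/paused "
                          f"by {rec.user} from {rec.src}")
    failures = Counter((r.user, r.src) for r in records
                       if r.event == "invalid_access" and r.outcome == "failure")
    for (user, src), n in failures.items():
        if n >= failure_threshold:
            alerts.append(f"{n} failed access attempts for '{user}' from {src}")
    return records, rejected, alerts


if __name__ == "__main__":
    recs, bad, found = daily_review(SAMPLE_LOG)
    print(f"{len(recs)} valid records, {len(bad)} rejected")
    for lineno, problems in bad:
        print(f"  line {lineno}: {', '.join(problems)}")
    for a in found:
        print("ALERT:", a)
```

Run as a script it lists the two rejected lines and the two alerts. In practice the parser is replaced by one for your actual log source; the required-field and timezone checks and the alert logic carry over unchanged.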

Page 41:

SECURING THE AUDIT TRAIL

Because your audit trail may be your only evidence in the event of a breach, it is important that this information be safeguarded accordingly.

Viewing of audit logs should be limited by job function. Audit logs must be protected from unauthorized modification or deletion. Also, back up the audit logs promptly to a central log server (if possible) and to a medium that is not easily altered, such as write-once optical disk or tape.

It is also important to log wireless network access. Those logs should be copied to a log server on the internal wired LAN, so that compromise of an access point does not also compromise its logs.

Use some form of file integrity checking to ensure that no unauthorized changes take place.

Log Review and Accessibility

Logs should be reviewed at least daily for each system component. Be sure to include the logs of security-function servers, such as intrusion detection systems and authentication servers (e.g., RADIUS).

Logs should be available to authorized individuals for online access for at least three months. Retain all logs for a total of at least one year.

Page 42:

TESTING AND SCANNING

Requirement 11: Regularly test security systems and processes.

New vulnerabilities are being discovered almost daily. Hackers and security researchers are continuously looking for new ways to break into systems. System updates can also introduce new vulnerabilities.

Each server, network component, and software system should be tested frequently to ensure that security is maintained.

Test all security controls at least annually to ensure adequate ability to identify and to stop unauthorized access attempts.

At least quarterly, use a wireless analyzer to inventory and identify all wireless devices detected, whether they are connected to a network or not, so that rogue access points are found.

Page 43:

VULNERABILITY SCANNING

A hacker does it and so should you! Run internal and external vulnerability scans. Scans must be performed by qualified individuals.

This should be done at least quarterly or immediately after any system modifications or upgrades.

Re-scans must be performed after identified vulnerabilities have been corrected, until a passing scan is obtained. Quarterly external scans must be done by an Approved Scanning Vendor (ASV), a qualified organization approved by the PCI Security Standards Council.

Page 44:

PENETRATION TESTING

Develop and implement a methodology for penetration testing that:

Is based on industry-accepted penetration testing approaches (e.g., NIST SP 800-115);
Includes coverage of the entire CDE perimeter and critical systems;
Includes testing from both inside and outside the network;
Includes testing to validate any segmentation and scope-reduction controls;
Defines application-layer penetration tests covering the vulnerabilities identified in Requirement 6.5;
Defines network-layer penetration tests covering components that support network functions as well as operating systems;
Includes review and consideration of threats and vulnerabilities experienced in the last 12 months; and
Specifies retention of penetration testing results and remediation activities.

External and internal penetration testing must be done at least annually and after any significant infrastructure or application change.

Vulnerabilities found during testing must be corrected and the testing repeated to verify the fix.

Page 45:

NETWORK & SERVER MONITORING

All system traffic and activities must be monitored for intruders.

Utilize intrusion detection and intrusion prevention systems that can alert appropriate personnel of suspected violations.

Critical system or content files should be monitored for unauthorized changes. Utilize integrity monitoring software that can alert appropriate personnel of any changes. Configure this monitoring system to compare critical files at least once a week.

Critical files are typically not changed, so a modification could indicate a compromise. Most integrity monitoring systems come pre-configured with a list of critical files for the relevant operating system. Custom application files should be added to this configuration.

Page 46:

CATEGORY 6: MAINTAIN AN INFORMATION SECURITY POLICY

Requirement 12: Maintain a policy that addresses information security for employees and contractors.

The backbone of security within any organization is the security policy. This document sets forth the rules by which employees, contractors and even vendors must conduct themselves when it comes to the security of our information resources.

A good security policy is clear, strong and supports the goals of the organization. It educates employees about the importance of information security and most importantly, their responsibility.

PCI DSS requires that organizations establish, publish and maintain a security policy. These policies must be communicated to affected personnel.

Security policies must be reviewed and updated at least annually or if there are any environmental changes.

The security policy should address the PCI DSS requirements, identify threats and vulnerabilities, and be reviewed at least once a year. Security policies should clearly identify responsibility areas for all employees and contractors.

In addition, the security policy should call for a formal risk assessment at least annually.

Page 47:

RISK ASSESSMENT AND OPERATIONAL PROCEDURES

Risk Assessment

Implement a risk assessment process that is performed at least annually and after significant changes to the environment. It should identify critical assets, threats and vulnerabilities. Risk assessment methodologies are available from NIST (SP 800-30), ISO (27005) and others.

Operational Procedures

Daily operational procedures should be developed to reflect the requirements of the PCI DSS specification.

These procedures should include such things as user account maintenance, backup practices, log reviews, physical security, etc.

Page 48:

USAGE POLICIES

We are required to create and maintain usage policies for technologies available to employees, such as modems, remote access and wireless access. These policies should include:

Management approval to use the technology;
Authentication for use of the technology;
A maintained inventory of the devices and the personnel with access;
Labeling of each device identifying its owner and contact information;
Acceptable uses of the technology;
Permitted network locations;
A list of approved products;
Automatic disconnection of sessions after a period of inactivity;
Vendor connection guidelines (vendor remote access enabled only when needed); and
Requirements for local storage of cardholder data.

Page 49:

INFORMATION SECURITY MANAGEMENT

Any organization under PCI requirements should designate an individual or team with the following responsibilities:

Develop and document the organization's security policies, and distribute them or make them available to all employees.

Monitor and review all security alerts, and notify appropriate personnel as needed.

Establish and implement a security incident response plan, including an escalation procedure for timely handling of any situation.

Administer user accounts: adding new users, modifying existing users, and deleting users.

Monitor, evaluate and control all access to sensitive data.

Page 50:

EMPLOYEE SCREENING

Employees who could have access to large volumes of cardholder information should be screened with background and criminal checks. This is not required for individuals such as store clerks who handle only one card number at a time, although it is still recommended.

Also evaluate and verify previous employment.

Page 51:

INCIDENT RESPONSE

Speedy response to a system breach can often reduce the impact of the incident.

Implement a solid incident response plan that addresses procedures, response personnel, contact information, roles and responsibilities, business continuity and notification processes.

Test this plan at least once a year.

Make sure that specific individuals are assigned to alert monitoring, are available 24/7 and are appropriately trained.

The response team should receive alerts from intrusion detection, intrusion prevention, file integrity and physical security systems.

Page 52:

SHARING DATA WITH SERVICE PROVIDERS

Third Party Data Sharing

If cardholder information must be shared with a third-party service provider, then a contract should be put in place requiring that they comply with and adhere to the PCI DSS standard.

They must also provide a written acknowledgement that they accept responsibility for the security of the cardholder information they possess.

Connections

Any service provider or card transaction processor must have policies in place to manage connected entities. These policies must include the following:

Maintain a list of connected entities;
Ensure proper due diligence is performed before any entity is connected;
Ensure that each connecting entity is PCI DSS compliant; and
Establish a procedure for connecting and disconnecting entities.

Page 53:

SUMMARY

The Payment Card Industry Data Security Standard is a set of stringent rules for anyone handling cardholder information. PCI DSS was developed to protect cardholder information and thus prevent the financial losses caused by the growth of identity theft and fraudulent card transactions.

Our customers are trusting us to ensure that their information is kept secure and to help prevent their identity theft.

It is our responsibility as a service provider to uphold these requirements and follow the proper guidelines.

Page 54:

How many requirements are there for PCI Compliance?

a) Six

b) Twelve

c) Seventeen

d) Too many to keep track

There are 12 requirements for PCI Compliance. (Slides 7 & 8)

Page 55:

PCI Data Security Standards were created to help:

A)  Reduce the monetary losses to companies and consumers.

B)  Protect consumers from identity theft.

C)  Both A and B

D)  Encourage consumers to use cash

E) Make life difficult for retailers and their IT staff.

The general idea is to protect companies and consumers alike. (Slide 6)

Page 56:

According to PCI requirements, each server in a cardholder information environment should have:

A)  Multiple functions

B)  Only one function

C)  Stainless steel casing

D)  None of the above

Each server should only handle one function in a PCI environment. (Slide 17)

Page 57:

Portable devices, laptops, or other employee-owned equipment on PCI networks do not need to have a personal firewall installed.

A) Sometimes

B) Never

C) Always

Portable devices connecting to a PCI network MUST have a personal firewall installed. (Slide 14)

Page 58:

PCI encryption management requires that you properly _________ old keys.

A)  Destroy

B)  Distribute

C)  Detangle

D)  Decrypt

Old keys must be destroyed. (Slide 22)

Page 59:

To protect cardholder information on wireless networks you should use:

A)  WEP (Wired Equivalent Privacy)

B)  WPA/WPA2 (WiFi Protected Access)

C)  Decoder rings

D)  None of the above

WPA/WPA2 (Slide 24)

Page 60:

You should always keep your anti-virus software:

A)  Installed and running

B)  Current and up-to-date

C)  Installed but not running

D)  Both A and B

Antivirus software should be installed, up to date and running at all times. (Slide 25)

Page 61:

In software development, Separation of Duties means that someone from _______ should not also be part of _______________.

A)  Application development / production deployment

B)  Burger King / McDonalds

C)  Accounting / Finance

D)  Marketing / Housekeeping

Team members responsibilities should be separated for proper checks and balances. (Slide 27)

Page 62:

Systems should be configured to disconnect inactive sessions after:

A)  30 minutes

B)  90 minutes

C)  10 minutes

D)  15 minutes

Only 15 minutes. (Slide 31)

Page 63:

Video surveillance must be utilized to monitor areas containing cardholder systems or work areas where this information may be handled or processed.

A)  True

B)  False

True. (Slide 32)