Responsibility Matrix


Akamai Technologies Inc. Responsibility Matrix, PCI-DSS 3.0 Requirements

Table of Contents
- Purpose
- Overview
- Disclaimer
- Responsibility Matrix

Purpose
Akamai provides below a detailed matrix of PCI DSS controls, including the description of responsibility for each individual control.

Overview
Akamai's Secure Content Delivery Network (SCDN) delivers TLS content to end-users on behalf of Akamai's customers. It has been assessed by a Qualified Security Assessor (QSA) from Neohapsis, Inc, against the Payment Card Industry Data Security Standard (PCI DSS) 3.0. This document outlines whether a PCI DSS requirement is handled by Akamai, the customer, a joint responsibility, or not applicable. It is intended to enable Akamai customers to communicate requirements to their own PCI QSA when performing an assessment of their environment, per section.

Disclaimer
This document addresses only data transmitted using Akamai SCDN services. Data held on customer systems and data transmissions that do not involve Akamai's SCDN servers are not Akamai's responsibility to protect. Customers are responsible for meeting all PCI DSS compliance requirements on their own servers and networks.

Responsibility Matrix

1.1 Establish and implement firewall and router configuration standards that include the following:
- A formal process for approving and testing all network connections and changes to the firewall and router configurations
- Current diagram that identifies all networks, network devices, and system components, with all connections between the CDE and other networks, including any wireless networks
- Current diagram that shows all cardholder data flows across systems and networks
- Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
- Description of groups, roles, and responsibilities for management of network components

1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
Requirement to review firewall and router rule sets at least every six months.

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
Secure and synchronize router configuration files.

1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Limit inbound Internet traffic to IP addresses within the DMZ.
Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. (For example, block traffic originating from the Internet with an internal source address.)

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)
Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT)
- Placing servers containing cardholder data behind proxy servers/firewalls
- Removal or filtering of route advertisements for private networks that employ registered addressing
- Internal use of RFC 1918 address space instead of registered addresses.

1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include:
- Specific configuration settings are defined for personal firewall software.
- Personal firewall software is actively running.
- Personal firewall software is not alterable by users of mobile and/or employee-owned devices.

1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network. This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change all wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards Technology (NIST).

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
Implement additional security features for any required services, protocols, or daemons that are considered to be insecure. For example, use secured technologies such as SSH, S-FTP, SSL, or IPSec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
Configure system security parameters to prevent misuse.
Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:
- Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
- Processes for secure deletion of data when no longer needed
- Specific retention requirements for cardholder data
- A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process. It is permissible for issuers and companies that support issuing services to store sensitive authentication data if:
- There is a business justification, and
- The data is stored securely.
Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:

3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data. Note: In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
- The cardholder's name
- Primary account number (PAN)
- Expiration date
- Service code
To minimize risk, store only these data elements as needed for business.
Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN. Note: This requirement does not supersede stricter requirements in place for displays of cardholder data, for example, legal or payment card brand requirements for point-of-sale (POS) receipts.

3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
- One-way hashes based on strong cryptography (hash must be of the entire PAN)
- Truncation (hashing cannot be used to replace the truncated segment of PAN)
- Index tokens and pads (pads must be securely stored)
- Strong cryptography with associated key-management processes and procedures.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
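The following is an added example, not code from the Akamai matrix or from PCI DSS: one way to implement the 3.3 display mask and the 3.4 truncation and one-way-hash options, together with a check for the 3.4 note about keeping hashed and truncated forms of the same PAN apart. The keyed hash (HMAC-SHA-256), the `luhn_valid` helper and the `correlation_violations` record layout are this example's own choices; the PANs used are constructed test values.

```python
"""PCI DSS 3.3 / 3.4 helpers: mask for display, truncate or hash for storage,
and flag stores that keep both a hash and a truncation of the same PAN.
Added example; sample PANs are constructed test numbers."""
import hashlib
import hmac
import re
from collections import defaultdict

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812) used here to reject malformed inputs early."""
    if not PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Req. 3.3: at most the first six and last four digits may be displayed."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if not (0 <= first <= 6 and 0 <= last <= 4):
        raise ValueError("3.3 allows at most first six and last four digits")
    hidden = len(pan) - first - last
    return pan[:first] + "*" * hidden + (pan[-last:] if last else "")


def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: the middle digits are discarded, not masked,
    so the stored value carries only first six + last four."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Req. 3.4 one-way hash of the entire PAN. This example uses a keyed
    hash (HMAC-SHA-256) because the PAN space is small enough that an
    unkeyed digest can be enumerated; the key is itself a cryptographic
    key to be protected under Req. 3.5/3.6."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    if len(key) < 32:
        raise ValueError("key must be at least 256 bits")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def reconstruction_candidates(pan_length: int) -> int:
    """Number of PANs consistent with one truncated value (first six + last
    four): the hidden digits are free except that the Luhn digit fixes one.
    For a 16-digit PAN that is only 100,000, which is what the 3.4 note
    means by 'relatively trivial' when a hash of the same PAN is also held."""
    hidden = pan_length - 10
    if hidden < 1:
        return 1
    return 10 ** (hidden - 1)


def correlation_violations(records):
    """3.4 note check. `records` are (record_id, form, value) rows gathered
    from the data stores, where record_id is the shared transaction id and
    form is 'hash', 'truncated' or 'token'. Returns the ids for which both a
    hashed and a truncated form of the PAN are retained."""
    forms = defaultdict(set)
    for record_id, form, _value in records:
        forms[record_id].add(form)
    return sorted(rid for rid, f in forms.items() if {"hash", "truncated"} <= f)
```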

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.

3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse. Note: This requirement applies to keys used to encrypt stored cardholder data, and also applies to key-encrypting keys used to protect data-encrypting keys; such key-encrypting keys must be at least as strong as the data-encrypting key.
Restrict access to cryptographic keys to the fewest number of custodians necessary.

3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:
- Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data-encrypting key
- Within a secure cryptographic device (such as a host security module (HSM) or PTS-approved point-of-interaction device)
- As at least two full-length key components or key shares, in accordance with an industry-accepted method
Note: It is not required that public keys be stored in one of these forms.
Store cryptographic keys in the fewest possible locations.

3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following. Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.

3.6.1 Generation of strong cryptographic keys.
Secure cryptographic key distribution.
Secure cryptographic key storage.
Cryptographic key changes for keys that have reached the end of their cryptoperiod (for example, after a defined period of time has passed and/or after a certain amount of cipher-text has been produced by a given key), as defined by the associated application vendor or key owner, and based on industry best practices and guidelines (for example, NIST Special Publication 800-57).

3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened (for example, departure of an employee with knowledge of a clear-text key component), or keys are suspected of being compromised. Note: If retired or replaced cryptographic keys need to be retained, these keys must be securely archived (for example, by using a key-encryption key). Archived cryptographic keys should only be used for decryption/verification purposes.
If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control. Note: Examples of manual key-management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.
Prevention of unauthorized substitution of cryptographic keys.

3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their key-custodian responsibilities.

3.7 Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
- Only trusted keys and certificates are accepted.
- The protocol in use only supports secure versions or configurations.
- The encryption strength is appropriate for the encryption methodology in use.
Examples of open, public networks include but are not limited to:
- The Internet
- Wireless technologies, including 802.11 and Bluetooth
- Cellular technologies, for example, Global System for Mobile communications (GSM), Code Division Multiple Access (CDMA)
- General Packet Radio Service (GPRS)
- Satellite communications.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission. Note: The use of WEP as a security control is prohibited.

4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.

5.2 Ensure that all anti-virus mechanisms are maintained as follows:
- Are kept current
- Perform periodic scans
- Generate audit logs which are retained per PCI DSS Requirement 10.7
Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period. Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release. Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.

6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
- In accordance with PCI DSS (for example, secure authentication and logging)
- Based on industry standards and/or best practices
- Incorporating information security throughout the software-development life cycle
Note: This applies to all software developed internally as well as bespoke or custom software developed by a third party.
Remove development, test and/or custom application accounts, user IDs, and passwords before applications become active or are released to customers.

6.3.2 Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following:
- Code changes are reviewed by individuals other than the originating code author, and by individuals knowledgeable about code-review techniques and secure coding practices.
- Code reviews ensure code is developed according to secure coding guidelines.
- Appropriate corrections are implemented prior to release.
- Code-review results are reviewed and approved by management prior to release.
Note: This requirement for code reviews applies to all custom code (both internal and public-facing), as part of the system development life cycle. Code reviews can be conducted by knowledgeable internal personnel or third parties. Public-facing web applications are also subject to additional controls, to address ongoing threats and vulnerabilities after implementation, as defined at PCI DSS Requirement 6.6.

6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:
- Separate development/test environments from production environments, and enforce the separation with access controls
- Separation of duties between development/test and production environments
- Production data (live PANs) are not used for testing or development
- Removal of test data and accounts before production systems become active

6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:
- Documentation of impact
- Documented change approval by authorized parties
- Functionality testing to verify that the change does not adversely impact the security of the system
- Back-out procedures.

6.5 Address common coding vulnerabilities in software-development processes as follows:
- Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
- Develop applications based on secure coding guidelines.
Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.
Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

6.5.2 Buffer overflows.
Insecure cryptographic storage.
Insecure communications.
Improper error handling.

6.5.6 All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
Cross-site scripting (XSS).
Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
Cross-site request forgery (CSRF).
Broken authentication and session management. Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
- Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
Define access needs for each role, including:
- System components and data resources that each role needs to access for their job function
- Level of privilege required (for example, user, administrator, etc.) for accessing resources
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
Assign access based on individual personnel's job classification and function.

7.1.4 Require documented approval by authorized parties specifying required privileges.

7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed. This access control system must include the following:
- Coverage of all system components
- Assignment of privileges to individuals based on job classification and function
- Default "deny-all" setting.

7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
Assign all users a unique ID before allowing them to access system components or cardholder data.

8.1.2 Control addition, deletion, and modification of user IDs, credentials, and other identifier objects.
Immediately revoke access for any terminated users.
Remove/disable inactive user accounts at least every 90 days.
Manage IDs used by vendors to access, support, or maintain system components via remote access as follows:
- Enabled only during the time period needed and disabled when not in use.
- Monitored when in use.
Limit repeated access attempts by locking out the user ID after not more than six attempts.
Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID.

8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
- Something you know, such as a password or passphrase
- Something you have, such as a token device or smart card
- Something you are, such as a biometric
Using strong cryptography, render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
Verify user identity before modifying any authentication credential, for example, performing password resets, provisioning new tokens, or generating new keys.

8.2.3 Passwords/phrases must meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
Change user passwords/passphrases at least every 90 days.
Do not allow an individual to submit a new password/phrase that is the same as any of the last four passwords/phrases he or she has used.
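The following is an added example, not code from the Akamai matrix or from PCI DSS, covering the Requirement 8 parameters quoted in the two passages above: lockout after not more than six failed attempts for at least 30 minutes (8.1.6, 8.1.7), re-authentication after 15 idle minutes (8.1.8), the seven-character alphanumeric rule (8.2.3) and the no-reuse-of-the-last-four rule (8.2.5). The event kinds, the decision labels, the PBKDF2 password hashing and the sample log are this example's own constructions.

```python
"""Replay a constructed authentication log against the PCI DSS 8.1.6-8.1.8
lockout and idle rules, and check candidate passwords against 8.2.3/8.2.5.
Added example; thresholds are the values quoted in the requirements."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 6              # 8.1.6: lock after not more than six
LOCKOUT = timedelta(minutes=30)      # 8.1.7: locked for at least 30 minutes
IDLE_LIMIT = timedelta(minutes=15)   # 8.1.8: re-authenticate after 15 idle minutes
MIN_LENGTH = 7                       # 8.2.3
HISTORY = 4                          # 8.2.5: none of the last four may be reused


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_activity: Optional[datetime] = None
    authenticated: bool = False


def process(state: AccountState, ts: datetime, kind: str) -> str:
    """Apply one event ('fail', 'success' or 'activity') and return the decision."""
    if state.locked_until is not None:
        if ts < state.locked_until:
            return "LOCKED"             # 8.1.7: attempts during the lockout are refused
        state.locked_until, state.failures = None, 0   # lockout expired
    if kind == "fail":
        state.failures += 1
        if state.failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = ts + LOCKOUT
            return "LOCK"               # 8.1.6: sixth failure locks the ID
        return "FAIL"
    if kind == "success":
        state.failures, state.authenticated, state.last_activity = 0, True, ts
        return "OK"
    if kind == "activity":
        if not state.authenticated or ts - state.last_activity > IDLE_LIMIT:
            state.authenticated = False
            return "REAUTH_REQUIRED"    # 8.1.8: idle too long, session must re-authenticate
        state.last_activity = ts
        return "ACTIVE"
    raise ValueError(f"unknown event kind {kind!r}")


def admin_unlock(state: AccountState) -> None:
    """8.1.7 alternative: an administrator re-enables the ID before 30 minutes."""
    state.locked_until, state.failures = None, 0


def replay(log_text: str) -> dict:
    """Parse '<iso-timestamp> <user> <kind>' lines; return {user: [decisions]}."""
    events = []
    for line in log_text.splitlines():
        ts, user, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, kind))
    events.sort(key=lambda e: e[0])           # stable: per-user order is kept
    states, decisions = {}, {}
    for ts, user, kind in events:
        state = states.setdefault(user, AccountState())
        decisions.setdefault(user, []).append(process(state, ts, kind))
    return decisions


def password_meets_8_2_3(password: str) -> bool:
    """At least seven characters with both numeric and alphabetic characters."""
    return (len(password) >= MIN_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


def hash_password(password: str, salt: bytes) -> bytes:
    """Stored credentials stay unreadable (8.2.1); PBKDF2 is this example's choice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def reuse_violates_8_2_5(new_password: str, previous_hashes: list, salt: bytes) -> bool:
    """previous_hashes is most-recent-first; only the last four are compared."""
    candidate = hash_password(new_password, salt)
    return any(hmac.compare_digest(candidate, h) for h in previous_hashes[:HISTORY])


# Constructed sample log: alice trips the lockout, bob stays within limits.
SAMPLE_LOG = """\
2015-03-01T09:00:00 alice fail
2015-03-01T09:00:05 alice fail
2015-03-01T09:00:10 alice fail
2015-03-01T09:00:15 alice fail
2015-03-01T09:00:20 alice fail
2015-03-01T09:00:25 alice fail
2015-03-01T09:00:30 alice success
2015-03-01T09:35:00 alice success
2015-03-01T09:40:00 alice activity
2015-03-01T10:00:00 alice activity
2015-03-01T09:00:00 bob success
2015-03-01T09:10:00 bob activity
"""

if __name__ == "__main__":
    for user, outcome in replay(SAMPLE_LOG).items():
        print(user, outcome)
```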

8.2.6 Set passwords/phrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.

8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance). Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication. Examples of two-factor technologies include remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; and other technologies that facilitate two-factor authentication.

8.4 Document and communicate authentication procedures and policies to all users including:
- Guidance on selecting strong authentication credentials
- Guidance for how users should protect their authentication credentials
- Instructions not to reuse previously used passwords
- Instructions to change passwords if there is any suspicion the password could be compromised.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
- Generic user IDs are disabled or removed.
- Shared user IDs do not exist for system administration and other critical functions.
- Shared and generic user IDs are not used to administer any system components.

8.5.1 Additional requirement for service providers: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer. Note: This requirement is not intended to apply to shared hosting providers accessing their own hosting environment, where multiple customer environments are hosted. Note: Requirement 8.5.1 is a best practice until June 30, 2015, after which it becomes a requirement.

8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:
- Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
- Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
- All user access to, user queries of, and user actions on databases are through programmatic methods.
- Only database administrators have the ability to directly access or query databases.
- Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
Use video cameras and/or access control mechanisms to monitor individual physical access to sensitive areas. Review collected data and correlate with other entries. Store for at least three months, unless otherwise restricted by law. Note: "Sensitive areas" refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.

9.1.2 Implement physical and/or logical controls to restrict access to publicly accessible network jacks. For example, network jacks located in public areas and areas accessible to visitors could be disabled and only enabled when network access is explicitly authorized. Alternatively, processes could be implemented to ensure that visitors are escorted at all times in areas with active network jacks.
Restrict physical access to wireless access points, gateways, handheld devices, networking/communications hardware, and telecommunication lines.

9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
- Identifying new onsite personnel or visitors (for example, assigning badges)
- Changes to access requirements
- Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).

9.3 Control physical access for onsite personnel to the sensitive areas as follows:
- Access must be authorized and based on individual job function.
- Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

9.4.x Implement procedures to identify and authorize visitors. Procedures should include the following:
- Visitors are authorized before entering, and escorted at all times within, areas where cardholder data is processed or maintained.
- Visitors are identified and given a badge or other identification that expires and that visibly distinguishes the visitors from onsite personnel.
- Visitors are asked to surrender the badge or identification before leaving the facility or at the date of expiration.

9.4.4 A visitor log is used to maintain a physical audit trail of visitor activity to the facility as well as computer rooms and data centers where cardholder data is stored or transmitted. Document the visitor's name, the firm represented, and the onsite personnel authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

9.5 Physically secure all media.
Store media backups in a secure location, preferably an off-site facility, such as an alternate or backup site, or a commercial storage facility. Review the location's security at least annually.

9.6 Maintain strict control over the internal or external distribution of any kind of media, including the following:
- Classify media so the sensitivity of the data can be determined.
- Send the media by secured courier or other delivery method that can be accurately tracked.
- Ensure management approves any and all media that is moved from a secured area (including when media is distributed to individuals).

9.7 Maintain strict control over the storage and accessibility of media.
Properly maintain inventory logs of all media and conduct media inventories at least annually.

9.8 Destroy media when it is no longer needed for business or legal reasons as follows:
- Shred, incinerate, or pulp hard-copy materials so that cardholder data cannot be reconstructed.
- Secure storage containers used for materials that are to be destroyed.
- Render cardholder data on electronic media unrecoverable so that cardholder data cannot be reconstructed.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution. Note: These requirements apply to card-reading devices used in card-present transactions (that is, card swipe or dip) at the point of sale. This requirement is not intended to apply to manual key-entry components such as computer keyboards and POS keypads. Note: Requirement 9.9 is a best practice until June 30, 2015, after which it becomes a requirement.


More information

General Standards for Payment Card Environments at Miami University

General Standards for Payment Card Environments at Miami University General Standards for Payment Card Environments at Miami University 1. Install and maintain a firewall configuration to protect cardholder data and its environment Cardholder databases, applications, servers,

More information

Catapult PCI Compliance

Catapult PCI Compliance Catapult PCI Compliance Table of Contents Catapult PCI Compliance...1 Table of Contents...1 Overview Catapult (PCI)...2 Support and Contact Information...2 Dealer Support...2 End User Support...2 Catapult

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

The Prioritized Approach to Pursue PCI DSS Compliance

The Prioritized Approach to Pursue PCI DSS Compliance PCI DSS PCI Prioritized DSS Approach for for PCI DSS.0 The Prioritized Approach to Pursue PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) provides a detailed, 1 requirements

More information

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP

PCI Compliance. What is New in Payment Card Industry Compliance Standards. October 2015. cliftonlarsonallen.com. 2015 CliftonLarsonAllen LLP cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing for Sage MAS 90 and 200 ERP Credit Card Processing Version 4.30.0.18 and 4.40.0.1 - January 28, 2010 Sage, the Sage logos and the Sage product and service names mentioned herein are registered trademarks

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish firewall and router configuration standards that include the following: 1.1.1 A formal process for

More information

PCI DSS Requirements - Security Controls and Processes

PCI DSS Requirements - Security Controls and Processes 1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data

More information

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters

www.xceedium.com 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2: Do not use vendor-supplied defaults for system passwords and other security parameters 2.1: Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE

UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE UNDERSTANDING PCI 3.0 AND HOW TO REDUCE YOUR SCOPE April 30 th, 2014 Sean Mathena CISSP, CISA, QSA Trustwave Managing Consultant WELCOME AND AGENDA PCI-DSS 3.0 Review the high-level areas that have changed

More information

So you want to take Credit Cards!

So you want to take Credit Cards! So you want to take Credit Cards! Payment Card Industry - Data Security Standard: (PCI-DSS) Doug Cox GSEC, CPTE, PCI/ISA, MBA dcox@umich.edu Data Security Analyst University of Michigan PCI in Higher Ed

More information

PCI 3.0 and Managed Security:

PCI 3.0 and Managed Security: PCI 3.0 and Managed Security: How Network Box can help you with PCI compliance COPYRIGHT 2013 NETWORK BOX USA, INC. 1 COPYRIGHT 2013 NETWORK BOX USA, INC. 2825 WILCREST DRIVE, SUITE 259 HOUSTON, TX 77042

More information

BRAND-NAME is What COUNTS!!!

BRAND-NAME is What COUNTS!!! BRAND-NAME is What COUNTS!!! USE PCI-DSS and make a name for your business Amit Jain Lead Solution Architect Aug 2015 Who We Are WHO WE ARE Company facts and figures ESTABLISHED TRUSTED 1995 BY MORE THAN

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Policy Pack Cross Reference to PCI DSS Version 3.1

Policy Pack Cross Reference to PCI DSS Version 3.1 Policy Pack Cross Reference to PCI DSS Version 3.1 Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish and implement firewall and router configuration

More information

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM

PCI Compliance. PCI DSS v3.1. Dan Lobb CRISC. Lisa Gable CISM PCI Compliance PCI DSS v3.1 Dan Lobb CRISC Lisa Gable CISM Dan Lobb, CRISC o Introduction Dan has an MIS degree from the University of Central Florida. He began his career at Accenture and for the past

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Merchants with Payment Application Systems Connected to the Internet No Electronic Cardholder

More information

New PCI Standards Enhance Security of Cardholder Data

New PCI Standards Enhance Security of Cardholder Data December 2013 New PCI Standards Enhance Security of Cardholder Data By Angela K. Hipsher, CISA, QSA, Jeff A. Palgon, CPA, CISSP, QSA, and Craig D. Sullivan, CPA, CISA, QSA Payment cards a favorite target

More information

Clark University's PCI Compliance Policy

Clark University's PCI Compliance Policy ï» Clark University's PCI Compliance Policy Who Should Read this Policy: All persons who have access to credit card information, including: Every employee that accesses handles or maintains credit card

More information

PCI DSS Compliance Guide

PCI DSS Compliance Guide PCI DSS Compliance Guide 2009 Rapid7 PCI DSS Compliance Guide What is the PCI DSS? Negative media coverage, a loss of customer confidence, and the resulting loss in sales can cripple a business. As a result,

More information

PCI & the Contact Centre The Acquirer Perspective

PCI & the Contact Centre The Acquirer Perspective PCI & the Contact Centre The Acquirer Perspective 17 September2014 Michael Christodoulides Personal Introduction Telephony Contact Centres are integral to the security of the payment card industry ecosystem.

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 1: Install and maintain a firewall configuration to protect cardholder data Mapping PCI DSS 3.0 to Instant PCI Policy Below are the requirements from the PCI Data Security Standard, version 3.0. Each requirement is followed by a bullet point that tells exactly where that requirement

More information

ISO 27001 PCI DSS 2.0 Title Number Requirement

ISO 27001 PCI DSS 2.0 Title Number Requirement ISO 27001 PCI DSS 2.0 Title Number Requirement 4 Information security management system 4.1 General requirements 4.2 Establishing and managing the ISMS 4.2.1 Establish the ISMS 4.2.1.a 4.2.1.b 4.2.1.b.1

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard

PCI Overview. PCI-DSS: Payment Card Industry Data Security Standard PCI-DSS: Payment Card Industry Data Security Standard Why is this important? Cardholder data and personally identifying information are easy money That we work with this information makes us a target That

More information

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E

PCI DSS 3.0 Changes & Challenges P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges EVAN FRANCEN, CISSP CISM P R E S I D E N T/ C O - F O U N D E R F R S EC U R E PCI DSS 3.0 Changes & Challenges Topics FRSecure, the company Introduction to PCI-DSS Recent

More information

PCI DSS 3.2 PRIORITIZED CHECKLIST

PCI DSS 3.2 PRIORITIZED CHECKLIST CONFIDENCE: SECURED BUSINESS INTELLIGENCE CHECKLIST PCI DSS 3.2 PRIORITIZED CHECKLIST uuwhereas Qualified Security Assessors (QSAs) found PCI DSS 3.0 compliance audits challenging on many fronts, those

More information

North Carolina Office of the State Controller Technology Meeting

North Carolina Office of the State Controller Technology Meeting PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

Qualified Integrators and Resellers (QIR) Implementation Statement

Qualified Integrators and Resellers (QIR) Implementation Statement Qualified Integrators and Resellers (QIR) Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the validated payment application

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A-EP and Attestation of Compliance Partially Outsourced E-commerce Merchants Using a Third-Party Website for Payment Processing

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GmbH Vordergasse 59 CH-Schaffhausen Switzerland Phone: +41-526320-411 Fax: +41-52672-2010 Copyright 1999-2011

More information

Mobile Payment Security

Mobile Payment Security Mobile Payment Security Gill Woodcock 2014 About the PCI Council Founded in 2006 - Guiding open standards for payment card security Development Management Education Awareness PCI Security Standards Suite

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the

More information

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation

Administrative Improvements. Administrative Improvements. Scoping Guidance. Clarifications for Segmentation The PCI DSS Lifecycle 1 The PCI DSS follows a three-year lifecycle PCI DSS 3.0 will be released in November 2013 Optional (but recommended) in 2014; Required in 2015 PCI SSC Community Meeting Update: PCI

More information

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS)

A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

PCI and PA DSS Compliance Assurance with LogRhythm

PCI and PA DSS Compliance Assurance with LogRhythm WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security

More information

PCI DSS impacts to your company

PCI DSS impacts to your company PCI DSS impacts to your company If an organization is involved in the storage, processing or transmission of cardholder data, then it is subject to the requirements of PCI DSS (Payment Card Industry Data

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA

PC-DSS Compliance Strategies. 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

paypoint implementation guide

paypoint implementation guide paypoint implementation guide PCI PA-DSS Implementation guide 1. Introduction This PA-DSS Implementation Guide contains information for proper use of the paypoint application. Point Transaction Systems

More information

Safe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015

Safe and Sound Processing Telephone Payments Securely. A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Safe and Sound Processing Telephone Payments Securely A white paper from Barclaycard and Visa Europe leading the way in secure payments April 2015 Executive summary The following information and guidance

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

CONTENTS. PCI DSS Compliance Guide

CONTENTS. PCI DSS Compliance Guide CONTENTS PCI DSS COMPLIANCE FOR YOUR WEBSITE BUILD AND MAINTAIN A SECURE NETWORK AND SYSTEMS Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not

More information

VMware Product Applicability Guide for. Payment Card Industry Data Security Standard

VMware Product Applicability Guide for. Payment Card Industry Data Security Standard VMware Product Applicability Guide for Payment Card Industry Data Security Standard (PCI DSS) version 3.0 February 2014 V3.0 DESIGN DO CU MENT Table of Contents EXECUTIVE SUMMARY... 4 INTRODUCTION... 5

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Office of the State Treasurer Ryan Pitroff Banking Services Manager Ryan.Pitroff@tre.wa.gov PCI-DSS A common set of industry tools and measurements to help

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC MANAGE SECURITY AT THE SPEED OF BUSINESS AlgoSec Whitepaper Simplifying PCI-DSS Audits and Ensuring Continuous Compliance with AlgoSec

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission

More information

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems

Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems Detailed Analysis Achieving PCI Compliance with SkyView Partners Products for Open Systems The Payment Card Industry has a published set of Data Security Standards to which organization s accepting and

More information

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data PCI Training for Retail Jamboree Staff Volunteers Securing Cardholder Data Securing Cardholder Data Introduction This PowerPoint presentation is designed to educate Retail Jamboree Staff volunteers on

More information

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard

Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard Conformance of Avaya Aura Workforce Optimization Quality Monitoring Recording Solution with the PCI Data Security Standard August 2014 Table of Contents Introduction... 1 PCI Data Security Standard...

More information

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage

More information

PCI Compliance Training

PCI Compliance Training PCI Compliance Training 1 PCI Training Topics Applicable PCI Standards Compliance Requirements Compliance of Unitec products Requirements for compliant installation and use of products 2 PCI Standards

More information

Introduction to PCI DSS

Introduction to PCI DSS Month-Year Introduction to PCI DSS March 2015 Agenda PCI DSS History What is PCI DSS? / PCI DSS Requirements What is Cardholder Data? What does PCI DSS apply to? Payment Ecosystem How is PCI DSS Enforced?

More information

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase PCI DSS Overview By Kishor Vaswani CEO, ControlCase Agenda About PCI DSS PCI DSS Applicability to Banks, Merchants and Service Providers PCI DSS Technical Requirements Overview of PCI DSS 3.0 Changes Key

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

Payment Card Industry Data Security Standard Explained

Payment Card Industry Data Security Standard Explained Payment Card Industry Data Security Standard Explained Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS in More Detail Discussion, Questions and Clarifications Overview of PCI-DSS

More information

INFORMATION TECHNOLOGY FLASH REPORT

INFORMATION TECHNOLOGY FLASH REPORT INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release

More information

Achieving PCI Compliance for Your Site in Acquia Cloud

Achieving PCI Compliance for Your Site in Acquia Cloud Achieving PCI Compliance for Your Site in Acquia Cloud Introduction PCI Compliance applies to any organization that stores, transmits, or transacts credit card data. PCI Compliance is important; failure

More information

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010 Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010 atsec information security, 2010 About This Presentation About PCI assessment

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

How To Protect Visa Account Information

How To Protect Visa Account Information Account Information Security Merchant Guide At Visa, protecting our cardholders is at the core of everything we do. One of the many reasons people trust our brand is that we make buying and selling safer

More information

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1

PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 PCI DSS Quick Reference Guide Understanding the Payment Card Industry Data Security Standard version 3.1 For merchants and other entities involved in payment card processing Contents PCI DSS Quick Reference

More information

PCI Compliance Considerations

PCI Compliance Considerations PCI Compliance Considerations This article outlines implementation considerations when deploying the Barracuda Load Balancer ADC in an environment subject to PCI Data Security Standard (PCI DSS) compliance.

More information

Remediation, a Key Approach to Reducing Scope

Remediation, a Key Approach to Reducing Scope Remediation, a Key Approach to Reducing Scope Keeping it as simple as possible to minimize cost and complexity. Dennis Self, CISSP Director, IT Security & Compliance Samford University Truth is not democratic.

More information

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS The PCI Security Standards Council http://www.pcisecuritystandards.org The OWASP Foundation http://www.owasp.org Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS Omar F. Khandaker,

More information

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.0 DRAFT November 2013 Document Changes Date Version Description Pages October 2008 1.2 July

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information