1 Top 10 PCI Concerns Jeff Tucker Sr. Security Consultant, Foundstone Professional Services
2 About Jeff Tucker QSA since Spring of 2007, Lead for the Foundstone s PCI Services Security consulting and project management for national and international firms. Engagement experience includes: Development of security mgt. programs, policies and procedures. Risk and compliance assessments Remediation planning for global corporations. Technical engagements include: Vulnerability assessments Penetration, application and database security testing.
3 Top Ten PCI Concerns 1. Scope Management 2. Auditing and Logging 3. Understanding Compensating Controls 4. Virtualization 5. Proof of Compliance 6. Stored Cardholder Data 7. Developing Secure Software 8. Compliance Validation 9. Outsourcing 10.Incident Response
4 Payment Card Industry Introduction to PCI
5 An Introduction to the PCI Council The PCI Council was formed in 2006 to safeguard customer information. Members include: American Express Discover Financial Services JCB International MasterCard Worldwide Visa International
6 An Open Global Forum Rules of Participation: Pay annual dues For additional information, link to the following URL: anization_rules.pdf How to join: Application URL address: ship_application.shtml
7 Secure Card Data (Account Data)? Card Data includes: 1. Cardholder Data. 2. Sensitive Authentication Data.
8 What is Card Data (Account Data)? Card Data includes: 1. Cardholder Data. 2. Sensitive Authentication Data. Cardholder Data Sensitive Authentication Data Credit Card Number AKA (PAN) Primary Account Number Full magnetic stripe data or equivalent on a chip Cardholder Name CAV2/CVC2/CVV2/CID Expiration Date PINs/PIN blocks Service Code
9 10 Top Ten PCI Concerns
10 1 - Scope Management Managing scope facilitates compliance and reduces risks and costs
11 Scope Management Key Issues & Impact Under-scoping PCI scope environment is not accurately defined: Systems left out of scope do not process cardholder data, BUT connected to card-processing environment. This is common with Level 2, 3 & 4 merchants. Easily identified when independently audited by card companies. Organizations have not effectively segmented their PCI or card data systems.
12 Scope Management Recommendations Understand your enterprise architecture. Education ensure security design. authorities understand the impact of PCI and any changes to PCI requirements. Isolate card-processing environments: At network layer. At application layer. At process layer.
13 PCI Scope Criteria The Cardholder Data Environment (CDE) is comprised of people, processes and technology that store, process, transmit or handle card data.
14 PCI Scope Criteria The Cardholder Data Environment (CDE) is comprised of people, processes and technology that store, process, transmit or handle card data. Systems that can make (initiate) an IP connection to the CDE, even though they may not have access to card data or have administrative access to system components.
15 PCI Scope Criteria The Cardholder Data Environment (CDE) is comprised of people, processes and technology that store, process, transmit or handle card data. Systems that can make (initiate) an IP connection to the CDE, even though they may not have access to card data or have administrative access to system components. Groups of people that have access to card data or administrative access to system components.
16 PCI Scope Criteria The Cardholder Data Environment (CDE) is comprised of people, processes and technology that store, process, transmit or handle card data. Systems that can make (initiate) an IP connection to the CDE, but do not have access to card data or have administrative access to system components. Groups of people that have access to card data or administrative access to system components. Processes that involve the handling of card data.
17 PCI Scope Criteria The Cardholder Data Environment (CDE) is comprised of people, processes and technology that store, process, transmit or handle card data. Systems that can make (initiate) an IP connection to the CDE, but do not have access to card data or have administrative access to system components. Groups of people that have access to card data or administrative access to system components. Processes that involve the handling of card data.
18 PCI Scope Criteria
19 Scope Management Inventory & Scoping: Is cardholder data stored, processed, or transmitted? Where is the cardholder data stored? What systems process or transmit cardholder data? System Info Application: compete this section or the database section below Application Name Batch or Realtime Developed by (internal, off the shelf, outsourced) URL Database: compete this section or the application section above SQL, Oracal, MySQL, etc Encryption System (PGP, host, system, None) Encrypted fields, columns, entire database, whole disk encryption Authentication with Active Directory, LDAP, or Internal non-system credentials Host Info Host Name OS (Windows/Linux/Main Frame, etc) IP Address Physical Location (Building name) Address City, State, Zip Third Party Facility? (If yes, please provide name)
20 2 - Auditing and Logging Central Event Correlation
21 Auditing and Logging Key Issues & Impact Auditing and logging are conducted as an Ad-Hoc solution. Lack of centralized and/or enterprise framework. Smaller organizations heavily dependent on manual review of log data. Logs are not adequately reviewed. Organization that have a great log management system, fail to establish adequate logging parameters. Only log successful system logon events.
22 Auditing and Logging - Recommendations System administrator should have a strong understanding of PCI-DSS requirements to ensure they have configured system correctly. Establish a formal process for auditing and log management (i.e., a framework). Establish central log management system: Effectively segmented from rest of the network. Establish separation of duties. Sys Admins should not manage the central log management system. Automate log review process with central event correlation systems: Auto log parsing. Auto report generation. Alerting function using multiple channels. , Pager, or Text to cell phone.
23 3 - Understanding Compensating Controls When required controls cannot be deployed, counter measures can be used
24 Compensating Controls Key Issues & Impact Limited knowledge of the purpose and the requirements of compensating controls. Belief that the implementation of a compensating control removes the requirements from future assessments. Formal risk analysis not performed: Controls selected based on convenience, rather than security. Easily identified when independently audited by card companies.
25 Compensating Controls - Recommendations Work closely with your acquirer and QSA to validate your compensating controls (CCs). Some QSA Companies have a more mature process. Some reject all CCs. Some realize that they are a vital component for compliance. Once compensating controls are accepted, implement a plan to meet the original requirement. Or CCs will need annual validation. Perform a formal risk assessment. Based on industry standards such as NIST , OCTAVE, ISO Select compensating controls based on risk assessment.
26 4 - Virtualization
27 Virtualization Key Issues & Impact Virtualization and Segmentation A hypervisor in an environment. A hypervisor hosting any PCI systems is a PCI environment. All systems in a PCI Environment are in scope. Security and Virtualization Many administrators do not configure the hypervisor securely. Access rights are Over-Assigned on Hypervisors Virtual Machines (VMs) typically do not follow the same change management processes VMs are easy to copy and install Large increase in "Rogue" installations.
28 Virtualization Recommendations Understand the security architecture of the products you are using. For PCI systems, use a dedicated hardware server. Ensure all systems (including VMs) are hardened to a high security level standard. Increase VM security training. Ensure that planning has included the whole team; including the network, security, and storage teams. Ensure security assessments on all servers (including VMs) are conducted periodically. Monitor for "Rogue" VMs on Desktops and Laptops.
29 5 - Proof of Compliance Generate reports on compliance activities
30 Proof of Compliance Key Issues & Impacts Lack of documentation: Policies & Procedures (SOP) Security Operating Procedures. Reports documenting required activities Code review documentation/report. Firewall review report. Third-Party compliance reports Limited Human Resources: Staff to create and maintain documentation. Costs associated with human resources. Limited tools for generating compliance information: Automated tools to investigate potential policy violations.
31 Proof of Compliance Recommendations Create processes and procedures to include and maintain documentation: Firewall rule set reviews. Risk assessments. Change management (record the process). Security control testing. Utilize native features: HIPS and file integrity products. Firewalls, IDS/IPS systems. Budget for increased work requirements.
32 6 - Stored Cardholder Data Protect stored cardholder data
33 Stored Cardholder Data Key Issues & Impact More data collected than required. Data is retained too long. Encrypted data is in-scope unless keys are isolated. papers/foundstone/wp-key-isolation.pdf Sensitive authentication data (i.e., magnetic strip data) is collected and stored. Data has leaked into other systems. Data encryption is not fully implemented for files and databases containing card account numbers. Temporary files lack encryption. Dump files are not purged, Encryption requires the establishment of a key management program compliant with 3.5 and 3.6.
34 Stored Cardholder Data Recommendations Ensure your organization maintains and implements a Card Data retention policy that limits data retention. Use strong cryptography: Example AES with at least a 128 bit key. See NIST Special Publication parts 1-3, March, Ensure all application are encrypting temporary and/or spooled data files. Process to purge temporary files (debug files). Protect the data encryption keys by encrypting them with key encryption keys. Implement all requirements in 3.5 and 3.6. Use mainstream encryption systems with associated key management.
35 7 - Develop Secure Software Develop and maintain secure systems and applications
36 Developing Secure Software Key Issues & Impact Security is not integrated into the Software Development Lifecycle (SDLC) program. Out of the box SLDCs such as Agile are built for speed. Development staff lack security knowledge and are not aware of the security vulnerabilities and impact of exploits. Lack of testing tools and/or the knowledge to use these tools. Testing is limited to functional and business requirement testing.
37 Developing Secure Software Recommendations Incorporate information security throughout the SDLC: Secure Coding standards and education. Implement a risk assessment and threat modeling strategy. Develop software applications based on industry best practices such as OWASP: Develop and test software in an environment that is separate from production (restricted access to production). Use access controls to enforce the separation. Code reviews must be documented (app, list revisions, issues/corrections, reviewer and developer names, etc.). Test for security issues (can be automated). Testers must not be part of development team. Implement a post test clean up process to remove test accounts and test data.
38 8 Compliance Validation Requirements
39 Compliance Validation Key Issues & Impact Organizations do not know what level of compliance their organization is at. Most 2-4 level organizations do not understand the PCI DSS requirements, producing an inaccurate Self-Assessment survey. Many 3-4 level organizations do not understand that they must comply with all applicable PCI DSS requirements regardless of level.
40 MasterCard Compliance Validation
41 9 - Outsourcing Reducing the Risk
42 Outsourcing Key Issues & impact A Service Provider is a business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data. This also includes companies that provide services that control or could affect the security of cardholder data. Managed service providers that provide managed firewalls, IDS and other security services as well as hosting providers and other entities. Contracts with service providers DO NOT specifically include PCI-DSS compliance as a condition of business. Believe that once a cardholder data task has been outsourced, the PCI requirement has been relieved. Members, merchants, and service providers must ensure that service provider handling cardholder data on their behalf are PCI-DSS compliant.
43 Outsourcing Recommendations Maintain and implement policies and procedures to manage service providers. Ensure there is an established process for engaging service providers including proper due diligence prior to engagement. Maintain a list of service providers. Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of: Cardholder data the service providers possess. System components that the service provider manages. That services provided will be compliant with the PCI DSS. Maintain a program to monitor service providers PCI compliance status at least annually.
44 10 Incident Response Plan Policy Plan - Procedures
45 Incident Response Requirements Roles, responsibilities, and communication strategies in the event of a compromise including notification of the payment brands. Specific incident response procedures. Business recovery and continuity procedures. Data back-up processes. Analysis of legal requirements for reporting compromises (for example, California Bill 1386 which requires notification of affected consumers in the event of an actual or suspected compromise for any business with California residents in their database). Coverage and responses for all critical system components. Reference or inclusion of incident response procedures from the payment brands.
46 Incident Response Recommendations Maintain and implement policy, plan and procedures. Assign program responsibilities to a Director level position. Create a CIRT and assign responsibility to a Manager. Create a triage team consisting of frontline administrators. Establish triage, reporting and escalation procedures. Provide training. Incorporate system and network monitoring into CIRT notification. Notify CIRT of unauthorized wireless access point detection. Contract with experts. Control external communications.
47 Top Ten PCI Concerns 1. Scope Management 2. Auditing and Logging 3. Understanding Compensating Controls 4. Virtualization 5. Proof of Compliance 6. Stored Cardholder Data 7. Developing Secure Software 8. Compliance Validation 9. Outsourcing 10.Incident Response
What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage
Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect
Puzzled about PCI compliance? Proactive ways to navigate through the standard for compliance March 29, 2012 1:00 p.m. ET If you experience any technical difficulties, please contact 888.228.0988 or email@example.com
Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure
ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance
cliftonlarsonallen.com PCI Compliance What is New in Payment Card Industry Compliance Standards October 2015 Overview PCI DSS In the beginning Each major card brand had its own separate criteria for implementing
Payment Cardholder Data Handling Procedures (required to accept any credit card payments) Introduction: The Procedures that follow will allow the University to be in compliance with the Payment Card Industry
What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International
2015 CliftonLarsonAllen LLP PCI Compliance How to Meet Payment Card Industry Compliance Standards May 2015 cliftonlarsonallen.com Overview PCI DSS In the beginning Each major card brand had its own separate
January 31, 2014 11:30am 12:30pm Central Hosted by: Texas.gov Presented by: Jayne Holland Barbara Brinson Payment Card Industry Compliance Overview Securing Government Payments Audio Dial In: 866-740-1260
A PCI Journey with Wichita State University Blaine Linehan System Software Analyst III Financial Operations & Business Technology Division of Administration & Finance 1 Question #1 How many of you know
Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These
PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics About Us Matt Halbleib CISSP, QSA, PA-QSA Manager PCI-DSS assessments With SecurityMetrics for 6+ years SecurityMetrics Security
Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed
A division of Sikich LLP Four Keys to Preparing for a PCI DSS 3.0 Assessment Jeff Tucker, QSA firstname.lastname@example.org September 16, 2014 NEbraskaCERT Cyber Security Forum About 403 Labs 403 Labs, a division
CyberSource Payment Security Compliance The PCI Security Standards Council has published guidelines on tokenization, providing all merchants who store, process, or transmit cardholder data with guidance
solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Chief Financial
PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor email@example.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions
Page 2 of 7 POLICY TITLE Section Subsection Responsible Office PCI DSS Compliance Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Administration
Technical breakout session Small leaks sink great ships Managing data security, fraud and privacy risks Tarlok Birdi, Deloitte Ron Borsholm, WTS May 27, 2009 Agenda 1. PCI overview: the technical intent
Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements
What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers
PCI DSS Payment Card Industry Data Security Standard www.tuv.com/id What Is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is the common security standard of all major credit cards brands.the
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 2.0 October 2010 Document Changes Date Version Description October 1, 2008 1.2 October
Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data
PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply
PC-DSS Compliance Strategies 2011 NDUS CIO Retreat July 27, 2011 Theresa Semmens, CISA True or False Now that my institution has outsourced credit card processing, I don t have to worry about compliance?
PCI DSS Security Awareness Training North Carolina Office of the State Controller Technology Meeting April 30, 2014 agio.com A Note on Our New Name Secure Enterprise Computing was acquired as the Security
Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology
Network Segmentation The clues to switch a PCI DSS compliance s nightmare into an easy path Although best security practices should be implemented in all systems of an organization, whether critical or
Retour d'expérience PCI DSS Frédéric Charpentier OSSIR : Retour d'expérience PCI DSS - 1 XMCO PARTNERS : Who are we? Xmco Partners is a consulting company specialized in IT security and advisory Xmco Partners
Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges
Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)
Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements
PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements
1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities
CardControl 3.0 Credit Card Processing Overview Overview Credit card processing is a very complex and important system for anyone that sells goods. This guide will hopefully help educate and inform new
Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission
Any physical access to devices or data held in an Melbourne datacentre that houses a customer s cardholder data must be controlled and restricted only to approved individuals. PCI DSS Requirements Version
SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application
TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No. 08-01 MERCHANT DEBIT AND CREDIT CARD RECEIPTS 1. Introduction Debit and Credit Card Receipt Standards apply to the administration
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard
WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,
PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard
Page 1 of 7 Proposed Policy Number and Title: 457 PCI DSS Compliance Existing Policy Number and Title: Not applicable Approval Process* X Regular Temporary Emergency Expedited X New New New Revision Revision
- Cloud based SaaS Single repository for regulations and standards Centralized repository for compliance related organizational data Electronic workflow to speed up communications between various entries
Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it
Closing Wireless Loopholes for PCI Compliance and Security Personal information is under attack by hackers, and credit card information is among the most valuable. While enterprises have had years to develop
Are You Ready For PCI v 3.0 Speaker: Corbin DelCarlo Institution: McGladrey LLP Date: October 6, 2014 Today s Presenter Corbin Del Carlo QSA, PA QSA Director, National Leader PCI Services Practice 847.413.6319
PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy
PCI DSS 3.0 Overview OSU Business Affairs Business Affairs PIT Crew - Project, Improvement, & Technology Robin Whitlock 01/16/2015 Purpose of Today s Presentation To provide an overview of PCI 3.0 based
Data Security Initiatives The Layered Approach Melissa Perisce Regional Director, Global Services, South Asia April 25, 2010 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09 Intel Case Study Asia North
Effective Date: August 2008 Approval: December 17, 2015 PCI General Policy Maintenance of Policy: Office of Student Accounts PURPOSE: To protect against the exposure and possible theft of account and personal
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 3.2 May 2016 Document Changes Date Version Description October 1, 2008 1.2 October 28,
Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review Prepared for: Coalfire Systems, Inc. March 2, 2012 Table of Contents EXECUTIVE SUMMARY... 3 DETAILED PROJECT OVERVIEW...
SAQ D Compliance Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP Ground Rules WARNING: Potential Death by PowerPoint Interaction Get clarification Share your institution s questions, challenges,
White Paper Guide to PCI Application Security Compliance for Merchants and Service Providers Contents Overview... 3 I. The PCI DSS Requirements... 3 II. Compliance and Validation Requirements... 4 III.
P07 - Third Parties Policy Document Reference P07 - Third Parties Policy Date 8th October 2014 Document Status Final Version 3.0 Revision History 1.0 9 November 2009: Initial release. 1.1 17 November 2009:
WHITE PAPER You Can Survive a PCI-DSS Assessment A QSA Primer on Best Practices for Overcoming Challenges and Achieving Compliance The Payment Card Industry Data Security Standard or PCI-DSS ensures the
CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA
Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008 Matthew T. Davis SecureState, LLC firstname.lastname@example.org SecureState Founded in 2001, Based on Cleveland Specialized
Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle
White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption
A MERCHANTS GUIDE TO THE PAYMENT APPLICATION DATA SECURITY STANDARD (PA-DSS) The mandatory guide for storing, processing or transmitting cardholder information Overview and applicability Any application
Appendix 1 Payment Card Industry Data Security Standards Program PCI security standards are technical and operational requirements set by the Payment Card Industry Security Standards Council to protect
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other SAQ-Eligible Merchants and Service Providers Version 2.0 October 2010 Document
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
BROWN UNIVERSITY University Policy Accepting and Handling Payment Cards to Conduct University Business Table of Contents Purpose... 2 Scope... 2 Authorization... 2 Establishing a new account... 2 Policy
Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines