Unified Security Anywhere PCI COMPLIANCE PCI COMPLIANCE WE CAN HELP MAKE IT HAPPEN

COMPLIANCE MATTERS.

The PCI Data Security Standard (DSS) was developed by the founding payment brands of the PCI Security Standards Council (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) to help facilitate the broad adoption of consistent data security measures on a global basis. Its primary goal is to provide a standard by which the Payment Card Industry can self-regulate. In addition, a number of initiatives are currently underway from state legislatures and federal regulators to increase the penalties for non-compliant organizations. More so now than ever before, compliance matters.

Rethinking PCI Compliance

PCI DSS is a multi-faceted security standard that includes specific requirements for security management, policies, procedures, network architecture, software design, training and other critical, protective measures. Coupled with Premium PCI Managed Services, Masergy's Unified Enterprise Security (UES) systems take a holistic approach to helping customers achieve and maintain PCI compliance, seamlessly integrating process, technology, service and reporting. Key technology elements center around and complement Masergy's patented adaptive behavioral analysis and correlation engine, like a complex credit card fraud detection system on steroids. The technology enables the discovery and tracking of odd behaviors over time (the kind of activity that eventually makes newspaper headlines), providing you with the opportunity to take preemptive action.

(Diagram: PCI Compliance as a Continuous Process, Synergistic Approach, with four quadrants.)
> Process: Policy, Procedure, Assessment, Gap Analysis, Remediation, Vulnerability Scans, Perimeter Scans, PCI Consulting Services
> Reporting: Compliance Discovery, Security Alerts, Stealth Attacks, Prioritized Threats, Policy Violations, Access Violations, Audit Trails
> Service: 24/7 Monitoring, Firewall Mgmt & Monitoring, Log File Mgmt & Monitoring, Quarterly Vulnerability Scans, Quarterly Perimeter Scans, Annual Audit, Consulting
> Technology: IDS / IPS, UTM, NBA, AV, AS, CF, Firewalls, Threat Management, Log Management, SIEM. Passive Technology: No Network Latency, No Network Changes. Unified: Administration, 24/7 Monitoring, Reporting

Make Life Easier. Partner with Masergy, A Certified PCI Vendor.

What does all this mean to your organization? The alleviation of business risk (along with demonstrating the expected due care related to storage, processing, and transmission of critical cardholder data as defined by the PCI DSS) is complex and resource-dependent. At Masergy, we understand that compliance depends on a number of critical factors. From auditing to technology, process, and policy, Masergy understands that each organization has different requirements depending on where they currently stand on the compliance path. That's why we approach the challenge of compliance in a holistic fashion, tailoring our services to your organization's current needs and specific requirements. You can be confident that Masergy, one of the few PCI-certified companies, can provide the partnership required to help you efficiently achieve and maintain PCI compliance.

Awards:
> Best Products & Services, Reader's Trust Award: Network Products Guide has awarded Masergy the 2009 Best Products and Services - Readers Trust Award for Unified Security.
> Tomorrow's Technology Today Award: Masergy is a winner of 2006, 2007, 2008 and 2009 Tomorrow's Technology Today awards from Info Security Products Guide.
> Global Product Excellence - Customer Trust Award: Masergy is a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security from Info Security Products Guide.
> Best Deployment Scenario Award: Info Security Products Guide has named Masergy a winner of the 2009 Best Deployment Scenario Award for Managed Security Services.
> Product Innovation Award: Masergy's Enterprise UTM++ and All-n-One Security Module for Enterprise UTM have received 2008 and 2009 Product Innovation awards for unified security from Network Products Guide.

PREDICT AND PROTECT

Enterprise UTM
> A holistic, non-intrusive, layered approach to PCI compliance
> A fully integrated, highly scalable, passive network security suite with patented behavioral analysis and correlation shared by all applications
> Unified Administration, Monitoring and Reporting

(Architecture diagram: Protect, Monitor, Alert and Report stages on a Trusted Computing Base. Components IDS, IPS, NBA, AV, NAC, AS, CF and Firewall (blocking) share one Network Behavioral Analysis and Correlation Server. Inputs: users, servers, firewalls, syslogs, switches, routers, policies, network traffic. Findings: intrusions, discovery, threats, suspicious traffic, viruses, trojans, vulnerabilities, vendor alerts, stealth attacks, access violations, resource violations. Outputs: alerts, compliance, prioritized threats, policy violations, access violations.)

COMPREHENSIVE PCI COMPLIANCE REPORTING

Using the most advanced algorithms in the industry, Masergy automatically analyzes your threat status and continually compiles comprehensive sets of reports on suspicious activity. Specific to PCI compliance, we offer the following reporting services:

Vulnerability Scan Reports
> Current Risk Report
> Current Risk Summary
> Ignored Vulnerabilities Report
> Vulnerability Escalation Report
> Vulnerability History Report
> Report by Vulnerability, giving for each vulnerability a detailed description, consequences, detailed remediation steps, risk factor, and links to CVEs, patches, etc.

Vulnerability Management Reports
> Prioritized Vendor Threats
> Prioritized Network Threats
> Prioritized Global Threats
> Prioritized Vulnerabilities
> Prioritized Threat List (all), linking each threat with its threat sources, ports and protocols; targeted assets; and required remediation steps & patches
> Rolling 30-day Threat Remediation Report
> Network Access Policy Violation Report
> Geographic Origin of Attackers

Open Services Reports
> Identifies/documents external usage of enterprise services and resources
> Identifies/documents internal usage of external services and resources

Services covered:
> Web Usage
> Encrypted Web Usage
> SMTP Mail Usage
> Encrypted SMTP Mail Usage (SSL)
> POP3 Mail Usage
> Encrypted POP (SSL) Usage
> IMAP Mail Usage
> Encrypted IMAP Mail Usage
> FTP Usage
> Telnet Usage
> SSH Usage
> LDAP Usage
> Socks Usage
> News Usage
> Encrypted News Usage (SSL)
> Windows Share Usage (netbios-ssn)
> P2P Usage
> IM Usage
> Proprietary (other)

Masergy's 12 Steps to PCI Compliance.

A. BUILD AND MAINTAIN A SECURE NETWORK
1. We can guide your organization in establishing, optimizing, and maintaining industry best practice firewall configuration standards, as well as install and maintain a firewall configuration to protect cardholder data. This optimizes the protection of all systems from unauthorized Internet access. We'll also share/develop with you industry best practice configuration standards for the rest of your major system components.
2. Monthly configuration scans are performed to ensure your organization is not using vendor-supplied defaults for system passwords or other security parameters. Not only are defaults well known in hacker communities, but they can easily be found in public information, making your organization an easy target.

B. PROTECT CARDHOLDER DATA
3. Monthly testing and assessments of your cardholder data processing, storage and encryption methodology are performed to ensure the cardholder data is properly protected.
4. Testing and assessment will ensure your organization is using the required strong cryptography and security protocols to protect sensitive information during transmission across open public networks.

C. MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
5. Periodic audits are conducted to assist with the necessary oversight to make sure your organization's anti-virus software or programs are updated.
6. Our Enterprise UTM compliance offering includes an integrated threat management solution to help your organization ensure its network and device vulnerabilities are discovered, prioritized and resolved in an effective manner.

D. IMPLEMENT STRONG ACCESS CONTROL MEASURES
7. Our professional services organization can guide your organization related to security process, policy, and technology to ensure access to cardholder data is appropriate based upon business need-to-know. This ensures critical data is untouchable by unauthorized personnel.
8. Our periodic audits and testing make sure a unique ID is assigned to each person with computer access.
9. We also help you confirm that the necessary restrictions are in place regarding physical access to cardholder data, in order to protect hard copies of cardholder information as well as the cardholder information systems themselves.

E. REGULARLY MONITOR AND TEST NETWORKS
10. The Enterprise UTM component of our PCI compliance offering tracks and monitors all access to network resources and cardholder data so that the cause of any policy violation can be determined through system alerts and activity logs.
11. As a PCI Approved Scanning Vendor, we will provide the required periodic vulnerability scans and penetration testing of your systems, processes and custom software to ensure security is maintained over time and throughout software changes.

F. MAINTAIN AN INFORMATION SECURITY POLICY
12. Based on your specific requirements, the Masergy professional services team can work with your organization to establish and maintain policies that address information security, as well as processes that confirm all employees, contractors, and vendor partners are aware of the sensitivity of your data and their responsibility for protecting it.

PCI compliance is a significant undertaking for most organizations. The criticality for organizations that process, store, or transmit cardholder data to achieve and maintain PCI compliance continues to increase. Masergy's Premium PCI Managed Services and Enterprise UTM Technology have the necessary flexibility to meet the specific compliance needs of your organization. PCI compliance. We can help make it happen.

Build and Maintain a Secure Network

REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA.

Firewalls are computer devices that control computer traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within a company's internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized Internet access, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers, or employees' access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Formal Change Approval Process
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy has developed a formal process for approving and testing all external network connections and changes to the firewall configuration.
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.
> Masergy professional services team: Working with your organization, the Masergy professional services team will develop a formal process for approving and testing all external network connections and changes to the firewall configuration.

Current Network Diagram
> Working as an extension of your organization, Masergy will develop a current network diagram with all connections to cardholder data, including any wireless networks.

Firewall Requirements
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

Firewall Requirements (continued)
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will develop formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
> Masergy professional services team: Based upon your IT infrastructure/business requirements, the Masergy professional services team will define formal requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network.

Groups, Roles, Responsibilities
> Working with your team, Masergy will develop a current description of groups, roles, and responsibilities for logical management of network components.

Services, Ports Necessary for Business
> Behavioral Intrusion Detection/Prevention Security Monitoring Service (requires A-5000-G Behavioral Correlation Module (BCM)): Systems configured with the Behavioral Correlation Module (BCM) automatically detect and document services and ports necessary for business. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC (Security Control Center).
> All-n-One Security Module (ASM; requires A-2500-G Behavioral Correlation Module Software): As for the Security Monitoring Service above, systems configured with the BCM automatically detect, verify and document services and ports necessary for business, so the information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC.
> Masergy professional services team: Based on your required business applications, the Masergy professional services team will document a list of services and ports necessary for business.

Justification for Non-Standard Protocols
> Behavioral Intrusion Detection/Prevention Security Monitoring Service (requires A-5000-G Behavioral Correlation Module (BCM)): Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, even those besides hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). This information is always up-to-date and readily available upon request. A specific report is available at any time by simply contacting the SCC.
> All-n-One Security Module (ASM; requires A-2500-G Behavioral Correlation Module Software): As for the Security Monitoring Service above, systems configured with the BCM will automatically detect and document services and ports necessary for business, including those besides HTTP, SSL, SSH and VPN. This information is always up-to-date and readily available upon request. A specific report is available at any time by simply contacting the SCC.
> Masergy professional services team: Masergy will work with your organization to identify non-standard protocols in use. We will be responsible for developing a formal justification for required non-standard protocols.

Justification for Risky Protocols (e.g., FTP)
> Behavioral Intrusion Detection/Prevention Security Monitoring Service (requires A-5000-G Behavioral Correlation Module (BCM)): Systems configured with the Behavioral Correlation Module (BCM) will automatically detect and document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP). There are also several reports that catalog the use of FTP and other risky protocols. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented. Thus, you are assured that this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC.

Justification for Risky Protocols (e.g., FTP) (continued)
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb; requires A-2500-G Behavioral Correlation Module Software): As for the Security Monitoring Service above, systems configured with the BCM will automatically detect and document services and ports necessary for business, including any risky protocols allowed such as file transfer protocol (FTP), and several reports catalog the use of FTP and other risky protocols. Since the system is adaptive in nature, new services and ports are automatically detected, verified, and documented, so this information is always up-to-date and readily available upon request. A specific report can be requested at any time by simply contacting the SCC.
> Masergy professional services team: Masergy will work with your organization to identify risky protocols in use. We will be responsible for developing a formal justification for required risky protocols.

Quarterly Review of FW & Router Rules
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.
> All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will perform a quarterly review of firewall and router rule sets for any device under service, and issue a complete report.
> Masergy professional services team: The Masergy professional services team will perform a quarterly review of the firewall and router rule sets.

Router Configuration Standards
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy offers industry best practice configuration standards for routers.
> Masergy professional services team: The Masergy professional services team will provide a complete report of industry best practice configuration standards for routers.

1.2 FW Rules to Deny Untrusted Networks & Hosts
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy builds a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy builds a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.
> Network Access Monitoring via Network Security Zones (Enterprise UTM++ configurations require Z-1000-G software; ASM configurations require Z-2500-G software): Network Security Zones (NSZ) is the first network access monitoring (NAM) solution based solely on behavioral network analysis and correlation. Each Network Security Zone is a user-defined network access policy comprised of specific network resource objects (users, systems, applications, date/time, etc.) with secure boundaries for specific systems, applications and users. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
> Masergy professional services team: The Masergy professional services team offers a recommended firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment.

FW Rules to Restrict Connections
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements
> Masergy professional services team: The Masergy professional services team will build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration will include requirements

Ingress Filters
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy restricts inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
> All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will restrict inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).
> Masergy professional services team: Based upon your business environment, the Masergy professional services team will deliver a recommended configuration design, restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters).

Inhibit Internal Address from Reaching Internet via DMZ
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will not allow internal addresses to pass from the Internet into the DMZ.

Inhibit Internal Address from Reaching Internet via DMZ (continued)
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will not allow internal addresses to pass from the Internet into the DMZ.
> Masergy professional services team: Working with your particular infrastructure, the Masergy professional services team will recommend a design and not allow internal addresses to pass from the Internet into the DMZ.

Implement Stateful Inspection
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network).
> All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will implement stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network).
> Masergy professional services team: The Masergy professional services team will offer a design and periodically verify that stateful inspection, also known as dynamic packet filtering (that is, only established connections are allowed into the network), is properly implemented.

Segregate DMZ and Database(s)
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.
> All-n-One Security Module (ASM): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will ensure the firewall configuration logically places any database(s) in an internal network zone, segregated from the DMZ.

Segregate DMZ and Database(s) (continued)
> Network Security Zones (UTM++ configurations require the Z-1000-G Network Security Zones feature; ASM configurations require the Z-2500-G Network Security Zones feature; no additional HW or SW agents are required): As part of the NSZ capability and service, secure computing policies are established to logically place database(s) in an internal network zone, segregated from the DMZ. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
> Masergy professional services team: As part of the service, Masergy will recommend a design and periodically verify that the database is in an internal network zone, segregated from the DMZ.

Restrict I/O Traffic
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
> All-n-One Security Module (ASM; models N-2500-S 10/100/1000Mb, N-2501-S 10Mb, N-2510-S 100Mb, N-2520-S 1000Mb): The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, Masergy will logically configure network access to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
> Network Security Zones (UTM++ configurations require the Z-1000-G Network Security Zones feature; ASM configurations require the Z-2500-G Network Security Zones feature; no additional HW or SW agents are required): As part of the NSZ capability and service, secure computing policies can logically restrict inbound and outbound traffic to that which is necessary for the cardholder data environment. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response.

Restrict I/O Traffic (continued)
> Network Security Zones: NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
> Masergy professional services team: As part of the service, Masergy will offer a design and periodically confirm that network access restricting inbound and outbound traffic to that which is necessary for the cardholder data environment is properly implemented.

Secure & Synch Router Configuration Files
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will periodically confirm the security and synchronization of router configuration files, for example running configuration files (for normal functioning of the routers) and start-up configuration files (when machines are re-booted), ensuring all have the same secure configuration.

Deny all Other Nonessential I/O Traffic
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will configure network access to deny all other inbound and outbound traffic not specifically allowed.
> Network Security Zones (requires the Z-1000-G Network Security Zones feature and the Syslog Module to block/deny NSZ policy violations; no additional HW or SW agents are required): As part of the NSZ capability and service, secure computing policies can be established to deny all other inbound and outbound traffic not specifically allowed. Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected.

Deny all Other Nonessential I/O Traffic (continued)
> Network Security Zones: NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response. NSZ alerts include date/time of the offense, perpetrator, targeted asset, and complete forensics of the session that triggered the alert. Network Security Zones (NSZ) is a separate purchase or subscription option to the behavioral intrusion detection/prevention service.
> Masergy professional services team: As part of the service, Masergy will offer a design and periodically confirm that network access denying all other inbound and outbound traffic not specifically allowed is properly implemented.

Install Perimeter FW Between Wireless Networks and PCI Data
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny any traffic from the wireless environment, or to control that traffic (if such traffic is necessary for business purposes).

Install PC FW on any Mobile and Employee-Owned Computers with Direct Internet Connections
> Firewall Management & Monitoring Service, Syslog Module: As part of the service, Masergy will monitor personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network. Requires a software syslog agent to be installed on each monitored laptop that will transmit to FSM, or syslog output from the PC firewall management/administration console.
> Masergy professional services team: As part of the service, Masergy will periodically confirm the appropriate installation of personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network. Customer must supply the personal firewall software.

1.4 Prohibit Direct Public Access to Any PCI Data
  Product: Firewall Management & Monitoring Service, Syslog Module.
  Service: As part of the service, Masergy will logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).
  Product: Network Security Zones. Requires the Z-1000-G Network Security Zones feature; no additional hardware or software agents are required. The Syslog Module enables blocking at firewalls and/or switches and routers.
  Service: As part of the NSZ capability and service, secure computing policies prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). Where systems are configured with the N G Firewall Syslog Module, the system can be configured to automatically block/deny traffic at firewalls and/or switches and routers when policy violations are detected. NSZ policy violations are reported as alerts to the monitoring console, where trained security analysts perform incident response; each alert records the date and time of the offense, the perpetrator, the targeted asset, and complete forensics of the session that triggered it. NSZ is a separate purchase or subscription option to the behavioral intrusion detection/prevention service. As part of the service, Masergy will recommend a design to logically configure network access to prohibit direct public access between external networks and any system component that stores cardholder data.

Prohibit Direct Routes in the DMZ
  Product: Firewall Management & Monitoring Service, Syslog Module.
  Service: As part of the service, Masergy will offer a detailed design for, and implement, a DMZ that filters and screens all traffic and prohibits direct routes for inbound and outbound Internet traffic.
  Product: All-n-One Security Module (ASM): N-2500-S (10/100/1000 Mb), N-2501-S (10 Mb), N-2510-S (100 Mb), N-2520-S (1000 Mb).
  Service: The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic.

Restrict Outbound Traffic from PCI Applications in the DMZ
  Product: Firewall Management & Monitoring Service, Syslog Module.
  Service: As part of the service, Masergy will restrict outbound traffic from payment card applications to IP addresses within the DMZ.

1.5 Implement IP Masquerading
  Product: Firewall Management & Monitoring Service, Syslog Module.
  Service: As part of the service, Masergy will implement IP masquerading so that internal addresses are not translated and revealed on the Internet, using technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT). Masergy will also offer a design and periodically confirm that IP masquerading is properly implemented.
  Product: All-n-One Security Module (ASM): N-2500-S (10/100/1000 Mb), N-2501-S (10 Mb), N-2510-S (100 Mb), N-2520-S (1000 Mb).
  Service: The ASM has a built-in firewall service. For ASM devices under Contractual Managed Services, the built-in firewall service will be configured to implement IP masquerading with RFC 1918 address space and PAT or NAT, as above.
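As a worked check for the Requirement 1 controls above (deny all traffic not specifically allowed, a firewall between wireless networks and the cardholder data environment, 1.4 no direct public access with Internet traffic terminating in the DMZ and CDE egress confined to the DMZ, and 1.5 RFC 1918 masquerading), the following is an added example and not Masergy's code or the NSZ product: it audits a simplified zone-based policy and reports each control it violates. The zone names, the Rule/Policy format and the two sample policies are assumptions constructed for illustration.

```python
"""Audit a simplified zone-based firewall policy against the Requirement 1
controls above.  Added example: the zone names, the Rule/Policy format and
the sample policies are constructed for illustration, not a vendor format."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import List, Optional

# RFC 1918 private address space; must be masqueraded (NAT/PAT) before the Internet.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_zone: str          # assumed zone names: internet, wireless, dmz, cde, internal
    dst_zone: str
    proto: str = "any"
    dport: Optional[int] = None


@dataclass
class Policy:
    rules: List[Rule]
    default_action: str                                               # applied when no rule matches
    egress_sources: List[IPv4Network] = field(default_factory=list)   # networks routed to the Internet
    masqueraded: List[IPv4Network] = field(default_factory=list)      # networks covered by NAT/PAT


def audit(policy: Policy) -> List[str]:
    """Return one finding per violated control; an empty list means the policy passes."""
    findings: List[str] = []
    # Deny all other inbound and outbound traffic not specifically allowed.
    if policy.default_action != "deny":
        findings.append(f"default action is {policy.default_action!r}; must be deny")
    for r in policy.rules:
        if r.action != "allow":
            continue
        where = f"{r.src_zone} -> {r.dst_zone} {r.proto}/{r.dport}"
        # Perimeter firewall between wireless networks and the cardholder data environment.
        if r.src_zone == "wireless" and r.dst_zone == "cde":
            findings.append(f"wireless traffic reaches the CDE: {where}")
        # 1.4: no direct public access to systems storing cardholder data;
        # Internet traffic must terminate in the DMZ.
        if r.src_zone == "internet" and r.dst_zone == "cde":
            findings.append(f"direct public access to the CDE: {where}")
        # Outbound traffic from payment applications limited to addresses within the DMZ.
        if r.src_zone == "cde" and r.dst_zone not in ("cde", "dmz"):
            findings.append(f"CDE egress not confined to the DMZ: {where}")
    # 1.5: RFC 1918 sources must be masqueraded before they reach the Internet.
    for net in policy.egress_sources:
        private = any(net.subnet_of(p) for p in RFC1918)
        if private and not any(net.subnet_of(m) for m in policy.masqueraded):
            findings.append(f"RFC 1918 source {net} reaches the Internet without NAT/PAT")
    return findings


def sample_policies() -> tuple[Policy, Policy]:
    """Constructed (weak, hardened) pair for the same three-tier card environment."""
    weak = Policy(
        rules=[
            Rule("allow", "internet", "cde", "tcp", 443),    # web tier sits inside the CDE
            Rule("allow", "wireless", "cde", "tcp", 1433),   # store WiFi talks to the database
            Rule("allow", "cde", "internet", "tcp", 443),    # payment app calls out directly
        ],
        default_action="allow",
        egress_sources=[ip_network("10.10.20.0/24")],
        masqueraded=[],
    )
    hardened = Policy(
        rules=[
            Rule("allow", "internet", "dmz", "tcp", 443),    # public traffic terminates in the DMZ
            Rule("allow", "dmz", "cde", "tcp", 1433),        # only the DMZ tier reaches the database
            Rule("allow", "cde", "dmz", "tcp", 8443),        # payment app exits via a DMZ proxy
            Rule("deny", "wireless", "cde"),                 # explicit, on top of the default deny
        ],
        default_action="deny",
        egress_sources=[ip_network("10.10.20.0/24")],
        masqueraded=[ip_network("10.0.0.0/8")],
    )
    return weak, hardened


if __name__ == "__main__":
    for name, pol in zip(("weak", "hardened"), sample_policies()):
        print(name, audit(pol) or ["no findings"])
```

The hardened policy passes and the weak one yields one finding per control. In practice the rule list would be loaded from the firewall's exported rule base rather than hand-built, and the periodic confirmation should also verify that every allow rule carries a documented business justification, which a reachability check alone cannot see.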

Build and Maintain a Secure Network

REQUIREMENT 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS.

Hackers (both external and internal to a company) often use vendor default passwords and other vendor default settings to compromise systems. These passwords and settings are well known in hacker communities and easily determined from public information.

2.1 Change Vendor-Supplied Defaults for New Systems
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will audit any newly installed system for vendor-supplied defaults before it is placed on the network (for example, passwords and simple network management protocol (SNMP) community strings, and the elimination of unnecessary accounts), then periodically scan and provide suggested system remediation for detected vulnerabilities.

Change Wireless Vendor Defaults for New Systems
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will audit any newly installed system for vendor-supplied wireless defaults, including but not limited to wired equivalent privacy (WEP) keys, the default service set identifier (SSID), passwords, and SNMP community strings; disable SSID broadcasts; and enable WiFi protected access (WPA and WPA2) for encryption and authentication wherever the equipment is WPA-capable. Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.2 Configuration Standards for All System Components
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will offer recommended configuration standards for all system components and ensure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards, such as those published by the SysAdmin, Audit, Network, Security (SANS) Institute, the National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS).

Implement Only One Primary Function per PCI Server
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will periodically audit to ensure only one primary function per server (for example, Web servers, database servers, and DNS should be implemented on separate servers). Periodically scan and provide suggested system remediation for detected vulnerabilities.

Disable All Unnecessary and Insecure Services for All PCI System Components
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will disable all unnecessary and insecure services and protocols (services and protocols not directly needed to perform the device's specified function). Periodically scan and provide suggested system remediation for detected vulnerabilities.

Configure System Security Parameters to Prevent Misuse for All PCI System Components
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will audit and recommend the optimal system security parameters to prevent misuse. Periodically scan and provide suggested system remediation for detected vulnerabilities.

Remove All Unnecessary Functionality for All PCI System Components
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will identify unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers. Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.3 Encrypt All Non-Console Administrative Access
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will identify and recommend appropriate encryption methods for all non-console administrative access, and implement technologies such as SSH, VPN, or SSL/TLS (transport layer security) for Web-based management and other non-console administrative access. Periodically scan and provide suggested system remediation for detected vulnerabilities.

2.4 Hosting Provider Requirements
  Service: As part of the service, Masergy audits any hosting providers to ensure protection of each entity's hosted environment and data, and to ensure that providers meet the specific requirements detailed in Appendix A: PCI DSS Applicability for Hosting Providers.
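To make the Requirement 2 audits concrete, here is an added example (not the V-3001-G scanner or any vendor's code) that scans a constructed IOS-style device configuration for well-known vendor defaults (2.1), WEP and default SSIDs (wireless defaults), unnecessary services (2.2) and cleartext administrative access (2.3). The command patterns, the lists of defaults and both sample configurations are assumptions for illustration.

```python
"""Scan a device configuration for vendor defaults, unnecessary services and
cleartext administrative access (Requirement 2).  Added example: the IOS-style
config text and the lists of defaults are constructed for illustration."""
import re
from typing import List, Tuple

Finding = Tuple[str, int, str]   # (requirement area, line number, message)

# Well-known vendor defaults.  Assumed lists for the example; extend them from
# the vendor documentation of the equipment actually deployed.
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_SSIDS = {"default", "linksys", "tsunami"}
# Services not needed for a router's primary function (IOS command names).
UNNECESSARY_SERVICES = {"service tcp-small-servers", "service udp-small-servers", "ip finger"}


def audit_config(config: str) -> List[Finding]:
    """Return one finding per offending line, plus one for HTTP-without-HTTPS."""
    findings: List[Finding] = []
    http_enabled = https_enabled = False
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        # 2.1: default SNMP community strings
        m = re.match(r"snmp-server community (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append(("2.1 vendor defaults", n, f"default SNMP community {m.group(1)!r}"))
        # 2.1 wireless: default SSID, WEP instead of WPA/WPA2
        m = re.match(r"dot11 ssid (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SSIDS:
            findings.append(("2.1 wireless defaults", n, f"default SSID {m.group(1)!r}"))
        if re.match(r"encryption mode wep\b", line):
            findings.append(("2.1 wireless defaults", n, "WEP in use; require WPA/WPA2"))
        # 2.2: services not needed for the device's function
        if line in UNNECESSARY_SERVICES:
            findings.append(("2.2 unnecessary services", n, f"{line!r} enabled"))
        # 2.3: non-console administrative access must be encrypted
        if line.startswith("transport input") and "telnet" in line.split():
            findings.append(("2.3 non-console admin access", n,
                             "telnet accepted on VTY lines; allow ssh only"))
        if line == "ip http server":
            http_enabled = True
        if line == "ip http secure-server":
            https_enabled = True
    if http_enabled and not https_enabled:
        findings.append(("2.3 non-console admin access", 0,
                         "cleartext HTTP management enabled without HTTPS"))
    return findings


# Constructed configurations: one as shipped plus careless additions, one hardened.
WEAK_CONFIG = """\
hostname edge-rtr
service tcp-small-servers
snmp-server community public RO
snmp-server community private RW
ip http server
dot11 ssid linksys
 encryption mode wep
line vty 0 4
 transport input telnet ssh
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no service tcp-small-servers
snmp-server community Vq9s2Lp7xT RO
no ip http server
ip http secure-server
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit_config(WEAK_CONFIG):
        print(finding)
```

The check recognises only well-known defaults, so a weak but non-default community string passes it; it complements, rather than replaces, a scan that actually tries the defaults against the live device.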

Protect Cardholder Data

REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA.

Encryption is a critical component of cardholder data protection. If an intruder circumvents other network security controls and gains access to encrypted data, the data is unreadable and unusable to that person without the proper cryptographic keys. Other effective methods of protecting stored data should be considered as potential risk mitigation opportunities. For example, methods for minimizing risk include not storing cardholder data unless absolutely necessary, truncating cardholder data if the full primary account number (PAN) is not needed, and not sending the PAN in unencrypted e-mails.

3.1 Minimize Cardholder Data Storage
  As part of the service, Masergy will audit cardholder data storage against the minimum requirements and make recommendations for reducing cardholder data storage. Working with your organization, we will develop a data retention and disposal policy that limits the amount of data stored and its retention time to what is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.2 Sensitive Authentication Data Policy
  As part of the service, Masergy will audit PCI server authentication implementation(s) to ensure that sensitive authentication data is not stored anywhere subsequent to authorization (even if encrypted). Working with your organization, we will develop a compliant authentication and disposal policy. Sensitive authentication data includes the data cited in the following sub-requirements.

Magnetic Stripe Data Handling Policy
  Working as an extension of your organization, Masergy will develop and implement policies to ensure that the full contents of any track from the magnetic stripe (on the back of a card, in a chip, or elsewhere) are never stored. This data is alternatively called full track, track, track 1, track 2, and magnetic stripe data. In the normal course of business, the following data elements from the magnetic stripe may need to be retained: the account holder's name, primary account number (PAN), expiration date, and service code. To minimize risk, store only those data elements needed for business.

Card-Validation Code Handling Policy
  NEVER store the card verification code or value, or the personal identification number (PIN) verification value, data elements.

PIN Handling Policy
  As part of the service, Masergy will audit cardholder PIN usage and retention practices and identify corrective measures to ensure PCI compliance. Working with your organization, we will develop a PIN retention and disposal policy that limits PIN retention time to what is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.3 PAN Masking Policy
  As part of the service, Masergy will audit cardholder PAN usage, retention, and practices, and identify corrective measures to ensure PCI compliance. Develop a primary account number (PAN) usage policy and practices that mask the PAN whenever it is displayed (the first six and last four digits are the maximum number of digits to be displayed). Limit PAN storage and retention time to what is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.

3.4 PAN Rendering Policy
  As part of the service, Masergy will audit cardholder PAN rendering usage, retention, and practices, and identify corrective measures to ensure PCI compliance. Develop a PAN rendering policy and practices to ensure that the PAN is, at a minimum, rendered unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches:
> Strong one-way hash functions (hashed indexes)
> Truncation
> Index tokens and pads (pads must be securely stored)
> Strong cryptography with associated key management processes and procedures

Disk Encryption Policy
  As part of the service, Masergy will audit disk encryption usage and practices and identify corrective measures to ensure PCI compliance. Develop a disk encryption usage policy and practices to ensure that logical access is managed independently of native operating system access control mechanisms (for example, by not using local system or Active Directory accounts) and that decryption keys are not tied to user accounts. Establish the disk encryption application(s)/implementation(s) required for business, legal, and/or regulatory purposes, as documented in the disk encryption usage policy.

3.5 Encryption Key Protection Policy
  As part of the service, Masergy will audit the protection of encryption keys used for encryption of cardholder data against both disclosure and misuse. Develop an encryption key protection policy and practices to guard against data compromise by both disclosure and misuse. Establish and document the applications and practices required for business, legal, and/or regulatory purposes that utilize encryption keys:
> Restrict access to keys to the fewest number of custodians necessary.
> Store keys securely in the fewest possible locations and forms.

3.6 Encryption Key Management Procedures
  As part of the service, Masergy will audit all key management processes and procedures for keys used for encryption of cardholder data, and identify corrective measures to ensure PCI compliance. Masergy will develop, fully document, and implement all key management processes and procedures for keys used for encryption of cardholder data, including:
> Generation of strong keys
> Secure key distribution
> Secure key storage
> Periodic changing of keys as deemed necessary and recommended by the associated application (for example, re-keying); preferably automatically, or at least annually
> Destruction of old keys
> Split knowledge and establishment of dual control of keys (so that it requires two or three people, each knowing only their part of the key, to reconstruct the whole key)
> Prevention of unauthorized substitution of keys
> Replacement of known or suspected compromised keys
> Revocation of old or invalid keys
> Requirement for key custodians to sign a form stating that they understand and accept their key-custodian responsibilities
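For the PAN handling in 3.3 and 3.4 and the split knowledge / dual control item in 3.6, here is an added example (not the brochure's or any vendor's code) that masks and truncates a PAN, builds a keyed hashed index, and splits a data-encrypting key into XOR components so that no single custodian holds the key. The sample PAN is the well-known 4111111111111111 test number; the key and index-key values are constructed. One caveat the 3.4 list does not spell out: an unkeyed hash of a PAN is not a strong rendering, because with the six-digit BIN known and the check digit fixed by Luhn a 16-digit PAN has only about 10**9 candidates, so the index must be keyed and that key protected under 3.5 and 3.6.

```python
"""Render a PAN unreadable for display and storage (3.3, 3.4) and combine key
components under split knowledge / dual control (3.6).  Added example, not the
brochure's or any vendor's code; the sample PAN is a well-known test number."""
import hashlib
import hmac
import secrets
from typing import List


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test; rejects malformed input before any PAN handling."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form (3.3): first six and last four are the most that may be shown."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form (3.4, truncation): the middle digits are discarded, not hidden."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + pan[-4:]


def hashed_index(pan: str, index_key: bytes) -> str:
    """Keyed one-way index (3.4, hashed index) for lookups without storing the PAN.
    HMAC rather than a bare hash: the PAN space is small enough to enumerate, so
    the secret key is what makes the index one-way in practice."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(index_key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int) -> List[bytes]:
    """Split knowledge (3.6): each custodian receives one component; any subset
    smaller than the full set is statistically independent of the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for p in parts:
        last = _xor(last, p)
    return parts + [last]


def combine_key(parts: List[bytes]) -> bytes:
    """Dual control: the key exists only once every custodian's component is entered."""
    key = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(key):
            raise ValueError("component length mismatch")
        key = _xor(key, p)
    return key


if __name__ == "__main__":
    pan = "4111111111111111"                          # well-known test PAN, not a real card
    print(mask_pan(pan), truncate_pan(pan))
    print(hashed_index(pan, b"constructed-index-key"))  # constructed key; use an HSM-held key
    dek = secrets.token_bytes(32)                     # data-encrypting key to be split
    parts = split_key(dek, 3)
    print(combine_key(parts) == dek)
```

The XOR components are the form custodians typically enter at a key ceremony: each part is a uniformly random string on its own, and the assembled key should be formed inside the cryptographic device rather than in application memory. Truncation and masking are irreversible by design; the hashed index is only as strong as the secrecy of its key.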

Protect Cardholder Data

REQUIREMENT 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS.

Sensitive information must be encrypted during transmission over networks that are easy and common for a hacker to intercept, modify, and

4.1 Use Strong Cryptography and Security Protocols
  As part of the service, Masergy will audit the use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over open, public networks and identify corrective measures to ensure PCI compliance. Examples of open, public networks that are in scope of the PCI DSS are the Internet, WiFi (IEEE 802.11x), global system for mobile communications (GSM), and general packet radio service (GPRS). Develop and document the strong cryptography and security protocol policy and procedures required to safeguard sensitive cardholder data during transmission over open, public networks. Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over open, public networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.

Wireless Networks Transmitting Cardholder Data
  As part of the service, Masergy will audit the use of cryptography and security protocols intended to safeguard sensitive cardholder data during transmission over wireless networks and identify corrective measures to ensure PCI compliance. Develop and document the strong cryptography and security protocol policy and procedures for wireless networks transmitting cardholder data, including methods to encrypt the transmissions using WiFi protected access (WPA or WPA2), IPsec VPN, or SSL/TLS. Establish and document all application(s)/implementation(s) transmitting sensitive cardholder data over wireless networks that may be required for business, legal, and/or regulatory purposes, as documented in the cryptography and security protocol usage policy.

4.2 PAN E-mail Usage Policy
  As part of the service, Masergy will audit cardholder primary account number (PAN) usage, retention, and practices, and identify corrective measures to ensure PCI compliance. Develop a PAN transmission policy and practices to ensure that unencrypted PANs are never sent by e-mail. Establish and document all application(s) transmitting sensitive cardholder data via e-mail that may be required for business, legal, and/or regulatory purposes, as documented in the PAN e-mail usage policy.

Maintain a Vulnerability Management Program

REQUIREMENT 5: USE AND REGULARLY UPDATE ANTI-VIRUS SOFTWARE OR PROGRAMS.

Many vulnerabilities and malicious viruses enter the network via employees' e-mail activities. Anti-virus software must be used on all systems commonly affected by viruses to protect those systems from malicious software.

Anti-Virus Software Policy
  Product: Requires V-3001-G Vulnerability Scanner Module.
  Service: As part of the service, Masergy will audit anti-virus software usage and practices for all servers, desktops, laptops, and mobile devices, and identify corrective measures to ensure PCI compliance. Develop and document an anti-virus software policy and practices to:
> Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware.
> Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
  Identify and document all application(s)/systems using anti-malware that may be required for business, legal, and/or regulatory purposes, as documented in the anti-virus software policy.


More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment

More information

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish firewall and router configuration standards that include the following: 1.1.1 A formal process for

More information

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX

MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX MEETING PCI DSS MERCHANT REQUIREMENTS WITH A WATCHGUARD FIREBOX FEBRUARY 2008 Introduction Over the past few years there have been several high profile security breaches that have resulted in the loss

More information

The University of Texas at El Paso

The University of Texas at El Paso The University of Texas at El Paso Payment Card Industry Standards and Procedures Standards, Procedures, and Forms That Conform to PCI DSS version 2.0 Policy Version 2.0 March 2012 About this Document

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Windows Azure Customer PCI Guide

Windows Azure Customer PCI Guide Windows Azure PCI Guide January 2014 Version 1.0 Prepared by: Neohapsis, Inc. 217 North Jefferson St., Suite 200 Chicago, IL 60661 New York Chicago Dallas Seattle PCI Guide January 2014 This document contains

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage Version

More information

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs

When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,

More information

PCI Data Security and Classification Standards Summary

PCI Data Security and Classification Standards Summary PCI Data Security and Classification Standards Summary Data security should be a key component of all system policies and practices related to payment acceptance and transaction processing. As customers

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

Payment Card Industry Security Audit Procedures. January 2005

Payment Card Industry Security Audit Procedures. January 2005 Payment Card Industry Security Audit Procedures January 2005 Copyright The information contained in this manual is proprietary and confidential to MasterCard International Incorporated (MasterCard) and

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

Achieving PCI DSS Compliance with Cinxi

Achieving PCI DSS Compliance with Cinxi www.netforensics.com NETFORENSICS SOLUTION GUIDE Achieving PCI DSS Compliance with Cinxi Compliance with PCI is complex. It forces you to deploy and monitor dozens of security controls and processes. Data

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

ISO 27001 PCI DSS 2.0 Title Number Requirement

ISO 27001 PCI DSS 2.0 Title Number Requirement ISO 27001 PCI DSS 2.0 Title Number Requirement 4 Information security management system 4.1 General requirements 4.2 Establishing and managing the ISMS 4.2.1 Establish the ISMS 4.2.1.a 4.2.1.b 4.2.1.b.1

More information

Demystifying the Payment Card Industry - Data Security Standard

Demystifying the Payment Card Industry - Data Security Standard Demystifying the Payment Card Industry - Data Security Standard Does ADTRAN Comply? What is the PCI DSS? In short, the Payment Card Industry (PCI) Data Security Standard (DSS) is a stringent set of requirements

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers SAQ-Eligible Service Providers Version 3.0 February 2014 Document

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness CISP BULLETIN Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness November 21, 2006 To support compliance with the Cardholder Information Security Program (CISP), Visa USA

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

New Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide

New Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide New Boundary Technologies The Payment Card Industry (PCI) Security Guide New Boundary Technologies PCI Security Configuration Guide October 2006 CONTENTS 1.0......Executive Summary 2.0.....The PCI Data

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group Meeting PCI-DSS v1.2.1 Compliance Requirements By Compliance Research Group Table of Contents Technical Security Controls and PCI DSS Compliance...1 Mapping PCI Requirements to Product Functionality...2

More information

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP)

Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) Visa Asia Pacific Account Information Security (AIS) Program Payment Application Best Practices (PABP) This document is to be used for payment application vendors to validate that the payment application

More information

PCI Compliance. Top 10 Questions & Answers

PCI Compliance. Top 10 Questions & Answers PCI Compliance Top 10 Questions & Answers 1. What is PCI Compliance and PCI DSS? 2. Who needs to follow the PCI Data Security Standard? 3. What happens if I don t comply? 4. What are the basic requirements

More information

Meeting PCI Data Security Standards with

Meeting PCI Data Security Standards with WHITE PAPER Meeting PCI Data Security Standards with Juniper Networks STRM Series Security Threat Response Managers When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.1 February 2008 Table

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 1.2.1 to 2.0 Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

How Reflection Software Facilitates PCI DSS Compliance

How Reflection Software Facilitates PCI DSS Compliance Reflection How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance How Reflection Software Facilitates PCI DSS Compliance In 2004, the major credit

More information

Firewall and Router Policy

Firewall and Router Policy Firewall and Router Policy Approved By: \S\ James Palmer CSC Loss Prevention Director PCI Policy # 1600 Version # 1.1 Effective Date: 12/31/2011 Revision Date: 12/31/2014 December 31, 2011 Date 1.0 Purpose:

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity) PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking SUMMARY The Payment Card Industry Data Security Standard (PCI DSS) defines 12 high-level security requirements directed

More information

Josiah Wilkinson Internal Security Assessor. Nationwide

Josiah Wilkinson Internal Security Assessor. Nationwide Josiah Wilkinson Internal Security Assessor Nationwide Payment Card Industry Overview PCI Governance/Enforcement Agenda PCI Data Security Standard Penalties for Non-Compliance Keys to Compliance Challenges

More information

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows: What is PCI DSS? PCI DSS is an acronym for Payment Card Industry Data Security Standards. PCI DSS is a global initiative intent on securing credit and banking transactions by merchants & service providers

More information

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM)

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) White Paper Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) When It Comes To Monitoring and Validation It Takes More Than Just Collecting Logs Juniper

More information

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage

More information

PCI Compliance Top 10 Questions and Answers

PCI Compliance Top 10 Questions and Answers Where every interaction matters. PCI Compliance Top 10 Questions and Answers White Paper October 2013 By: Peer 1 Hosting Product Team www.peer1.com Contents What is PCI Compliance and PCI DSS? 3 Who needs

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Implementation Guide

Implementation Guide Implementation Guide PayLINK Implementation Guide Version 2.1.252 Released September 17, 2013 Copyright 2011-2013, BridgePay Network Solutions, Inc. All rights reserved. The information contained herein

More information

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR

PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR PCI COMPLIANCE REQUIREMENTS COMPLIANCE CALENDAR AUTHOR: UDIT PATHAK SENIOR SECURITY ANALYST udit.pathak@niiconsulting.com Public Network Intelligence India 1 Contents 1. Background... 3 2. PCI Compliance

More information

An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance

An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance An Oracle White Paper January 2010 Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance Disclaimer The following is intended to outline our general product direction. It is

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

PCI and PA DSS Compliance Assurance with LogRhythm

PCI and PA DSS Compliance Assurance with LogRhythm WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security

More information

PCI DSS 3.1 Security Policy

PCI DSS 3.1 Security Policy PCI DSS 3.1 Security Policy Purpose This document outlines all of the policy items required by PCI to be compliant with the current PCI DSS 3.1 standard and that it is the University of Northern Colorado

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information