Achieving PCI DSS Compliance with

A White Paper, Spring 2010

Summary

The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The purpose of the standard is to reduce credit card fraud, which it achieves through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that process, store or transmit cardholder information.

The purpose of this guide is to explain clearly which areas of PCI DSS can assist with, and which responsibilities are solely those of the customer. For more information, please contact the home of Fanatical Support Ltd
Introduction

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is mandatory for any e-commerce trader, and finding the right hosting partner is vital to success. While there are many areas of PCI compliance that can assist with, customers should always consult a Qualified Security Assessor (QSA) to ensure that they meet all the requirements relevant to their business.

In June 2009, was accredited by Visa as a compliant Level 1 Payment Card Industry (PCI) Service Provider. Please note that although is a PCI compliant service provider, this does not automatically make our customers PCI compliant: customers should consult a Qualified Security Assessor to clarify their PCI obligations and the steps needed to achieve compliance.

This document explains each area of PCI compliance that is relevant to a hosted solution at, and outlines where the responsibility for each requirement lies: with the hosting provider, with the customer, or shared between the two.
PCI Compliance Requirements

REQUIREMENT 1.1 TO 1.1.1
Formal Process for Approving and Testing All Network Connections and Changes to the Network Configuration

Implement policies and processes for approving and testing all connections and changes to the network. The policy should list all network devices involved in the data flow.

This requirement can be met by incorporating the formal process into the customer security policy. Customers are responsible for implementing formal security controls, including a security policy and the associated processes and procedures needed to adhere to it.

REQUIREMENT 1.1.2
Current Network Diagram with All Connections to Cardholder Data, Including Wireless Networks

Network diagram and topology documents. The customer is responsible for mapping the flow of cardholder data across the network. can provide a network diagram upon request.

REQUIREMENT 1.1.3
Requirement for a Firewall at Each Internet Connection and Between Any DMZ and the Internal Network

Minimise the risk of malicious access to the internal network by implementing a firewall at each internet connection and between any DMZ and the internal network. This should include:
- restricting inbound and outbound traffic to that which is necessary for the cardholder data environment;
- securing and synchronising firewall and router configurations;
- prohibiting internal addresses from being passed to the internet;
- allowing only the necessary protocols;
- stateful packet inspection;
- implementing NAT;
- securing mobile devices that connect to the cardholder environment.

The customer is responsible for incorporating this requirement as a standard in the customer security policy. will configure the firewall for this requirement upon request from the customer.
REQUIREMENT 1.1.4
Description of Groups, Roles and Responsibilities for Logical Management of Network Components

Clear assignment of groups, roles and responsibilities can be incorporated into the customer security policy.

In a typical PCI customer hosted environment, manage the following devices:
- IDS
- Load balancer
- Firewall (the customer can make firewall access rule changes via the customer portal)

The support team and selected customer personnel also have access to manage the following devices:
- Servers

Any changes to the customer hosted environment should be initiated by the customer via phone or ticket. All changes to the customer environment should be recorded in a ticket by the support team and by the customer. There may be occasions when are required to make changes to the corporate infrastructure which may affect a customer hosted environment; however, all such changes are communicated before they are performed.
REQUIREMENT 1.1.5
Documentation and Business Justification for Use of All Services, Protocols and Ports Allowed

Customers should determine, clearly document and justify the services, protocols and ports necessary for the business. The customer is responsible for incorporating this requirement as part of the customer security policy.

REQUIREMENT 1.1.6
Requirement to Review Firewall and Router Rule Sets at Least Every Six (6) Months

Implement a policy to review firewall and router rule sets, and procedures for performing this task at least every 6 months. The customer is responsible for incorporating this requirement as part of the customer security policy. can assist with the review process by providing a dump of the firewall configuration upon request.

REQUIREMENT 1.2 TO 1.4

Requirements 1.2 to 1.4, relating to firewall and DMZ configurations, can be achieved by successfully implementing requirement 1.1.3.

Requirement 1.2.3 - Wireless networks are not permitted in the customer hosted environment. are responsible for complying with and regularly auditing this requirement.

REQUIREMENT 2.1 TO 2.4
Configuration Standards for All System Components Policy and Procedures

Configuration standards should address weaknesses in operating systems, databases and all installed applications. Systems should be configured to fix any known vulnerabilities, employing industry best practices and recommendations for hardening systems, including patching, removal of unnecessary services and applications, and changing vendor-supplied defaults. The customer is responsible for incorporating a configuration standard in the customer security policy. are able to assist customers by providing guidance and advice on hardening systems.

Requirement 2.1.1 - Wireless environments: Wireless networks are not permitted in the customer hosted environment. are responsible for complying with and regularly auditing this requirement.
REQUIREMENT 3.1 TO 3.2.3
Data Retention and Disposal Policy and Procedures

The policy and procedures should cover:
- description of data and scope for the cardholder environment;
- description of key terms and phrases;
- types of data, electronic media and hardcopy formats;
- procedures for obtaining data;
- procedures for protecting data;
- procedures for accessing, modifying or transferring cardholder data;
- provisions and procedures for retaining data;
- provisions and procedures for disposing of and destroying data;
- responsible parties for data retention activities;
- responsible parties for data disposal activities;
- types of data and retention periods for legal, regulatory and business requirements.

The customer should document the description of data and scope for the cardholder environment, with appropriate controls for processing, transmitting and storing data. This requirement should be incorporated into the customer security policy.

REQUIREMENT 3.3 TO 3.5.2
Primary Account Number (PAN) Policy and Procedures for Displaying the PAN Digits

Mask the PAN when displaying it on items such as computer screens, payment card receipts, faxes or paper reports. If PANs are stored on the server, they need to be encrypted to the level required for PCI compliance, using industry-tested and accepted algorithms. The customer is responsible for ensuring that all cardholder data that is processed, transmitted or stored is protected, and that the policies and procedures for protecting cardholder data are documented and incorporated in the customer security policy.
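The masking rule of Requirement 3.3 in practice, as an added example that is not part of this white paper: PCI DSS 3.3 permits at most the first six and last four digits of a PAN to be displayed, so the code below masks everything in between, and a Luhn check keeps order numbers and other digit runs on a receipt or report from being masked by mistake. The receipt line and card numbers are constructed test values, not real cardholder data.

```python
import re

# Card numbers are 13 to 19 digits long; this pattern finds candidate runs in text.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4, mask: str = "*") -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits.

    PCI DSS 3.3 sets six and four as the maximum; callers may choose to keep fewer.
    """
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("PCI DSS 3.3 allows at most the first six and last four digits")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN: expected 13 to 19 digits")
    hidden = len(pan) - keep_first - keep_last
    return pan[:keep_first] + mask * hidden + pan[len(pan) - keep_last:]


def mask_text(text: str) -> str:
    """Mask every Luhn-valid 13 to 19 digit run in free text (receipts, screens, reports).

    Digit runs that fail the Luhn check (order numbers, timestamps) are left untouched.
    """
    def _sub(match: "re.Match[str]") -> str:
        run = match.group(0)
        return mask_pan(run) if luhn_valid(run) else run

    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    # Constructed receipt line with a well-known test card number, not real cardholder data.
    receipt = "Order 1234567890123 paid with card 4111111111111111, auth 0042"
    print(mask_text(receipt))  # Order 1234567890123 paid with card 411111******1111, auth 0042
```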
REQUIREMENT 3.6 TO 3.6.8
Key Management Policy and Procedures

The policy and procedures should cover:
- general description of the system components involved;
- key management procedures;
- generation of strong keys;
- secure key storage;
- periodic key changes, at least annually;
- retirement and destruction of old keys;
- replacement of known or suspected compromised keys;
- key management compromise plan (KMCP);
- split knowledge and dual control of keys;
- prevention of unauthorized substitution of keys;
- key custodians signing a form specifying that they understand and accept their key custodian responsibilities.

The customer is responsible for documenting policies and procedures for key management, which should be incorporated in the customer security policy.

REQUIREMENT 4.1 TO 4.2
Unencrypted Primary Account Numbers (PAN) Policy and Procedures

PANs must be encrypted when transmitted over public networks. The customer is responsible for ensuring cardholder data is encrypted when transmitted over public networks. are an authorised reseller for the Thawte and VeriSign Certificate Authorities and can facilitate the acquisition and installation of an SSL certificate.
REQUIREMENT 5.1 TO 5.2
Anti-Virus Policy and Procedures

Implement anti-virus software to protect against ALL types of malicious software. Implement an anti-virus policy for signature updates and procedures for auditing. The customer is responsible for incorporating an anti-virus policy in the customer security policy. are resellers of Sophos and Symantec anti-virus software (depending on whether the customer is in the Managed or Intensive segment) and can facilitate the installation of anti-virus software with scheduled signature updates. Customers can also choose to manage the updates and logging for their own requirements.

REQUIREMENT 6.1 TO 6.2
Security Patch Management Installation Policy and Procedures

Establish a security patch management programme, with a comprehensive inventory of all system components, whether or not directly associated with the cardholder environment. Establish a process for identifying newly discovered security vulnerabilities, using industry-leading security sources and additional supporting resources, to secure operating systems, firmware and applications. Implement test procedures for testing patches before deployment into production environments.

The customer is responsible for implementing patching policies and incorporating them into the customer security policy. subscribes to and monitors operating system vulnerability announcements and will implement critical updates as a matter of urgency using our WSUS or Red Hat Update server. perform testing of all patches in a contained environment prior to deployment; however, due to the varying nature of customer solutions, the testing does not cover all scenarios or all services and applications. Customers have the option to opt out of the patching schedule and perform their own patching. The customer is responsible for managing all other application vulnerabilities.
REQUIREMENT 6.3 TO 6.3.7
Software Development Life Cycle Processes

Ensure information security is incorporated throughout the software development life cycle in accordance with PCI DSS best practices, including design, implementation, quality assurance, release to production, maintenance and patching (coding vulnerabilities). The customer is responsible for implementing this requirement and incorporating it into the customer security policy. The customer should liaise with developers to ensure information security is incorporated throughout the software development life cycle.

REQUIREMENT 6.4 TO 6.4.4
Change Control Policy and Procedures

Implement a change control management procedure comprising a formal request for change, categorisation and prioritisation of the change, justification and analysis of the change, and approval and implementation of the change with rollback procedures in place. The customer is responsible for implementing a change management process in accordance with the PCI DSS requirements.
REQUIREMENT 6.5 TO 6.6
Software Development Processes for Any Web-Based Applications

Ensure information security is incorporated throughout the software development life cycle in accordance with PCI DSS best practices, including design, implementation, quality assurance, release to production, maintenance and patching (coding vulnerabilities). Employ manual and automated vulnerability assessment tools and methods to review applications and ensure compliance. The customer is responsible for implementing this requirement and incorporating it into the customer security policy. The customer should liaise with developers to ensure information security is incorporated throughout the software development life cycle.

REQUIREMENT 7.1 TO 7.2.3
Data Control & Access Control Policy and Procedures

Implement a data and access control policy and processes, restricting access to the fewest privileges necessary to perform a job (need to know), or restricting access to the fewest privileges for individuals based on their job functions (role-based access control). The customer is responsible for implementing a data and access control policy, incorporated as part of the customer security policy.

REQUIREMENT 8.1 TO 8.4
Unique I.D. & Authentication Methods Policy and Procedures

Assignment of unique I.D.s and passwords, two-factor authentication, and transmission and storage of passwords. The customer is responsible for implementing authentication policies and incorporating them as part of the customer security policy.

REQUIREMENT 8.5 TO 8.5.16
Proper Authentication & Password Management Policy and Procedures

Implement a proper authentication and password management policy, including:
- authorization form;
- password resets;
- first-time passwords;
- terminated employees;
- inactive accounts;
- vendor accounts;
- generic user I.D.s, and shared user I.D.s and passwords;
- password parameters;
- familiarity with and acknowledgement of the password policy and procedures.
The customer is responsible for implementing an authentication and password management policy to incorporate as part of the customer security policy. can assist with setting up local security policies, including password complexity requirements, regular password changes and workstation/server lockout policies.
REQUIREMENT 9.1 TO 9.6
Restrict Physical Access to Cardholder Data

Appropriate physical controls should be in place to prevent unauthorised individuals from gaining access to devices or data. is responsible for ensuring adequate physical controls are in place. is Service Provider Level 1 PCI DSS certified and ISO 27001 certified. Both standards require strict physical controls, which are audited regularly under SAS 70 requirements.

REQUIREMENT 9.7 TO 9.10.2
Media Distribution and Classification Policy and Procedures

Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data. The customer is responsible for implementing controls around media distribution; this should be incorporated as part of the customer security policy. is responsible for maintaining strict controls around backup media. All managed backup media is encrypted and moved to a security vault, with security mechanisms in place throughout the transportation of the backup media. All other media is prohibited in the data centre, unless otherwise authorised by the customer through the correct procedures. also have a data destruction procedure in place; your account manager can provide further information about this.

REQUIREMENT 10.1 TO 10.7
Audit Trail History & Log Retention Policy and Procedures

Establish a process to log all access to system components, and for the retention and management of the logs. The customer is responsible for implementing a policy for the retention and management of log files. can facilitate a log management solution; alternatively, the customer can set up their own log management software/hardware.

REQUIREMENT 11.1
Test for Presence of Wireless Networks

Documented policies and procedures for detecting wireless networks. Wireless networks are not permitted in the customer hosted environment. are responsible for complying with and regularly auditing this requirement.
REQUIREMENT 11.2 TO 11.5
Regularly Test Security Systems and Processes

Implement policies and procedures for network and application layer penetration testing. Deploy an IDS to monitor all traffic in the cardholder environment and alert personnel to suspected compromises. Deploy file-integrity monitoring software. The customer is responsible for implementing policy and procedures for performing penetration testing, and for deploying appropriate measures to monitor and alert on suspected compromises. can facilitate the deployment of IDS and provide referrals to partners or recommend third-party software to achieve this requirement.
REQUIREMENT 12.1 TO 12.9.6
Information Security Policy

Establish a customer security policy which addresses all PCI DSS requirements. This should include a security awareness programme, processes for performing background checks on all new employees, monitoring of service providers' compliance status, and implementation of an incident response plan. The customer is responsible for establishing an information security policy (the customer security policy). are Service Provider Level 1 PCI DSS certified. While customers drive PCI DSS compliance for their own respective solutions, can assist with many aspects of the 12 PCI DSS requirements.