PCI DATA SECURITY STANDARD OVERVIEW



Similar documents
La règlementation VisaCard, MasterCard PCI-DSS

Two Approaches to PCI-DSS Compliance

Josiah Wilkinson Internal Security Assessor. Nationwide

Achieving Compliance with the PCI Data Security Standard

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

How To Protect Your Business From A Hacker Attack

PCI Compliance Top 10 Questions and Answers

How To Comply With The Pci Ds.S.A.S

PCI Compliance. Top 10 Questions & Answers

Payment Card Industry Data Security Standard (PCI DSS) v1.2

PCI Compliance at The University of South Carolina. Failure is not an option. Rick Lambert PMP University of South Carolina

Payment Card Industry Data Security Standards.

Payment Card Industry Data Security Standard Explained

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Payment Card Industry Data Security Standards

How To Protect Your Credit Card Information From Being Stolen

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

PCI Security Compliance

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

PCI Standards: A Banking Perspective

PCI Compliance Can Make Your Organization Stronger and Fitter. Brent Harman Manager, Systems Consultant Team West NetPro Computing, Inc.

WHITE PAPER. PCI Basics: What it Takes to Be Compliant

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Varonis Systems & The Payment Card Industry Data Security Standard (PCI DSS)

Case 2:13-cv ES-JAD Document Filed 12/09/15 Page 1 of 116 PageID: Appendix A

Accepting Payment Cards and ecommerce Payments

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Strategies To Effective PCI Scoping ISACA Columbus Chapter Presentation October 2008

PCI Compliance. How to Meet Payment Card Industry Compliance Standards. May cliftonlarsonallen.com CliftonLarsonAllen LLP

It Won t Happen To Me! A Network and PCI Security Webinar Presented By FMS and VendorSafe

Worldpay s guide to the Payment Card Industry Data Security Standard (PCI DSS)

Continuous compliance through good governance

PCI Compliance for Cloud Applications

Frequently Asked Questions

How To Protect Visa Account Information

Presented By: Bryan Miller CCIE, CISSP

TNHFMA 2011 Fall Institute October 12, 2011 TAKING OUR CUSTOMERS BUSINESS FORWARD. The Cost of Payment Card Data Theft and Your Business

PCI v2.0 Compliance for Wireless LAN

Comodo HackerGuardian. PCI Security Compliance The Facts. What PCI security means for your business

IT Security Compliance PCI DSS FOR MERCHANTS THE PAYMENT CARD INDUSTRY DATE SECURITY STANDARD WHITE PAPER

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance Overview

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 5/25/2011

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.1)

PCI Compliance: Protection Against Data Breaches

GFI White Paper PCI-DSS compliance and GFI Software products

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

PCI COMPLIANCE FOR HIGHER EDUCATION BEST PRACTICES CHECKLIST. Presented By: The Treasury Institute for Higher Education.

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

PCI DSS COMPLIANCE DATA

MasterCard PCI & Site Data Protection (SDP) Program Update. Academy of Risk Management Innovate. Collaborate. Educate.

Becoming PCI Compliant

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

Project Title slide Project: PCI. Are You At Risk?

Key Steps to Meeting PCI DSS 2.0 Requirements Using Sensitive Data Discovery and Masking

PCI DSS. Payment Card Industry Data Security Standard.

Payment Card Industry Security Standards PCI DSS, PCI-PTS and PA-DSS

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Your Compliance Classification Level and What it Means

PCI Requirements Coverage Summary Table

Click&DECiDE s PCI DSS Version 1.2 Compliance Suite Nerys Grivolas The V ersatile BI S o l uti on!

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

PCI Data Security Standards

PCI DSS Presentation University of Cincinnati

The Cyber Attack and Hacking Epidemic A Legal and Business Survival Guide

PAYMENT CARD INDUSTRY (PCI) COMPLIANCE HISTORY & OVERVIEW

A PCI Journey with Wichita State University

Payment Card Industry Compliance

March

PCI Data Security Standards. Presented by Pat Bergamo for the NJTC February 6, 2014

COLUMBUS STATE COMMUNITY COLLEGE POLICY AND PROCEDURES MANUAL

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

The Cost of Payment Card Data Theft and Your Business. Aaron Lego Director of Business Development

PCI DSS Compliance Guide

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

HOW SECURE IS YOUR PAYMENT CARD DATA?

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

PCI DSS Payment Card Industry Data Security Standard. Merchant compliance guidelines for level 4 merchants

Cyber Security: Secure Credit Card Payment Process Payment Card Industry Standard Compliance

PCI DSS Overview. By Kishor Vaswani CEO, ControlCase

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

Transcription:

PCI DATA SECURITY STANDARD OVERVIEW According to Visa, All members, merchants and service providers must adhere to the Payment Card Industry (PCI) Data Security Standard. In order to be PCI compliant, an organization and all its systems involved in the storage, transmission or processing of cardholder information must meet all of the requirements and sub-requirements outlined in the PCI Data Security Standard. Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored data Requirement 4: Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security 1

REMINGTON PCI SERVICES OVERVIEW Remington Associates is an information security consulting firm with a consultative and client-service focused approach to information security. As a Qualified Data Security Company (QDSC), Remington is fully authorized to perform PCI compliance audits on behalf of all major credit card brands. Remington s PCI compliance and validation services are made up of five components: PCI Counseling and Advisory Services PCI Compliance Gap Assessment Services PCI Vulnerability Scanning Services PCI Readiness and Remediation Services PCI On-Site Audit Services Our clients may use any combination of these services to suit their particular needs. Remington s focus as an organization is 100 percent information security and security regulation compliance. PCI validation and compliance can be the sole focus or part of a larger scope of information security requirements. PCI COUNSELING AND ADVISORY SERVICES Often, the biggest challenge in achieving PCI compliance is interpreting the specific requirements in the PCI Data Security Standard and determining whether or not a given security control or configuration would be considered compliant. Remington Associates will assign a QDSP (Qualified Data Security Professional) to work with your internal team to better understand the intent of each requirement of the PCI Data Security Standard. Through a cooperative review of existing controls, we can provide guidance on whether or not each control or configuration would comply with the Data Security Standard. PCI Counseling and Advisory services are designed to be flexible with the primary intent being to help clarify aspects of the PCI Data Security Standard and compliance requirements. These services are collaborative and educational in nature, designed to help prepare your organization to move into the more formalized aspects of PCI compliance auditing. 2

PCI COMPLIANCE GAP ASSESSMENT SERVICES A PCI Compliance Gap Assessment is designed to uncover elements of the existing environment and security controls that are not in line with the PCI Data Security Standard, without undergoing an in-depth on-site audit. Using the PCI audit framework as a general guide, this assessment consists primarily of data gathering and interview-style reviews of the existing environment. Normally, hands-on analysis of systems and compliance validation are not included as part of a PCI Compliance Gap Assessment. By gathering information about the present configuration of systems and security controls, Remington can advise as to which aspects are likely to be found non-compliant according to the PCI Data Security Standard. Deliverables from the PCI Compliance Gap Assessment will include recommendations for appropriate remediation efforts to bring the PCI-related IT segment into compliance with the PCI Data Security Standard. 3

PCI VULNERABILITY SCANNING SERVICES In accordance with PCI compliance validation requirements, Remington can provide quarterly vulnerability scanning of all publicly accessible systems. Remington is available to test (scan) and re-scan your systems with three days advance notice. Upon confirmation of dates and URL(s), Remington will: Perform vulnerability scanning using automated tools on target URL(s) Perform platform, perimeter and application level testing from external view Identify patterns in scan results and evaluate associated risks Perform some manual testing of systems and services with focus on reported vulnerabilities (the objective is to reduce false positives) Summarize findings and report Package deliverables and report and submit to MasterCard as proof of compliance Generally speaking, the scope of vulnerability scanning should include, at a minimum, all systems that are accessible via the Internet, whether for public use or for authenticated employees only. Remington uses the following guidelines taken directly from the Payment Card Industry Security Scanning Procedures document, published by MasterCard: Scan all filtering devices such as firewalls or external routers Scan all Web servers Scan application servers if present Scan all custom Web applications Scan Domain Name Servers (DNS) Scan mail servers Scan all load balancers Scan virtual hosts Scan wireless access points in wireless LANs (WLANs) Configure the IDS/IPS to accept the originating IP address of Remington Associates 4

PCI READINESS AND REMEDIATION SERVICES Upon completion of a PCI Gap Assessment or Counseling Services, Remington s Audit Team will communicate recommendations and transition work efforts to Remington s Remediation Team. The Remediation Team then provides assistance in implementing appropriate security controls or configuration changes to best prepare your organization for compliance validation, specifically for the Self- Assessment Questionnaire, Quarterly Scan or On-Site Security Audit. The Remington Remediation Team s experience and familiarity with best-in-class security controls combined with our Project Management Office (PMO) ensures smooth implementation of security controls and the changes deemed necessary to bring the PCI segment into compliance. Remington s PMO is highly trained in the use of its unique Professional Services Framework to implement highly effective security controls and solutions. With Remington s PMO, you receive: PMP, CISSP, CISA and QDSP credentials Single point of contact for the engagement Reduced and managed risk to your projects Penta-Constraint management: Scope/Time/Budget/Quality/Risk Integrated security management and awareness Regulatory and best practice compliance Identified accountability for high profile, critical projects 5

PCI ON-SITE AUDIT SERVICES For merchants and service providers that require an annual PCI On-Site Audit for PCI compliance validation, Remington is fully qualified and certified to provide this service on behalf of all major credit card brands, including: Visa, MasterCard, American Express, Discover and Diner s Club. Remington s Audit Team will review all aspects of the environment that store, process or transmit cardholder data to ensure compliance with the PCI Data Security Standard. The auditors will collect data/evidence and perform testing as outlined in the CISP Security Audit Procedures and Reporting document (SAP-R), which is designed to ensure compliance with the PCI Data Security Standard. Upon completion of the PCI On-Site Audit, Remington will provide full documentation of the results, including the preparation of the Report on Compliance (ROC) for the Visa CISP program. The PCI On-Site Audit requires the results of the last four quarterly vulnerability scans; therefore, scanning may need to be performed in parallel with Remington s PCI On-Site Audit. The PCI On-Site Audit usually follows a PCI Compliance Gap Assessment and/or PCI Readiness and Remediation Services for best results. 6

Counseling and Advisory Risk Discovery On-Site Audit PCI Services Gap Assessment Legal Liabilities Analysis Readiness and Remediation Vulnerability Scanning CONFIDENTIALITY Enterprise Assessment Rapid Risk Assessment PCI Services Monitoring & Management COMPLIANCE Regulation & Compliance Incident Response Asset ID & Classification DR/BC Planning Policies & Procedures AVAILABILITY Network Security Controls Application Security Identity & Access Management INTEGRITY Chicago Madison Milwaukee Schaumburg 847.221.0200 www.remingtonltd.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information