DATA SECURITY & PCI DSS COMPLIANCE PROTECTING CUSTOMER DATA
WHAT IS PCI DSS? PAYMENT CARD INDUSTRY DATA SECURITY STANDARD. A SET OF REQUIREMENTS FOR ANY ORGANIZATION OR MERCHANT THAT ACCEPTS, PROCESSES, STORES OR TRANSMITS CARDHOLDER DATA. THERE ARE SIX GOALS AND TWELVE REQUIREMENTS.
PCI SCOPE: ANY SYSTEM COMPONENT IN, OR CONNECTED TO, THE CARDHOLDER DATA ENVIRONMENT (CDE). THAT INCLUDES COMPUTERS, REGISTERS, SCALES, WIRELESS ACCESS POINTS AND ANY NETWORK DEVICE THAT CAN REACH CARDHOLDER DATA. IF IT IS IN SCOPE, EVERY REQUIREMENT BELOW APPLIES TO IT.
NETWORK SEGMENTATION: PUT ROLES AND SERVICES THAT DO NOT NEED TO BE IN THE CARDHOLDER DATA ENVIRONMENT ON A SEPARATE, STILL SECURED, NETWORK (E.G. MANAGER COMPUTERS, SCALES, CUSTOMER WIRELESS, KIOSKS, PRINTERS). SEGMENTATION ONLY SHRINKS PCI SCOPE IF THE SEPARATION IS ENFORCED (FIREWALL RULES, NO SHARED VLAN WITH THE REGISTERS) AND VERIFIED BY TESTING.
GOAL 1: BUILD AND MAINTAIN A SECURE NETWORK. REQUIREMENT 1: INSTALL AND MAINTAIN A FIREWALL CONFIGURATION TO PROTECT CARDHOLDER DATA. MAKE SURE YOU HAVE PROPER INTERNET SAFEGUARDS: DENY ALL TRAFFIC BY DEFAULT, ALLOW ONLY WHAT THE BUSINESS NEEDS, AND REVIEW THE RULE SET AT LEAST EVERY SIX MONTHS. REQUIREMENT 2: DO NOT USE VENDOR-SUPPLIED DEFAULTS FOR SYSTEM PASSWORDS AND OTHER SECURITY PARAMETERS. CHANGE THE DEFAULT PASSWORDS (AND DEFAULT SNMP STRINGS AND WIRELESS KEYS) ON ALL NETWORK DEVICES BEFORE THEY GO LIVE, AND DO NOT USE EASY PASSWORDS.
WHAT A FIREWALL DOES: ALLOWS GOOD TRAFFIC (EMAIL, WEB, VPN), DENIES BAD TRAFFIC (HACK ATTEMPTS, PORT SCANNING), DETERMINES WHERE GOOD TRAFFIC GOES, AND LOGS WHO IS TRYING TO BREACH AND FROM WHERE. FIRST LINE OF DEFENSE, BUT NOT THE ONLY ONE: IT CANNOT STOP AN ATTACK CARRIED INSIDE TRAFFIC IT ALLOWS, WHICH IS WHY REQUIREMENTS 5 THROUGH 11 EXIST.
GOAL 2: PROTECT CARDHOLDER DATA. REQUIREMENT 3: PROTECT STORED CARDHOLDER DATA. STORE AS LITTLE AS POSSIBLE, FOR AS SHORT A TIME AS POSSIBLE. IF ONSITE STORAGE IS NEEDED, KEEP IT IN A SECURED DATABASE WITH THE CARD NUMBER (PAN) RENDERED UNREADABLE (TRUNCATION, TOKENIZATION, KEYED HASH, OR STRONG ENCRYPTION WITH MANAGED KEYS). NEVER KEEP IT IN UNSECURED DOCUMENTS SUCH AS EXCEL OR WORD FILES, AND NEVER STORE THE SECURITY CODE (CVV), PIN OR FULL MAGNETIC-STRIPE DATA AFTER AUTHORIZATION, EVEN ENCRYPTED. REQUIREMENT 4: ENCRYPT TRANSMISSION OF CARDHOLDER DATA ACROSS OPEN, PUBLIC NETWORKS. TALK TO YOUR POS VENDOR TO MAKE SURE ALL TRANSMISSIONS USE CURRENT, STRONG ENCRYPTION (TLS, NOT SSL OR EARLY TLS). KNOW AT WHAT POINT THE DATA IS ENCRYPTED, FROM SOURCE TO DESTINATION, AND WHAT IS STILL IN THE CLEAR BEFORE THAT POINT.
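ADDED EXAMPLE FOR REQUIREMENT 3 (NOT CODE FROM THE ORIGINAL PRESENTATION OR FROM KCS TECH): PYTHON CODE SHOWING WHAT "PROTECT STORED CARDHOLDER DATA" LOOKS LIKE AT THE POINT WHERE A TRANSACTION IS WRITTEN TO A DATABASE. IT VALIDATES THE CARD NUMBER (PAN), KEEPS ONLY A MASKED FORM FOR DISPLAY AND A KEYED HASH FOR MATCHING A RETURNING CARD, AND REFUSES ANY RECORD THAT STILL CARRIES CVV, PIN OR TRACK DATA. THE HMAC KEY, THE FIELD NAMES AND THE SAMPLE TRANSACTION ARE ASSUMPTIONS MADE FOR THE EXAMPLE.

```python
# Added example, not from the original presentation or from KCS Tech.
# Standard library only. Assumptions: HMAC-SHA256 under a secret key stands
# in for whatever method the merchant picks to render the PAN unreadable,
# and the transaction / record layouts are made up for illustration.
import hashlib
import hmac

# Sensitive authentication data that must never be stored after authorization
# (PCI DSS Req 3.2): full track data, card verification code, PIN / PIN block.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn check on an all-digit PAN; rejects typos and garbage before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits (Req 3.3)."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (one of the Req 3.4 methods).
    Lets a returning card be matched without keeping the PAN. The key is
    cryptographic key material: manage it under Req 3.5 / 3.6 and never
    store it alongside the tokens, or the tokens become a PAN lookup table."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def build_storage_record(txn: dict, key: bytes) -> dict:
    """The only shape allowed to reach the database: no SAD, no clear-text PAN."""
    sad = FORBIDDEN_FIELDS & set(txn)
    if sad:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(sad)}")
    pan = txn["pan"].replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN failed Luhn check")
    return {
        "pan_masked": mask_pan(pan),      # what staff may see on screen / receipt
        "pan_token": pan_token(pan, key),
        "amount": txn["amount"],
        "approval_code": txn.get("approval_code"),
    }


if __name__ == "__main__":
    # Constructed sample input; the key would come from an HSM or key vault.
    demo_key = b"replace-with-managed-key-material"
    good = {"pan": "4111 1111 1111 1111", "amount": "19.99", "approval_code": "A1B2C3"}
    print(build_storage_record(good, demo_key))
    bad = dict(good, cvv="123")
    try:
        build_storage_record(bad, demo_key)
    except ValueError as exc:
        print("rejected:", exc)
```

THE POINT OF THE GATE FUNCTION IS THAT THE FULL PAN AND THE SECURITY CODE NEVER HAVE A PATH INTO STORAGE, NOT THAT THEY ARE DELETED LATER. THE KEY BELONGS IN A KEY VAULT OR HSM, NOT IN THE CODE OR IN THE SAME DATABASE AS THE TOKENS.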
WHAT IS ENCRYPTION? THE PROCESS OF ENCODING DATA SO THAT ONLY AUTHORIZED PARTIES CAN READ IT. REQUIRES A KEY ON EACH SIDE OF THE TRANSMISSION: SYMMETRIC ENCRYPTION USES THE SAME SECRET KEY TO ENCRYPT AND DECRYPT; PUBLIC-KEY ENCRYPTION USES A PUBLIC KEY TO ENCRYPT AND A PRIVATE KEY TO DECRYPT. HARDWARE (E.G. AN ENCRYPTING CARD READER) OR SOFTWARE CAN DO IT, AND THE PROTECTION IS ONLY AS GOOD AS THE KEY MANAGEMENT. EXAMPLE: HTTPS (HTTP OVER TLS) VS. PLAIN HTTP, WHICH SENDS EVERYTHING READABLE ON THE WIRE.
GOAL 3: MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM. REQUIREMENT 5: PROTECT ALL SYSTEMS AGAINST MALWARE AND REGULARLY UPDATE ANTI-VIRUS SOFTWARE. THIS INCLUDES POS DEVICES: IF IT CAN BE INFECTED WITH MALWARE, IT NEEDS PROTECTING, AND THE PROTECTION MUST BE RUNNING AND LOGGING, NOT JUST INSTALLED. REQUIREMENT 6: DEVELOP AND MAINTAIN SECURE SYSTEMS AND APPLICATIONS. KEEP COMPUTERS, POS SOFTWARE AND NETWORK DEVICES UP TO DATE ON PATCHES (CRITICAL PATCHES WITHIN ONE MONTH OF RELEASE). WATCH FOR EMERGING SECURITY FLAWS TO MAKE SURE YOU ARE NOT AFFECTED.
GOAL 4: IMPLEMENT STRONG ACCESS CONTROL MEASURES. REQUIREMENT 7: RESTRICT ACCESS TO CARDHOLDER DATA BY BUSINESS NEED TO KNOW. KEEP CARDHOLDER DATA OUT OF THE HANDS OF UNAUTHORIZED PERSONNEL: DEFAULT TO DENY AND GRANT ACCESS TO A SELECT FEW. REQUIREMENT 8: IDENTIFY AND AUTHENTICATE ACCESS TO SYSTEM COMPONENTS. A UNIQUE LOGIN FOR EVERY USER (NO SHARED OR GENERIC ACCOUNTS), LOCKOUT AFTER REPEATED FAILED PASSWORD ATTEMPTS, PASSWORD COMPLEXITY, AND MULTI-FACTOR AUTHENTICATION FOR REMOTE ACCESS. REQUIREMENT 9: RESTRICT PHYSICAL ACCESS TO CARDHOLDER DATA. CAMERAS AND ACCESS CONTROLS FOR SENSITIVE AREAS, NO PUBLICLY ACCESSIBLE NETWORK JACKS, AND PERIODIC INSPECTION OF CARD READERS FOR TAMPERING OR SKIMMERS.
GOAL 5: REGULARLY MONITOR AND TEST NETWORKS. REQUIREMENT 10: TRACK AND MONITOR ALL ACCESS TO NETWORK RESOURCES AND CARDHOLDER DATA. TURN ON NETWORK AND LOGIN AUDITING, SYNCHRONIZE CLOCKS, SEND LOGS OFF THE DEVICE SO AN INTRUDER CANNOT ERASE THEM, AND ACTUALLY REVIEW THEM (DAILY FOR CRITICAL SYSTEMS). REQUIREMENT 11: REGULARLY TEST SECURITY SYSTEMS AND PROCESSES. RUN QUARTERLY INTERNAL AND EXTERNAL VULNERABILITY SCANS (EXTERNAL SCANS MUST COME FROM A PCI-APPROVED SCANNING VENDOR, ASV) AND RESCAN AFTER SIGNIFICANT CHANGES. IDENTIFY AND FIX THE ISSUES FOUND. STARTING JAN 1 2015 (PCI DSS 3.0) THIS ALSO INCLUDES ANNUAL PENETRATION TESTING, INCLUDING TESTS THAT YOUR NETWORK SEGMENTATION ACTUALLY HOLDS.
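ADDED EXAMPLE FOR REQUIREMENTS 8 AND 10 (NOT CODE FROM THE ORIGINAL PRESENTATION OR FROM KCS TECH): PYTHON DETECTION LOGIC THAT READS LOGIN AUDIT LINES AND FLAGS ANY ACCOUNT THAT HITS THE LOCKOUT THRESHOLD, SO YOU CAN VERIFY THE POS OR DOMAIN IS ACTUALLY ENFORCING LOCKOUT AND CATCH PASSWORD GUESSING AGAINST REGISTERS. THE LOG FORMAT AND SAMPLE LINES ARE CONSTRUCTED FOR THE EXAMPLE; THE SIX-ATTEMPT / 30-MINUTE THRESHOLD IS THE PCI DSS 3.X VALUE AND SHOULD BE SET TO YOUR OWN POLICY.

```python
# Added example, not from the original presentation or from KCS Tech.
# Detection logic for Requirement 8 (lockout after repeated failures) and
# Requirement 10 (audit logs are only useful if someone reads them), run over
# constructed audit lines. Assumptions: the log format is invented for this
# example, and the threshold (six failures, 30-minute window) follows the
# PCI DSS 3.x values in Req 8.1.6 / 8.1.7; set it to your own policy.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 6
WINDOW = timedelta(minutes=30)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: "manager" is hammered from two sources; cashier7 has two
# genuine typos hours apart and must not be flagged.
SAMPLE_LOG = """\
2015-01-05T09:00:01 pos-reg1 auth OK user=cashier7 src=10.10.20.11
2015-01-05T09:02:10 pos-reg1 auth FAIL user=manager src=10.10.50.23
2015-01-05T09:03:15 pos-reg1 auth FAIL user=manager src=10.10.50.23
2015-01-05T09:04:20 pos-reg1 auth FAIL user=manager src=10.10.50.23
2015-01-05T09:05:25 pos-reg1 auth FAIL user=manager src=10.10.50.23
2015-01-05T09:06:30 pos-reg1 auth FAIL user=manager src=10.10.50.23
2015-01-05T09:07:35 pos-reg1 auth FAIL user=manager src=10.10.50.24
2015-01-05T09:30:00 pos-reg2 auth FAIL user=cashier7 src=10.10.20.12
this line is corrupt and must be reported, not silently dropped
2015-01-05T11:30:00 pos-reg2 auth FAIL user=cashier7 src=10.10.20.12
"""


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_lockouts(lines):
    """Sliding-window failure counter per user.

    Returns (hits, malformed): hits maps user -> (time the threshold was hit,
    sorted list of source addresses involved); malformed counts lines that
    did not parse, which is itself a Req 10 finding (log tampering or a
    broken collector)."""
    recent = defaultdict(deque)
    hits = {}
    malformed = 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            malformed += 1
            continue
        q = recent[ev["user"]]
        if ev["result"] == "OK":
            q.clear()           # successful login resets the failure streak
            continue
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()         # drop failures older than the window
        if len(q) >= MAX_FAILURES and ev["user"] not in hits:
            hits[ev["user"]] = (ev["ts"], sorted({e["src"] for e in q}))
    return hits, malformed


if __name__ == "__main__":
    hits, malformed = find_lockouts(SAMPLE_LOG.splitlines())
    for user, (when, sources) in hits.items():
        print(f"LOCKOUT {user} at {when.isoformat()} from {', '.join(sources)}")
    print(f"{malformed} malformed log line(s)")
```

RUN THIS AGAINST THE LOGS YOUR REGISTERS AND SERVERS ALREADY PRODUCE (ONCE AUDITING IS TURNED ON AND SHIPPED OFF-BOX). IF THE SCRIPT FINDS A LOCKOUT CONDITION THAT THE SYSTEM ITSELF NEVER ENFORCED, THAT IS A REQUIREMENT 8 GAP; IF IT FINDS MALFORMED OR MISSING LINES, THAT IS A REQUIREMENT 10 GAP.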
GOAL 6: MAINTAIN AN INFORMATION SECURITY POLICY. REQUIREMENT 12: MAINTAIN A POLICY THAT ADDRESSES INFORMATION SECURITY FOR ALL PERSONNEL. DOCUMENT THE PROCEDURES FOR YOUR IT ENVIRONMENT, INCLUDING AN INCIDENT RESPONSE PLAN, TRAIN PERSONNEL ON THEM, AND REVIEW AND TEST THEM AT LEAST ANNUALLY.
BE PROACTIVE! ANALYZE YOUR RISK. DO SOMETHING BEFORE YOU ARE MADE TO DO SOMETHING. CHECK WITH VENDORS TO MAKE SURE THEY ARE UP TO DATE. TALK WITH YOUR PAYMENT PROCESSOR OR BANK ABOUT THEIR LATEST EFFORTS AGAINST BREACHES. MAKE SURE YOU ARE PROTECTED: INSURANCE AND BREACH PROTECTION TO COVER FINES, FORENSIC COSTS, ETC.
JASON@KCSTECH.COM SALES@KCSTECH.COM