PCI Data Security Standard
Presenter: Hadi Jaafarawi
Managing Director – Kuwait Office
                           Agenda
    1   What is PCI DSS?

    2   What is Cardholder data?

    3   Who must comply with PCI DSS?

    4   PCI DSS Requirements

    5   PCI DSS Scenario




                           What is PCI DSS?
• PCI DSS stands for
      – “Payment Card Industry Data Security Standard”
      – A collaborative effort to achieve a common set of security
        standards for use by entities that process, store or transmit
        cardholder data.


• Multiple credit card organizations participated in the PCI
  effort
      –   American Express (Amex)
      –   Discover Financial Services
      –   JCB International
      –   MasterCard Worldwide
      –   Visa Inc.

               What is “cardholder data”?

• All information from a credit/debit card used in a
  transaction
                                               - pcianswers.com


   – Cardholder data elements
      • Primary Account Number (PAN)
      • Cardholder name
      • Expiration date

   – Sensitive Authentication Data (SAD)
      • Full magnetic stripe data (Track 1 / Track 2)
      • Card Validation Code (CVC/CVV2)
      • Personal identification number (PIN)
    Who Must Comply with PCI DSS?




             What about the Cardholder Data?
• What is allowed to be stored, transmitted, or
  processed?
      – Primary Account Number (PAN), expiration date, and name.

• How should the PAN be protected when stored?
      – Rendered unreadable by truncation, a strong one-way hash, index
        tokens and pads, or strong encryption with proper key management
        (Requirement 3.4). A hash of the PAN should be keyed: with the
        issuer prefix and the last four digits known, the remaining PAN
        space is small enough to enumerate against a plain hash.

• What must NOT be stored post-authorization (even if encrypted)?
      – Full track data (Track 1, Track 2), CVV2/CVC2, PIN/PIN block.

                               PCI DSS Applicability Information

                                                               Storage     Protection   PCI DSS
                            Data Element                       Permitted   Required     Req. 3.4
Cardholder Data             Primary Account Number (PAN)       Yes         Yes          Yes
                            Cardholder Name [1]                Yes         Yes [1]      No
                            Service Code [1]                   Yes         Yes [1]      No
                            Expiration Date [1]                Yes         Yes [1]      No
Sensitive Authentication    Full Magnetic Stripe Data [3]      No          N/A          N/A
Data [2]                    CAV2/CVC2/CVV2/CID                 No          N/A          N/A
                            PIN/PIN Block                      No          N/A          N/A

[1] These data elements must be protected if stored in conjunction with the PAN. This protection should be per PCI DSS requirements for general protection of the cardholder
data environment. Additionally, other legislation (e.g., related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this
data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if
PANs are not stored, processed, or transmitted.
[2] Sensitive authentication data must not be stored after authorization (even if encrypted).
[3] Full track data from the magnetic stripe, magnetic stripe image on the chip, or elsewhere.
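The following is an added example and not part of the original slides or any PCI SSC material. It demonstrates two things the slides state but do not show: the PAN protection options from the "What about the Cardholder Data?" slide (truncation and hashing, including why a plain hash of a PAN is weak when a truncated copy of the same PAN exists), and a scan of stored data for the Sensitive Authentication Data that table note [2] says must never be kept after authorization. The test PAN, the hashing key and the log lines are constructed; the key would in practice be held in an HSM or key-management service.

```python
"""Added example, not from the original slides: the PAN protections on
slide 6 (truncation, hashing) and a check of stored data for Sensitive
Authentication Data, which table note [2] says must never be kept after
authorization. Standard library only; key and log lines are constructed."""
import hashlib
import hmac
import re

SAMPLE_PAN = "4111111111111111"  # constructed Luhn-valid test number
# Assumed hashing key; in production it lives in an HSM/KMS under Req. 3.
HASH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check: validates PANs and cuts scanner false positives."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: keep at most the first six and last four digits.
    The middle is discarded (not just masked on screen), so the stored
    value alone cannot be reversed."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN; shown only to demonstrate the weakness."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA256 of the PAN; without the key the enumeration below fails."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(digest: str, first6: str, last4: str):
    """Attacker's view: a truncated copy (first six, last four) plus an
    unkeyed hash of the same 16-digit PAN leaves only six unknown digits.
    Enumerate the 10^6 candidates; return the match or None. This is why
    a stored PAN hash must be keyed when a truncated form also exists."""
    for middle in range(1_000_000):
        cand = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(cand.encode()).hexdigest() == digest:
            return cand
    return None


# Formats that must not be stored post-authorization (table note [2]).
TRACK1 = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")  # %B<PAN>^NAME^YYMM...
TRACK2 = re.compile(r";\d{13,19}=\d{4}")                # ;<PAN>=YYMM...
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cav2|cid)\s*[=:]\s*\d{3,4}\b", re.I)
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scan_for_card_data(lines):
    """Return (line_no, finding) for lines holding SAD or an unprotected PAN.
    Digit runs count as a PAN only if they pass the Luhn check."""
    findings = []
    for n, line in enumerate(lines, 1):
        for name, pat in (("track1", TRACK1), ("track2", TRACK2), ("cvv", CVV)):
            if pat.search(line):
                findings.append((n, name))
        if any(luhn_valid(m.group()) for m in PAN_RUN.finditer(line)):
            findings.append((n, "pan"))
    return findings


# Constructed log lines resembling a verbose POS/gateway debug log.
SAMPLE_LOG = [
    "2009-03-01T10:00:00Z auth ok order=1234567890123 amount=19.99",
    "2009-03-01T10:00:01Z DEBUG track=%B4111111111111111^DOE/JOHN^1012101?",
    "2009-03-01T10:00:02Z DEBUG track2=;4111111111111111=10121011000012345?",
    "2009-03-01T10:00:03Z form cvv2=123 pan=411111XXXXXX1111",
    "2009-03-01T10:00:04Z settle pan=4111111111111111 exp=1012",
]

if __name__ == "__main__":
    print("stored form:", truncate_pan(SAMPLE_PAN))
    print("unkeyed hash recovered:",
          recover_pan(unkeyed_hash(SAMPLE_PAN), SAMPLE_PAN[:6], SAMPLE_PAN[-4:]))
    print("keyed hash recovered:",
          recover_pan(keyed_hash(SAMPLE_PAN), SAMPLE_PAN[:6], SAMPLE_PAN[-4:]))
    for n, finding in scan_for_card_data(SAMPLE_LOG):
        print(f"line {n}: {finding}")
```

Run as-is: the unkeyed hash is recovered in well under a second once the truncated copy is known, the keyed hash is not, and the scanner flags lines 2 to 5 of the constructed log (track 1, track 2, a CVV2 and an unprotected PAN) while leaving the order number on line 1 alone because it fails the Luhn check. The Luhn filter is what keeps such a scan usable on real data stores; the regexes alone would match most timestamps and order numbers.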
                  Why Comply with the PCI DSS?
• The payment brands continually monitor cases of account data
  compromise. These compromises cover the full spectrum of
  organizations, from very small to very large merchants and service
  providers.
• A security breach and subsequent compromise of payment card data
  has far-reaching consequences for affected organizations, including:
      –   Regulatory notification requirements
      –   Loss of reputation
      –   Loss of customers
      –   Potential financial liabilities (e.g., regulatory and other fees/fines)
      –   Litigation

                         PCI DSS Requirements
Build and Maintain a Secure Network
   1.  Install and maintain a firewall configuration to protect cardholder data
   2.  Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
   3.  Protect stored cardholder data
   4.  Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
   5.  Use and regularly update anti-virus software
   6.  Develop and maintain secure systems and applications
Implement Strong Access Control Measures
   7.  Restrict access to cardholder data by business need-to-know
   8.  Assign a unique ID to each person with computer access
   9.  Restrict physical access to cardholder data
Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
Maintain an Information Security Policy
   12. Maintain a policy that addresses information security
                                            Requirement 1
 1   Install and maintain a firewall configuration

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                            Requirement 2
 2   Do not use vendor-supplied defaults for system passwords

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                           Requirement 3
 3   Protect stored cardholder data

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                            Requirement 4
 4   Encrypt transmission of cardholder data across open, public networks

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                            Requirement 5
 5   Use and regularly update anti-virus software

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                           Requirement 6
 6   Develop and maintain secure systems and applications

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                            Requirement 7
 7   Restrict access to cardholder data by business need-to-know

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside; a Firewall Administrator role is shown at the DMZ]

                                            Requirement 8
 8   Assign a unique ID to each person with computer access

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                              Requirement 9
 9   Restrict physical access to cardholder data

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside]

                                         Requirement 10
10   Track and monitor all access to network resources and cardholder data

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside; a Log Management system is shown collecting from the internal subnets]

                                         Requirement 11
11   Regularly test security systems and processes

   – Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV)
   – Penetration testing at least yearly (the ASV requirement applies to the
     quarterly external scans, not to the penetration test, which may be done
     by any qualified internal or external tester)
   – Intrusion detection (IDS) on the internal network

[Diagram: Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee and Business Partners connecting from outside; an IDS is placed on the internal network]

                                         Requirement 12
12   Maintain an Information Security Policy

   Policies
      – Information Security Policy
      – Risk Management Policy
      – Organizing Information Security Policy
      – Asset Management Policy
      – Human Resources Security Policy
      – Physical and Environmental Security Policy
      – Communications and Network Security Policy
      – Access Control Policy
      – Information Systems Acquisition, Development and Operation Policy
      – Information Security Incident Management Policy
      – Business Continuity Management Policy
      – Compliance with Legal & Contractual Framework Policy

   Procedures
      – Risk Assessment
      – Change Management Procedure
      – Patch Management Procedure
      – User Access Management Procedure
      – Backup and Restoration Procedure
      – Management Review Procedure
      – Application System Acquisition, Development and Maintenance Procedure
      – Personnel Security Procedure
      – Server Security Procedure
      – IT Asset Classification and Valuation Procedure

[Diagram: the same network as on the previous slides (Internet, DMZ, Server Subnet, Users Subnet; Customer, Remote Employee, Business Partners)]

                                 More Information
The PCI Security Standards Council website contains all published documents:
www.pcisecuritystandards.org

       –   PCI Data Security Standard v1.2 (released October 2008)
       –   PCI Security Audit Procedures
       –   PCI Security Scanning Procedures
       –   PCI Self-Assessment Questionnaire
       –   Qualified Security Assessor (QSA) Validation Requirements
       –   Approved Scanning Vendor (ASV) Technical and Operational Requirements
       –   ASV Validation Requirements
       –   Feedback Forms

MasterCard Website: www.mastercard.com/sdp

Visa Website: www.visa.com/cisp

Securing The Middle East’s IT Infrastructure

				