
By: Raul Pop | Related Course: PCI/DSS | Published: May 7, 2017 | Modified: May 7, 2017


PCI DSS

Payment Card Industry Data Security Standard

Build and maintain a secure network

 

1) Install and maintain a firewall and router configuration to protect cardholder data

- Standards for configuration and testing

- "Deny all" traffic from untrusted networks

- Prohibit direct public access between the Internet and any system component in the cardholder data environment

- Personal firewall software must be installed on mobile and/or employee-owned computers used to access the organization's network

 

2) Do not use vendor-supplied defaults for system passwords and other security parameters

- Most vendor defaults are simple and easy to guess

- Frequently designed for ease of use

- Passwords and other default settings should be changed before the system is installed on or connected to the network

- Define and apply system baselines and standard configurations that address known vulnerabilities

- Encrypt all non-console administrative access

 

3) Protect stored cardholder data

- Limit storage and retention

- Don't store sensitive authentication information after authorization

- Mask the PAN (Primary Account Number) when displayed (first six or last four digits)

- If stored, the PAN should always be unreadable

- Protect keys used for encryption

- Document and manage all key management processes and procedures

 

4) Encrypt transmission of cardholder data

- Use strong cryptography and transport protocols such as SSL/TLS or IPsec for transmission over open, public networks (Internet, wireless)

- Never send PANs unencrypted via end-user messaging technologies
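As an added example (not part of these notes), the Python helper below applies the display-masking rule from requirement 3 (at most the first six and last four digits shown) and, for requirement 4, scans an outgoing message for unmasked PANs so they can be redacted before they leave via email or chat. The pattern, function names and the sample message are my own constructions; the card number in it is the well-known 4111... test value, not a real account.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check, i.e. could be a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if first > 6 or last > 4 or first + last >= len(digits):
        raise ValueError("mask would expose more of the PAN than allowed")
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def redact_pans(text: str):
    """Replace every Luhn-valid PAN in text with its masked form.

    Returns (redacted_text, number_of_pans_found). Digit runs that fail the
    Luhn check (order ids, phone numbers) are left untouched.
    """
    found = 0

    def _sub(match):
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(_sub, text), found


# Constructed sample message; 4111 1111 1111 1111 is a well-known test number.
SAMPLE = "Card 4111 1111 1111 1111 exp 12/22, order 1234567890123"

if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE)
    print(n, redacted)   # 1 Card 411111******1111 exp 12/22, order 1234567890123
```

The Luhn check keeps the scanner from redacting ordinary 13-19 digit identifiers, which is what makes it usable on real message traffic without constant false positives.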

 

5) Use and regularly update anti-virus software or programs

- Deploy anti-virus software on all systems commonly affected by malicious software

- Ensure that all anti-virus software is current, actively running, and capable of generating audit logs

 

6) Develop and maintain secure systems and applications

- Ensure all system components and software have the latest vendor-supplied patches

- Establish a process to identify new vulnerabilities

- Develop software applications in accordance with PCI/DSS, based on industry best practices, and incorporate information security throughout the software development life cycle

- Follow change control procedures for all changes to system components

- Develop web-based applications based on secure coding guidelines

- Ensure all public web-facing applications are protected


PCI DSS Part 2

Well-Known Attacks

- 2012: about 40 million sets of card data were compromised in a hack of Adobe Systems

- Between 27 Nov and 15 Dec 2013, a breach of systems at Target Corporation exposed 40 million cards

- 16-30 Oct 2013: Neiman Marcus attack

- 8 September: 56 million credit card numbers were disclosed as a result (confirmed by The Home Depot)

Sources of attacks

 

1) Source

- Outsiders = 64%

- Insiders/accident = 24%

- Insiders, malicious = 7%

 

2) Type

- Stolen laptops or computers = 27%

- Exposure on Internet or email = 17%

- Hack = 16%

- Documents lost in mail or on disposal = 9%

- Scams and social engineering = 8%

 

3) Information to protect

- Magnetic stripe

- Chip (magnetic)

- CID

- Expiration date

- CAV2/CID/CV2/CVV2

 

 

 


PCI DSS - Goals

- Payment Card Industry Data Security Standards

- The goal of the PCI DSS is to protect cardholder data that is processed, stored, or transmitted by merchants

- The security controls and processes required by PCI DSS are vital for protecting cardholder account data, including the PAN, the primary account number printed on the front of a payment card


PCI DSS - Tools

1) PCI SSC: offers robust and comprehensive standards and support materials to enhance payment card security

2) PCI DSS: provides an actionable framework for developing a robust payment card data security process, including prevention, detection, and appropriate reaction to security incidents

- Qualified Security Assessors: QSAs are approved by the Council to assess compliance with the PCI DSS

- Self-Assessment Questionnaire: the "SAQ" is a validation tool for organizations that are not required to undergo an on-site assessment for PCI DSS compliance

