3.1 PCI/DSS Goals and Requirements

Time
3 hours 37 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:00
Welcome to the Cybrary course on Demystifying PCI DSS Compliance.
00:06
This module focuses on the goals of the PCI DSS and the requirements associated with
00:11
This course is designed so that you can pick and choose the modules or portions that you may have specific questions about that I hope to address.
00:20
In general, you don't need to understand requirement four to understand requirement five.
00:25
So you don't necessarily need to review each video sequentially unless you want to.
00:30
This video is an introduction to the requirements of the PCI DSS.
00:35
And the learning objective of this video is to identify the six goals of the PCI DSS and the corresponding requirements.
00:44
The PCI SSC developed six goals that drive the requirements associated with operating a secure cardholder data environment.
00:52
Let's start with a goal of building and maintaining secure networks.
00:58
This is a generic goal, but it's placed at the forefront
01:00
because companies must do the due diligence to secure the systems that they're operating.
01:06
Requirements associated with this goal employ some of the bare minimum controls necessary to limit and protect the attack surface of your environment.
01:15
The second goal is to protect cardholder data.
01:18
Cardholder data refers to any information printed, processed, transmitted or stored in any form that is related to a payment card.
01:26
This is another generic goal that is meant to protect the sensitivity of data associated with cards.
01:33
Merchants are to do what they can to prevent unauthorized use.
01:37
Whether the data is printed and stored locally or transmitted over an internal or public network to a remote server or a service provider, the merchant must provide protections.
01:49
The third goal is for the merchant to make sure that they have implemented a vulnerability management program.
01:56
Vulnerability management is a process of systematically and continuously finding weaknesses in the entity's payment card infrastructure.
02:05
The merchant is directed to be proactive in discovering the potential points of the data environment that could be exploited.
02:12
This includes security procedures, system design, implementation or internal controls that could be exploited in any way to violate the system security.
02:23
Fourth goal is putting in place access controls.
02:28
Access controls are designed to allow merchants to permit or deny the use of physical or technical means to access sensitive cardholder data.
02:36
The intent behind this access control is to limit access to only those who require it to perform their job function.
02:44
Access controls consist of physical and logical tools to deny access to those who do not have a need to know.
02:52
The fifth goal is to regularly monitor and test the security controls of your cardholder data environment.
02:59
Processes and controls that were put in place have to be tested to validate their effectiveness.
03:06
They also must be tested over time because the environment changes and the threats to your environment evolve.
03:12
A control that was previously effective may no longer prevent an adversary from penetrating your network.
03:19
So by continuously monitoring your environment, you'll be better equipped to detect unauthorized access and you'll be better equipped to determine the effectiveness of your controls.
03:29
And the last goal is the implementation of a strong security policy.
03:35
Security policy is meant to establish the culture of security in the organization.
03:39
It should clearly define who is responsible for what and inform all employees of the sensitive nature of processing cardholder.
03:49
Now that we've gone over the high-level goals, let's go into the 12 requirements
03:53
or requirement groups associated with each of these goals
03:57
and we'll start with firewalls.
03:59
The PCI SSC has mandated the implementation of firewalls throughout the cardholder data environment to secure it.
04:06
Firewalls control and monitor the traffic that enters and/or exits the system or network.
04:13
They can exist in endpoints, routers, or as standalone appliances.
04:17
Requirement two is to make sure that all vendor-supplied default passwords were changed.
04:24
One of the first things that attackers do is to check to see if the user name and password combinations of devices in the cardholder data environment are default.
04:33
If I'm able to see that you're running version 1.2 of a particular software, I may be able to look up the user name and password that came with that software and be able to immediately grant myself administrative access to that software because it's not been changed.
04:50
Requirement three is to protect stored cardholder data.
04:55
PCI requires that it must be absolutely necessary for their business to function to allow the storage of sensitive cardholder information.
05:02
If you must store data, then it must be encrypted.
05:08
Requirement four is to protect cardholder data that is being transmitted between networks.
05:14
Communication channels must be encrypted if sensitive information is being sent.
05:18
An attacker could potentially be listening on networks, and if measures to encrypt are put in place, the attacker could steal this information.
05:28
Requirement five is designed to protect all systems against malware.
05:33
It mandates that merchants install and regularly update antivirus software programs.
05:40
Antivirus is meant to thwart some malware from exploiting systems in the data environment.
05:46
Other anti-malware solutions are permitted, but it is required that they be up to date, that up-to-date antivirus be in place.
05:55
Requirement six is to ensure that a merchant practices the development and maintenance of secure software applications.
06:02
Whether developed in house or by a vendor, the merchant needs to make sure the security of the software is tested and patches are regularly implemented to minimize risk
06:12
of an attacker exploiting a flaw in the software.
06:15
For applications developed in house, secure coding practices must be in place.
06:20
Change control procedures and other secure software development practices should always be followed.
06:29
Requirement seven is to restrict access to cardholder data by business need to know.
06:34
This process is to make sure that critical data can only be accessed by authorized personnel, systems and processes.
06:42
Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job function.
06:51
Requirement eight mandates that access to system components must be via unique identification assigned to each person with access.
07:00
This ensures that actions taken on critical data and systems are performed by and can be traced to known and authorized users.
07:11
Requirements apply to all accounts with administrative capabilities and all accounts with access to stored cardholder data.
07:18
Requirements do not apply to accounts used by customers.
07:24
Requirement nine is to restrict physical access to cardholder data.
07:29
If an attacker is physically able to access data or systems, opportunity exists for data to be compromised.
07:35
Physically protecting media includes all paper and electronic media containing cardholder data.
07:43
Requirement 10 mandates that merchants track and monitor all access to network resources and cardholder data.
07:49
Logging mechanisms need to be put in place to provide the ability to track user activities.
07:56
This is an important requirement because it is necessary to provide effective forensics and vulnerability management.
08:05
Requirement 11 is that the merchant must regularly test security systems and processes.
08:11
Vulnerabilities are being discovered continuously by malicious individuals and researchers,
08:16
and then they're being introduced by new software.
08:20
System components, processes and custom software should be tested frequently to ensure security is maintained over time.
08:28
Testing of security controls is especially important for any environmental changes, such as deploying new software or changing system configurations.
08:39
Requirement 12 is simply that the merchant maintain a policy that defines information security policies and procedures for all personnel.
08:50
So in summary, we went over some of the goals of the PCI DSS and we went through each of the requirements needed to meet these goals.
09:01
And now, for a quick quiz.
09:03
The goal of building and maintaining a secure environment has which of the following requirements:
09:09
Restrict physical access and require unique IDs.
09:13
Maintaining a security policy.
09:16
Firewalls and no default passwords.
09:20
Or strong encryption.
09:28
This one is firewalls and no default passwords.
09:33
True or false,
09:35
All users, including customers, are required to have a user account on the CD.
09:43
This one's false.
09:46
Customers do not necessarily have to have a unique user account.
09:54
True or false,
09:54
antivirus isn't required if you have other anti-malware solutions in place.
10:03
This one's false.
10:05
You can have other anti-malware solutions in support of antivirus, but it cannot take the place of
10:11
antivirus solutions.