PCI DSS

K. K. Mookhey
What is PCI DSS?

• Payment Card Industry (PCI) Data Security Standard (DSS)
• PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
• PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.
Why Is Compliance with PCI DSS Important?

• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
  • Regulatory notification requirements,
  • Loss of reputation,
  • Loss of customers,
  • Potential financial liabilities (for example, regulatory and other fees and fines), and
  • Litigation.
PCI DSS
Payment Card Industry Data Security Standard

• Standard applies to:
  • Merchants – Acquirer is the authority
  • Service Providers – Card Brand or Client is the authority
  • Systems
• Who:
  • Store cardholder data
  • Transmit cardholder data
  • Process cardholder data
• Inclusive of:
  • Electronic Transactions
  • Paper Transactions
The PCI Security Standards Council (PCI SSC)

• An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
  • Data Security Standard (DSS)
  • Payment Application Data Security Standard (PA-DSS)
  • PIN Transaction Security (PTS)
    • Formerly known as PIN-Entry Device (PED)

Diagram: the three PCI SSC standards: PCI PTS, PCI PA-DSS, PCI DSS
PCI SSC – Standards

PIN Transaction Security (PTS) Requirements

• It is a set of security requirements focused on characteristics and management of devices used in the protection of cardholder PINs and other payment processing related activities.
• The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
• Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC.

www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
Payment Application Data Security Standard (PA-DSS)

• The PA-DSS is for software developers and integrators of
  payment applications that store, process or transmit
  cardholder data as part of authorization or settlement when
  these applications are sold, distributed or licensed to third
  parties.

• Most card brands encourage merchants to use payment
  applications that are tested and approved by the PCI SSC.

Validated applications are listed at:
www.pcisecuritystandards.org/security_standards/pa_dss.shtml
PCI Data Security Standard (DSS)

• The PCI DSS applies to all entities that store, process,
  and/or transmit cardholder data.
• It covers technical and operational system components
  included in or connected to cardholder data.
• If you are a merchant who accepts or processes
  payment cards, you must comply with the PCI DSS.
The PCI Security Standards Founders
Data on Payment Card
Track 1 vs. Track 2 Data
Track 1 vs. Track 2 Data (cont.)

• If full track (either Track 1 or Track 2, from the magnetic stripe, magnetic-stripe image in a chip, or elsewhere) data is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.
• Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
What to store & what not to store
Guidelines for Storage

1. One-way hash functions based on strong cryptography – converts the
entire PAN into a unique, fixed-length cryptographic value.

2. Truncation – permanently removes a segment of the data (for example,
retaining only the last four digits).

3. Index tokens and securely stored pads – encryption algorithm that
combines sensitive plain text data with a random key or “pad” that works only
once.

4. Strong cryptography – with associated key management processes and
procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms,
Abbreviations and Acronyms for the definition of “strong cryptography.”
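To make the first two storage methods concrete, here is an added example (written for this page; not the deck's or the PCI SSC's code) showing truncation, display masking and a one-way hash of a PAN, plus a guard that confirms no stored field still carries the full number. The hash is an HMAC-SHA-256 rather than a bare SHA-256; that keyed construction is my choice, made because the PAN space is small and structured enough that an unkeyed hash of a PAN can be guessed exhaustively. The PAN (the public Visa test number) and the key are constructed placeholders; a real key belongs in an HSM or key-management system under the key-management procedures the slide refers to.

```python
import hashlib
import hmac
import re

# Constructed inputs: the public Visa test number (not a real card) and a
# placeholder key. In production the key comes from an HSM or key-management
# system and is rotated under documented key-management procedures.
TEST_PAN = "4111 1111 1111 1111"
HASH_KEY = b"placeholder-key-replace-with-managed-key"


def normalize(pan: str) -> str:
    """Strip spaces and dashes so input formatting does not change results."""
    return re.sub(r"\D", "", pan)


def truncate_pan(pan: str) -> str:
    """Truncation: keep only the last four digits; the rest is gone for good."""
    return normalize(pan)[-4:]


def mask_pan(pan: str) -> str:
    """Display masking (first six / last four). The full PAN still exists
    somewhere, so this is a display control, not a storage control."""
    digits = normalize(pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """One-way keyed hash of the whole PAN (HMAC-SHA-256). A bare hash of a
    PAN is cheap to brute-force because the PAN space is small; the key
    turns the guess into a problem of recovering the key instead."""
    return hmac.new(key, normalize(pan).encode("ascii"), hashlib.sha256).hexdigest()


def storage_record(pan: str, key: bytes = HASH_KEY) -> dict:
    """What a system that only needs to recognise a returning card and show
    the last four may keep. No field holds the full PAN."""
    return {
        "pan_last4": truncate_pan(pan),
        "pan_hmac": hash_pan(pan, key),
        "pan_masked": mask_pan(pan),
    }


def record_leaks_pan(record: dict, pan: str) -> bool:
    """Guard for tests and reviews: does any stored field contain the full PAN?"""
    full = normalize(pan)
    return any(full in str(value) for value in record.values())


if __name__ == "__main__":
    rec = storage_record(TEST_PAN)
    for field, value in rec.items():
        print(f"{field}: {value}")
    print("full PAN present:", record_leaks_pan(rec, TEST_PAN))
```

The hash is deterministic under one key, which is what lets a merchant match a returning card without storing the number; changing the key changes every hash, so key rotation also has to be planned against any lookups that depend on the old values.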
The PCI Data Security Standard
Six Goals, Twelve Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors
Other PCI Standards
PIN Transaction Security (PTS) Requirements (cont.)

• Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
• Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
• Objective 3: Keys are conveyed or transmitted in a secure manner.

PIN Transaction Security (PTS) Requirements (cont.)

• Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner.
• Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
• Objective 6: Keys are administered in a secure manner.
• Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
PA-DSS (cont.)

• Requirement 1: Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
• Requirement 2: Protect stored cardholder data
• Requirement 3: Provide secure authentication features
• Requirement 4: Log payment application activity
• Requirement 5: Develop secure payment applications
• Requirement 6: Protect wireless transmissions
• Requirement 7: Test payment applications to address vulnerabilities
• Requirement 8: Facilitate secure network implementation
• Requirement 9: Cardholder data must never be stored

PA-DSS (cont.)

• Requirement 10: Facilitate secure remote access to payment application
• Requirement 11: Encrypt sensitive traffic over public networks
• Requirement 12: Encrypt all non-console administrative access
• Requirement 13: Maintain instructional documentation and training programs for customers, resellers, and integrators
Thank you!
             Questions / Queries

        NETWORK INTELLIGENCE INDIA PVT. LTD.
              AN ISO/IEC 27001:2005 CERTIFIED COMPANY



Web     http://www.niiconsulting.com
Email   kkmookhey@niiconsulting.com
Tel     +91-22-2839-2628
        +91-22-4005-2628
Fax     +91-22-2837-5454

The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

PCI DSS for Penetration Testing

  • 1. PCI DSS (K. K. Mookhey)
  • 2. What is PCI DSS?
      - Payment Card Industry (PCI) Data Security Standard (DSS).
      - PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
      - PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks.
  • 3. Why Is Compliance with PCI DSS Important?
      - A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
          - regulatory notification requirements,
          - loss of reputation,
          - loss of customers,
          - potential financial liabilities (for example, regulatory and other fees and fines), and
          - litigation.
  • 4.
  • 5. PCI DSS: Payment Card Industry Data Security Standard
      - Standard applies to:
          - Merchants – Acquirer is the authority
          - Service Providers – Card Brand or Client is the authority
          - Systems
      - Who:
          - Store cardholder data
          - Transmit cardholder data
          - Process cardholder data
      - Inclusive of:
          - Electronic Transactions
          - Paper Transactions
  • 6. The PCI Security Standards Council (PCI SSC)
      - An open global forum, launched in 2006, responsible for the development, management, education, and awareness of the PCI Security Standards, including:
          - Data Security Standard (DSS)
          - Payment Application Data Security Standard (PA-DSS)
          - PIN Transaction Security (PTS), formerly known as PIN Entry Device (PED)
      - (Diagram: PCI PTS, PCI PA-DSS, PCI DSS)
  • 8. PIN Transaction Security (PTS) Requirements
      - A set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment-processing-related activities.
      - The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
      - Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
  • 9. Payment Application Data Security Standard (PA-DSS)
      - The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties.
      - Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • 10. PCI Data Security Standard (DSS)
      - The PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
      - It covers technical and operational system components included in or connected to cardholder data.
      - If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS.
  • 11. The PCI Security Standards Founders
  • 13. Track 1 vs. Track 2 Data
  • 14. Track 1 vs. Track 2 Data (cont.)
      - If full track data (either Track 1 or Track 2, from the magnetic stripe, a magnetic-stripe image in a chip, or elsewhere) is stored, malicious individuals who obtain that data can reproduce and sell payment cards around the world.
      - Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties.
  • 15. What to store & what not to store
  • 16. Guidelines for Storage
      1. One-way hash functions based on strong cryptography – converts the entire PAN into a unique, fixed-length cryptographic value.
      2. Truncation – permanently removes a segment of the data (for example, retaining only the last four digits).
      3. Index tokens and securely stored pads – an encryption algorithm that combines sensitive plaintext data with a random key or "pad" that works only once.
      4. Strong cryptography – with associated key management processes and procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms, Abbreviations and Acronyms for the definition of "strong cryptography."
  • 17. The PCI Data Security Standard: Six Goals, Twelve Requirements
      - Build and Maintain a Secure Network
          1. Install and maintain a firewall configuration to protect cardholder data
          2. Do not use vendor-supplied defaults for system passwords and other security parameters
      - Protect Cardholder Data
          3. Protect stored cardholder data
          4. Encrypt transmission of cardholder data across open, public networks
      - Maintain a Vulnerability Management Program
          5. Use and regularly update anti-virus software or programs
          6. Develop and maintain secure systems and applications
      - Implement Strong Access Control Measures
          7. Restrict access to cardholder data by business need-to-know
          8. Assign a unique ID to each person with computer access
          9. Restrict physical access to cardholder data
      - Regularly Monitor and Test Networks
          10. Track and monitor all access to network resources and cardholder data
          11. Regularly test security systems and processes
      - Maintain an Information Security Policy
          12. Maintain a policy that addresses information security for employees and contractors
  • 20. PIN Transaction Security (PTS) Requirements
      - A set of security requirements focused on the characteristics and management of devices used in the protection of cardholder PINs and other payment-processing-related activities.
      - The requirements are for manufacturers to follow in the design, manufacture and transport of a device to the entity that implements it.
      - Financial institutions, processors, merchants and service providers should only use devices or components that are tested and approved by the PCI SSC: www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
  • 21. PIN Transaction Security (PTS) Requirements (cont.)
      - Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
      - Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
      - Objective 3: Keys are conveyed or transmitted in a secure manner.
  • 22. PIN Transaction Security (PTS) Requirements (cont.)
      - Objective 4: Key-loading to hosts and PIN entry devices is handled in a secure manner.
      - Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
      - Objective 6: Keys are administered in a secure manner.
      - Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
  • 23. Payment Application Data Security Standard (PA-DSS)
      - The PA-DSS is for software developers and integrators of payment applications that store, process or transmit cardholder data as part of authorization or settlement, when these applications are sold, distributed or licensed to third parties.
      - Most card brands encourage merchants to use payment applications that are tested and approved by the PCI SSC. Validated applications are listed at: www.pcisecuritystandards.org/security_standards/pa_dss.shtml
  • 24. PA-DSS (cont.)
      - Requirement 1: Do not retain full magnetic stripe, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data
      - Requirement 2: Protect stored cardholder data
      - Requirement 3: Provide secure authentication features
      - Requirement 4: Log payment application activity
      - Requirement 5: Develop secure payment applications
      - Requirement 6: Protect wireless transmissions
      - Requirement 7: Test payment applications to address vulnerabilities
      - Requirement 8: Facilitate secure network implementation
      - Requirement 9: Cardholder data must never be stored
  • 25. PA-DSS (cont.)
      - Requirement 10: Facilitate secure remote access to payment application
      - Requirement 11: Encrypt sensitive traffic over public networks
      - Requirement 12: Encrypt all non-console administrative access
      - Requirement 13: Maintain instructional documentation and training programs for customers, resellers, and integrators
  • 26. Thank you! Questions / Queries
      Network Intelligence India Pvt. Ltd. (an ISO/IEC 27001:2005 certified company)
      Web: http://www.niiconsulting.com
      Email: kkmookhey@niiconsulting.com
      Tel: +91-22-2839-2628, +91-22-4005-2628
      Fax: +91-22-2837-5454
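The storage guidelines of slide 16 worked through in code, as an added example that is not part of the deck: truncation to the last four digits, a keyed one-way hash (a bare hash of a low-entropy PAN is brute-forceable, which is why a secret key is mixed in), and the one-time "pad" form of index tokens, with a Luhn check gating the input. The PAN 4111111111111111 is a constructed test value and the HMAC key stands in for one held by a key-management system; method 4 (general strong cryptography with key management) is a library and process matter and is not reimplemented here.

```python
# Added example, not from the deck: three of the four PAN-protection methods
# of slide 16 with Python's standard library. The test PAN and HMAC key are
# constructed here; in production the key comes from a KMS (assumption).
import hashlib
import hmac
import secrets

def luhn_valid(pan: str) -> bool:
    """Mod-10 check used to reject malformed PANs before storing anything."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate(pan: str) -> str:
    """Method 2: keep only the last four digits; the rest is unrecoverable."""
    return "*" * (len(pan) - 4) + pan[-4:]

def keyed_hash(pan: str, key: bytes) -> str:
    """Method 1: one-way hash. A PAN has low entropy (about 10^9 candidates
    behind a known 6-digit BIN), so a bare SHA-256 can be brute-forced; mixing
    in a secret key (HMAC) kept apart from the hashes closes that gap."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def pad_encrypt(pan: str):
    """Method 3: a random pad as long as the PAN, used once and stored in a
    separate secure location; the application keeps only the XOR result."""
    data = pan.encode()
    pad = secrets.token_bytes(len(data))
    return bytes(a ^ b for a, b in zip(data, pad)), pad

def pad_decrypt(ciphertext: bytes, pad: bytes) -> str:
    """The PAN is recoverable only when ciphertext and pad meet again."""
    return bytes(a ^ b for a, b in zip(ciphertext, pad)).decode()

if __name__ == "__main__":
    pan = "4111111111111111"          # constructed test PAN (Luhn-valid)
    key = secrets.token_bytes(32)     # stand-in for a KMS-managed key
    assert luhn_valid(pan)
    ct, pad = pad_encrypt(pan)
    print(truncate(pan), keyed_hash(pan, key), pad_decrypt(ct, pad) == pan)
```

Run on a sample of your own stored records, the truncated or hashed forms are what should remain on disk; any field that decodes back to sixteen Luhn-valid digits without the key or pad is stored cardholder data in scope for Requirement 3.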