10 Tips to Achieve PCI DSS Compliance by Sumedh Thakar Director of Engineering PCI Solutions Terry Ramos VP, Strategic Alliances, Qualys

Agenda Why PCI is important Who has to comply with PCI 10 Tips PCI Compliance for Dummies

Why PCI is important

Who has to comply with PCI

10 Tips

PCI Compliance for Dummies

Account Compromise - Impacts Counterfeit cards and fraud Significant chargeback risk Penalties, fines, losses Damage to reputation Negative media coverage Impacts to consumer confidence Re-issuance and monitoring of cards Potential of new legislation

Counterfeit cards and fraud

Significant chargeback risk

Penalties, fines, losses

Damage to reputation

Negative media coverage

Impacts to consumer confidence

Re-issuance and monitoring of cards

Potential of new legislation

Top 5 Vulnerabilities Storage of prohibited data (e.g., full track, CVV2, PIN blocks) Vendor default accounts and passwords Insecure remote access by software vendors Compatibility issues with anti-virus and encryption Poorly coded web-facing applications resulting in SQL injection Based on merchant compromises, Visa has found the following common vulnerabilities: www.visa.com/cisp

Storage of prohibited data (e.g., full track, CVV2, PIN blocks)

Vendor default accounts and passwords

Insecure remote access by software vendors

Compatibility issues with anti-virus and encryption

Poorly coded web-facing applications resulting in SQL injection

Top 5 Reasons: Data Compromise Source: MasterCard Forensics Examinations of Hacked Entities

PCI Certification Merchant & Service Provider Levels

10 Tips Know the Risks you Face in Protecting Cardholder Data Understand where your risks are Understand what are your risks versus others Build and Maintain a Secure Network for Cardholder Data Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data That’s Stored or Transmitted Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks

Know the Risks you Face in Protecting Cardholder Data

Understand where your risks are

Understand what are your risks versus others

Build and Maintain a Secure Network for Cardholder Data

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data That’s Stored or Transmitted

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

10 Tips Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes

Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

10 Tips Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security Submit Reports for Quarterly Scans and Annual Review Make PCI Compliance a Continuous, Ongoing Process

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security

Submit Reports for Quarterly Scans and Annual Review

Make PCI Compliance a Continuous, Ongoing Process

PCI Compliance for Dummies Read PCI Compliance for Dummies Get as much information as you can about PCI and how it relates to your organization

Read PCI Compliance for Dummies

Get as much information as you can about PCI and how it relates to your organization

Q&A C O N F I D E N T I A L Thank You [email_address] [email_address]