PCI Compliance: What You Need to Know - Presentation Transcript
PCI Compliance 2008
What You Need To Know
Sumedh Thakar
PCI Solutions Manager
Agenda
What’s PCI / Key Terms
What’s new with PCI in 2008?
What’s coming later this year?
Quick Tips for PCI compliance
Q&A
(Please send questions online via Q&A Chat)
2 of 13
What’s PCI? / Key Terms
PCI SSC
Payment Card Industry Security Standards Council
PCI DSS
Payment Card Industry Data Security Standard
QSA
Qualified Security Assessor
ASV
Approved Scanning Vendor
3 of 13
The Standard - PCI DSS v1.1
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
4 of 13
PCI DSS Validation
5 of 13
PCI Changes in 2008
Self Assessment Questionnaires
New Self Assessment Questionnaires v1.1
– Questionnaire version now in line with DSS version
– 4 Questionnaires to acknowledge different type of Merchants
– Effective as of April 30, 2008
Validation Type | Description | SAQ | Number of questions
1 | Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants. | A | 11
2 | Imprint-only merchants with no electronic cardholder data storage | B | 21
3 | Stand-alone terminal merchants, no electronic cardholder data storage | B | 21
4 | Merchants with POS systems connected to the Internet, no electronic cardholder data storage | C | 38
5 | All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ. | D | 226
6 of 13
PCI Changes in 2008
Requirement 6.6
Security of web applications
– For Organizations who have web applications processing payments
– Requirement as of June 30, 2008
6.6 - Ensure that all web-facing applications are protected against known attacks
– Having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.
– Installing an application layer firewall in front of web-facing applications.
Options to get there…
Manual review of application source code
Proper use of automated application source code analyzer (scanning) tools
Manual web application security vulnerability assessment
Proper use of automated web application security vulnerability assessment (scanning) tools
Use appropriate Web application firewall
7 of 13
PCI Changes in 2008
Use of CVSS v2.0 scores
External Vulnerability Scans Performed by ASV
– See www.pcisecuritystandards.org for list of ASVs
CVSS Scoring
Common Vulnerability Scoring System
PCI SSC Requirement
– As of July 1, 2008 all ASVs must use CVSS v2.0 scoring
– CVSS scores 4.0 and above should cause host to fail compliance
8 of 13
PCI Changes in 2008
New Standard – PA DSS
PA DSS
Payment Application Data Security Standard
– Designed to secure applications processing payments for merchants
– Based on PCI DSS
– Successor of VISA’s PABP program
Applicability
– Commercial payment applications
– Generally bought off the shelves with little or no customization
– Not for custom/in-house developed payment applications
Rollout of PA DSS
– Special auditors approved by PCI SSC will audit applications
– PCI SSC will maintain list of approved Payment Applications and versions
– First list to be published Oct 1, 2008
Compliance
– Dates for merchants to comply with PA DSS decided by payment brands
– Check with your vendor if the application you bought is PA DSS compliant
9 of 13
PCI Changes in 2008
PCI DSS Revision to 1.2
Update from 1.1 to 1.2
Same 12 requirements as 1.1
More clarifications on existing requirements
New Questionnaires v1.2
Publication date – Oct 1, 2008
Effective date – Oct 1, 2008
Sunset date for 1.1 – TBD
10 of 13
Quick Tips for PCI Compliance
PCI Compliance is ongoing
Do the right things… it’s for your own good!
Use your trusted vendors
Use of Automation & Technology is key
11 of 13
Quick Tips for PCI Compliance
Use of Automation & Technology
Automated tools are the best place to start…
…and will eliminate 80-90% of your headaches!
Use automated tools where possible
– If you have basic security knowledge then sign up for automated scanning portals like QualysGuard PCI
– Use automated web application scanner
– Use automated wireless analyzer and log analyzer
– Use of automated internal scanner appliance will be cheaper than dedicating resource to perform internal scanning
12 of 13
Q & A Session
Send your questions to PCI-Info@Qualys.com
13 of 13
This presentation covers the key facts you need to know about the current and upcoming PCI compliance requirements.
Key take-aways:
*What are the new PCI Compliance changes (current and planned)
*When the changes go into effect & how they impact your business
*How to automate the PCI Compliance processes