PCI Compliance: What You Need to Know

This presentation covers the key facts you need to know about the current and upcoming PCI compliance requirements.

Key take-aways:
* What the new PCI compliance changes are (current and planned)
* When the changes go into effect and how they impact your business
* How to automate the PCI compliance processes



    Presentation Transcript

    • Slide 1 of 13 – PCI Compliance 2008: What You Need To Know
      Sumedh Thakar, PCI Solutions Manager

    • Slide 2 of 13 – Agenda
      – What’s PCI / Key Terms
      – What’s new with PCI in 2008?
      – What’s coming later this year?
      – Quick Tips for PCI compliance
      – Q&A (please send questions online via Q&A Chat)

    • Slide 3 of 13 – What’s PCI? / Key Terms
      – PCI SSC: Payment Card Industry Security Standards Council
      – PCI DSS: Payment Card Industry Data Security Standard
      – QSA: Qualified Security Assessor
      – ASV: Approved Scanning Vendor

    • Slide 4 of 13 – The Standard: PCI DSS v1.1
      Build and Maintain a Secure Network
      1. Install and maintain a firewall configuration to protect cardholder data
      2. Do not use vendor-supplied defaults for system passwords and other security parameters
      Protect Cardholder Data
      3. Protect stored cardholder data
      4. Encrypt transmission of cardholder data across open, public networks
      Maintain a Vulnerability Management Program
      5. Use and regularly update anti-virus software
      6. Develop and maintain secure systems and applications
      Implement Strong Access Control Measures
      7. Restrict access to cardholder data by business need-to-know
      8. Assign a unique ID to each person with computer access
      9. Restrict physical access to cardholder data
      Regularly Monitor and Test Networks
      10. Track and monitor all access to network resources and cardholder data
      11. Regularly test security systems and processes
      Maintain an Information Security Policy
      12. Maintain a policy that addresses information security

    • Slide 5 of 13 – PCI DSS Validation

    • Slide 6 of 13 – PCI Changes in 2008: Self Assessment Questionnaires
      – New Self Assessment Questionnaires v1.1
        – Questionnaire version is now in line with the DSS version
        – 4 questionnaires to acknowledge the different types of merchants
        – Effective as of April 30, 2008
      – Validation types (validation type, description, SAQ, number of questions):
        – Type 1 – SAQ A, 11 questions: Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
        – Type 2 – SAQ B, 21 questions: Imprint-only merchants with no electronic cardholder data storage
        – Type 3 – SAQ B, 21 questions: Stand-alone terminal merchants, no electronic cardholder data storage
        – Type 4 – SAQ C, 38 questions: Merchants with POS systems connected to the Internet, no electronic cardholder data storage
        – Type 5 – SAQ D, 226 questions: All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ

    • Slide 7 of 13 – PCI Changes in 2008: Requirement 6.6, Security of web applications
      – For organizations that have web applications processing payments
      – Requirement as of June 30, 2008
      – 6.6: Ensure that all web-facing applications are protected against known attacks, by either
        – having all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or
        – installing an application layer firewall in front of web-facing applications
      – Options to get there…
        – Manual review of application source code
        – Proper use of automated application source code analyzer (scanning) tools
        – Manual web application security vulnerability assessment
        – Proper use of automated web application security vulnerability assessment (scanning) tools
        – Use of an appropriate web application firewall

    • Slide 8 of 13 – PCI Changes in 2008: Use of CVSS v2.0 scores
      – External vulnerability scans
        – Performed by an ASV; see www.pcisecuritystandards.org for the list of ASVs
      – CVSS scoring: Common Vulnerability Scoring System
      – PCI SSC requirement
        – As of July 1, 2008 all ASVs must use CVSS v2.0 scoring
        – A CVSS score of 4.0 or above causes the host to fail compliance

    • Slide 9 of 13 – PCI Changes in 2008: New Standard, PA DSS
      – PA DSS: Payment Application Data Security Standard
        – Designed to secure applications processing payments for merchants
        – Based on PCI DSS
        – Successor of VISA’s PABP program
      – Applicability
        – Commercial payment applications
        – Generally bought off the shelf with little or no customization
        – Not for custom/in-house developed payment applications
      – Rollout of PA DSS
        – Special auditors approved by PCI SSC will audit applications
        – PCI SSC will maintain a list of approved payment applications and versions
        – First list to be published Oct 1, 2008
      – Compliance
        – Dates for merchants to comply with PA DSS are decided by the payment brands
        – Check with your vendor whether the application you bought is PA DSS compliant

    • Slide 10 of 13 – PCI Changes in 2008: PCI DSS Revision to 1.2
      – Update from 1.1 to 1.2
        – Same 12 requirements as 1.1
        – More clarifications on existing requirements
        – New Questionnaires v1.2
      – Publication date: Oct 1, 2008
      – Effective date: Oct 1, 2008
      – Sunset date for 1.1: TBD

    • Slide 11 of 13 – Quick Tips for PCI Compliance
      – PCI compliance is ongoing
      – Do the right things… it’s for your own good!
      – Use your trusted vendors
      – Use of automation and technology is key

    • Slide 12 of 13 – Quick Tips for PCI Compliance: Use of Automation & Technology
      – Automated tools are the best place to start… and will eliminate 80-90% of your headaches!
      – Use automated tools where possible
        – If you have basic security knowledge, sign up for automated scanning portals like QualysGuard PCI
        – Use an automated web application scanner
        – Use an automated wireless analyzer and log analyzer
        – Using an automated internal scanner appliance will be cheaper than dedicating a resource to perform internal scanning

    • Slide 13 of 13 – Q & A Session
      Send your questions to PCI-Info@Qualys.com