The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS). It discusses what PCI compliance is and why it is important. It outlines the goals and 12 requirements of the PCI DSS, including building a secure network, protecting cardholder data, maintaining vulnerability management, access control measures, monitoring networks, and maintaining an information security policy. It also discusses how to achieve and maintain compliance to avoid fines. The document provides information on PCI compliance requirements, processes, policies, controls, project management, and key messages around PCI.

1. PCI: THE ESSENTIALS

2. A simple, easy to use, online, B2B procurement
portal for purchasing products and services to
identify, minimise and manage the security
threat to business data.
www.riskfactory.com

3. THE ESSENTIALS
• What PCI compliance is and why its important
• Understand how to identify potential risks to card
data within your business
• Foundation in data risk management
• How to communicate the importance of PCI to
stakeholders
• The keys to achieving and maintaining compliance
• How to avoid fines

4. The Standard

5. WHERE DID IT COME FROM?
Restaurants sue POS vendor over data breach: Dec’09
Nearly 100 customers had their identities stolen as a result of "Aloha" POS software payments
terminals that were not PCI-DSS compliant. They have to pay for forensic audits to trace the problems,
reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected
individuals.

7. Security
Scans
Self-
Assessment
Questionnaire
On Site
Audits
Community
Meeting
Industry
Best
Practices
Approved
Scanning
Vendors
(ASVs) and Qualified
Security Assessors
(QSAs)
Proactive
feedback
from QSAs,
ASVs and
POs
PCI Data Security
Standard
ADC
Forensics
Results
Advisory
Board

8. THE STANDARD

9. APPLIES TO:
 Systems that store, process or transmit cardholder data
 Systems that connect to them
Compliance is mandatory
 Enforced through merchant services agreements

10. 6 GOALS, 12 REQUIREMENTS
The PCI DSS standard is based upon the following 6 core principles and 12 requirements: 264 controls
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

11. 264 CONTROLS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
 1.1 Establish firewall configuration standards that include the following:
 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone
(intranet).
 1.1.4 Description of groups, roles and responsibilities for logical management of network components.
 1.1.5 Documented list of services/ports necessary for business.
 1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and
secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
 1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which
includes reason for use of protocol and security features implemented.
 1.1.8 Quarterly review of firewall and router rule sets.
 1.1.9 Establish configuration standards for routers.

12. THE STRUCTURE

13. CARDHOLDER DATA?
Card (PAN) number
Magnetic stripe
Expiry date
Chip
Card account number

14. CONTROLS-2-DATA

15. SCOPING

16. DE-SCOPING
• Network segmentation is not a PCI DSS control
requirement
• De-scoping is where you set the cost baseline for
the project.
• Take your time.
• The more you can take out of scope – the less it
will cost to implement the controls.

17. QUIZ 1
1. The PCI DSS applies to all systems that ________,
__________, or _________ card data.
2. The PCI DSS is comprised of _________ principles,
___________ requirements and 264 controls.
3. The PCI DSS is a checklist of controls. True/False?
4. Controls only apply to systems “in scope”.
True/False?
5. We can store sensitive card holder data.
True/False?

18. The Players

19. THE PLAYERS
 Card Brands
 PCI Council
 Acquirers
 QSA
 ASV
 Merchants
 Service Providers

20. RELATIONSHIPS MATRIX
Cardholder Data
Targeted
Cardholder
Victimized
Regulatory
Enforcement
Government
Intervention
Media
Scrutiny

21. CONCERNS & CONSQUENCES
Service Provider CardholderMerchant
Acquirer

22. CARDHOLDER DATA EXPOSURE
Payment
Application
Service
Provider
Service
Provider

23. SERVICE PROVIDERS
 Businesses that facilitate: process, storage or transmission of
card data on behalf of Merchant or Acquirer.
 Any business requiring connectivity to a card holder network or
application.

25. QUIZ 2
1. The __________ issue fines for non-compliance.
2. A service provider is defined as either
______________ or __________________.
3. Merchant Levels are determined by the _________
of ___________ per __________.
4. QSAs are monitored by _______________
5. The Acquirers set the compliance deadlines for the
Merchants. True/False?

26. Compliance
Process

27. PROCESS
Gap Analysis Remediation
QSA
Validation
Report of
Compliance
Attestation of
Compliance
Acquirer Card Brands

28. KEY DOCUMENTATION
 Card Data Security Policy
 Comprehensive Network Diagram
 Evidence
 3rd Party Agreements
 End User Agreements
 Security Vulnerability Scan Reports
 Security Penetration Reports

29. KEY ACTIONS
 Gap Analysis
 Remediation
 Monthly Acquirer Reports
 Audit-ready (Evidence in place)
 Pass ASV scan
 Network Security Penetration Test
 Application Security Penetration Test
 Validation
 RoC to Acquirer / Card Brands
 Annual Revalidation

30. PROCESS – NOT A CHECKLIST

31.  Identify
 Minimise
 Manage

32. QUIZ 3
1. RoC is an acronym for ____________ on ____________.
2. AoC is an acronym for ____________ of ____________.
3. SaQ is an acronym fro _________ ________ ________.
4. I need to pass both an ASV scan and penetration test
prior to validation. True/False.
5. These quizzes are getting on my nerves. True/False

33. Exercise

34. Situation: You have a bank owned terminal (BOT)
taking credit card payments at your site. It
is connected directly to the bank and is not
connected to your local systems.
Problem: Is it “in scope” of PCI DSS? Design a process
for determining your answer.
Dilemma: What problem do you still have?

35. The Policies

36. FRAMEWORK
Annex C
• Hosting
Provider
Security
Annex B
• 3rd Party
Connectivity
Annex A
• Appropriate
Use
Corporate
Policy

37. POLICIES
1. INTRODUCTION
• Required for the protection of client card data.
2. APPLICABILITY
• All employees, contractors and 3rd party suppliers.
3. COMPLIANCE
• Compliance Manager monitors & enforces
• Collaborative effort
• Non-compliance = disciplinary action
4. REVIEW, UPDATES & MAINTENANCE
• Annual
• 30 days after significant changes
5. EXCEPTIONS
• Require Compliance Manager’s prior approval
6. PROGRAM MANAGEMENT

38. POLICIES
6.1 ANNUAL DOCUMENTATION
 Current network diagram
 Card data asset register
 Card data flow diagram clearly indicating all credit card dependant business processes
 List of all roles having access to card data
 3rd Party Statements of Compliance
6.2 INFORMATION SECURITY RISK ASSESSMENTS
 Annually
 Prior to significant changes
6.3 MINIMISE HOLDINGS
6.4 CARD DATA ASSET REGISTER
 Maintain current list of all devices hosting card data
6.5 ASSET CLASSIFICATION
 Hardware & software marked “Company Confidential”

39. POLICIES
6.6 EMPLOYEE CHECKS
• Staff with access to card data = criminal & credit checks
6.7 SECURITY TRAINING
• Initial
• Annual update
6.8 3rd PARTY CONNECTIVITY AGREEMENTS
• Condition of connectivity
6.9 3rd PARTY COMPLIANCE
6.103rd PARTY AUDITS
• Initial
• Annual verification

40. POLICIES
6.11 NETWORK SECURITY VULNERABILITY SCANNING
 Done quarterly – Pass – submitted to Acquirer
6.12 NETWORK SECURITY PENETRATION TESTING
 Annually
 After significant changes
6.13 APPLICATION SECURITY PENETRATION TESTING
 Applies to all application process/store/transmit
 Conducted prior to launch
 After significant changes
 Annually
7. SYSTEM SECURITY
7.1 FIREWALL & ROUTER CONFIGURATIONS
 As stated in Annex

41. POLICIES
7.2 PASSWORDS & SECURITY ADMINISTRATION
• Vendor accounts & defaults removed
• Admin access encrypted
• Configuration security build standards
7.3 CARD DATA STORAGE
• Minimise!
• Data Retention Policy
• Do not store authentication data
7.4 CARD DATA TRANSMISSION
• Encrypted when sent over public networks (email, etc.)
7.5 ANTI-VIRUS MANAGEMENT
• Software on all systems that process, store or transmit card data
7.6 SYSTEM MONITORING
• Quarterly testing for wireless - Implement IDS - File integrity monitoring

42. POLICIES
8. APPLICATION SECURITY
• Software security development lifecycle procedures
• Change control procedures as detailed in Annex
• Patches
• Process to keep up to date with new application threats
9. LOGS & RECORDS
• System logs as detailed in Annex
10. SYSTEM USER SECURITY
• Need to know
• Password
• Screensaver, lock outs
11. PHYSICAL ACCESS CONTROLS
• Facility access control, locks alarms
• Visitor badging
• Protection of hard copy card data

43. QUIZ 4
1. The Card Data Security Policy only applies to your
employees. True/False?
2. __________ is responsible for 3rd party compliance
verification.
3. Credit and criminal records checks need to be
conducted for all employees. True/False?
4. Identification badges are required for access to any
facility. True/False?
5. This guy uses way too much mousse in his hair.
True/False.

44. The Controls

45. CONTROLS
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
 1.1 Establish firewall configuration standards that include the following:
 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network
zone (intranet).
 1.1.4 Description of groups, roles and responsibilities for logical management of network components.
 1.1.5 Documented list of services/ports necessary for business.
 1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP)
and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
 1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol
(FTP), which includes reason for use of protocol and security features implemented.
 1.1.8 Quarterly review of firewall and router rule sets.
 1.1.9 Establish configuration standards for routers.

46. EVIDENCE
 Types
• Observation (configuration or process)
• Documentation
• Interview
• Technical (monitoring of network traffic)
 Required for each and every control !

47. CONTROLS EXAMPLE
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
 Observation (configuration)
 Observation (process)
 Documentation (firewall rule set)
 Interview (systems administrator)
 Technical (monitoring of network traffic)

48. COMPENSATING CONTROLS
 Used only when a specific control cannot be implemented due to a business process
 Implement “risk-based” supplementary control(s)
 Designed for the business
 Accepted by the business
 Must be accompanied by supporting evidence
 Accompanied by supporting processes

49. COMPENSATING CONTROLS
Information Required Explanation
1. Constraints List constraints precluding compliance
with the original requirement.
Company XYZ employs stand-alone Unix Servers without LDAP.
As such, they each require a “root” login. It is not possible for
Company XYZ to manage the “root” login nor is it feasible to log
all “root” activity by each user.
1. Objective Define the objective of the original
control; identify the objective met by
the compensating control.
The objective of requiring unique logins is twofold. First, it is not
considered acceptable from a security perspective to share login
credentials. Secondly, having shared logins makes it impossible
to state definitively that a person is responsible for a particular
action.
1. Identified Risk Identify any additional risk posed by the
lack of the original control.
Additional risk is introduced to the access control system by not
ensuring all users have a unique ID and are able to be tracked.
1. Definition of
Compensating Controls
Define the compensating controls and
explain how they address the objectives
of the original control and the increased
risk, if any.
Company XYZ is going to require all users to log into the servers
from their desktops using the SU command. SU allows a user to
access the “root” account and perform actions under the “root”
account but is able to be logged in the SU-log directory. In this
way, each user’s actions can be tracked through the SU account.
1. Validation of
Compensating Controls
Define how the compensating controls
were validated and tested.
Company XYZ demonstrates to assessor that the SU command
being executed and that those individuals utilizing the command
are logged to identify that the individual is performing actions
under root privileges
1. Maintenance Define process and controls in place to
maintain compensating controls.
Company XYZ documents processes and procedures to ensure
SU configurations are not changed, altered, or removed to allow
individual users to execute root commands without being
individually tracked or logged

50. QUIZ 5
1. Name the four types of evidence generally required.
2. If you cannot implement a control you will fail the
audit. True/False?
3. Compensating controls are _________ based and
must be accepted by ___________________.
4. When designing a compensating control you must
always consider the ____________ objective.
5. If I just nod once and a while, this guys actually
thinks I’m listening to him. True/False.

51. Project
Management

52. MILESTONES
• Risk based prioritisation of
implementation of the controls
established by card brands
• Milestone 1 – identify what you
have, where you have it and write
policies to protect it.
• Milestone 2 – Network integrity
• Milestone 3 – Code integrity
• Milestone 4 – Logs & records
• Milestone 5 – Incidents
• Miles 6 – Auditing & testing

53. TIMELINES
• Missed deadline
• Milestones 1-4
• Validation
• SAQ
• AoC to Acquirer
• Annual Recertification

54. HOW WILL YOU GET THERE?
 By starting and maintaining momentum!
 Document everything
 Monthly Acquirer reports
 Quick resolution of questions
 Compensating controls
 Site visits – practice audits
 Disseminating information

55. 2 WORDS
Due diligence

56. The Messages

57. INTENT
Minimise risk to card holder data
Give
PCI
a
Chance!

58. BUSINESS MESSAGES
Card brand service requirements
Regulatory requirement
Losses impact our clients
Lost client confidence = Lost £
System down time = Lost £
Repair costs = Lost £
Data theft & fraud = Lost £
Reputation losses = Lost £
Fines = Lost £

59. EMPLOYEE
 Security of our customer credit card data is critical
to our mission.
 We’ve implemented a detailed security program to
protect this data.
 Security is your responsibility.
 Security is everyone’s responsibility.
 Failure to meet this responsibility…
 We need your help and suggestions.

60. PARTNER
 Protection of our customer data is mission critical to us.
 We have implemented a PCI DSS compliance program and are
pending formal certification.
 Regulatory compliance is a shared responsibility.
 Connectivity to our systems require compliance to PCI DSS controls as
a condition of contract.
 How can we help you?

61. CUSTOMER
 We are implementing a PCI DSS compliance program and are pending
formal certification.
 We require all of our partners and suppliers to meet PCI DSS controls
 We have implemented a rigorous security testing program to ensure the
security integrity of our systems.
 Protection of your personnel data is critical to our business.
 If you have any question regarding our policies – do not hesitate to
contact us.

62. LAST QUIZ
1. Name a business message.
2. Name a employee message.
3. Name a client message.
4. Name a partner message.
5. Name all five members of the original Jackson 5.

63. The Close

64. IF NOTHING ELSE, REMEMBER
 PCI DSS is a “risk management framework”
 Implementation does not guarantee security
 A framework only serves to identify, minimise and
manage the risk of compromise.
 At the day’s end - You still own the risk.

65.  Identify
 Minimise
 Manage

66. A DIFFERENT PERSPECTIVE FROM:
www.riskfactory.com
0800 978 8139