This talk was presented in NULL/OWASP Bangalore chapter meet in May 2017. It acts as an insight into PCI DSS and compliances.

1. PCI DSS
COMPLIANCE
BY
SAUMYA VISHNOI

2. WHO AM I ?
 Currently working with FreeCharge’s Information Security Team
 Ex- PCI QSA
 Audited multiple PCI DSS environments

3. DISCLAIMER
All the information, discussion and views
presented in the talk are
personal !!!

4. COMPLIANCE STANDARDS

5. COMPLIANCE – FRIEND OR FOE
• Increases workload
• Creates extra process
• Costly

6. COMPLIANCE – FRIEND OR FOE
• Business enabler –
• PCI DSS for processing card details
• RBI PSS for getting and running a digital wallet
• Give confidence to clients and third party
• Force organizations to give security a thought
• Act as baseline for security
Compliance acts as an enabler for security

7. PCI DSS
PAYMENT CARD INDUSTRY DATA SECURITY
STANDARD

8. A BIT OF HISTORY ……
• Drafted, Maintained and promoted by PCI SSC (Payment Card Industry
Security Standard Council)
• PCI SSC is founded by --- American Express, Discoverer Financial Services,
JCB International, Master card Worldwide, VISA Inc.
• PCI DSS ver. 1.0 (2004) ------------ PCI DSS ver. 3.2 (2017)
• Other Standards by PCI SSC – PA DSS, PCI PTS, etc.

9. PCI DSS APPLICABILITY
• It applies to –
• Systems that Store, Process or Transmit Card holder data
• Systems that provide security functionalities or may impact the security of
Card Holder Data (CDE)
• Any other component or device, located within or connected to CDE

10. CARD HOLDER DATA

11. PCI DSS ASSESSMENTS
• Self Assessment Questionnaire (SAQ) –
• Qualified Security Assessor (QSA) -

13. REQUIREMENT 1
Install and Maintain a firewall configuration to protect card holder data
• Firewall & Router Hardening
• Firewall Rule review
• Firewall Rule justification

14. REQUIREMENT 2
Do not use Vendor – Supplied defaults for system password and other
security parameters
• Removal of default configurations
• Hardening

15. REQUIREMENT 3
Protect Stored Card holder data
• Storage of Card holder data
• Not Storing Sensitive Authentication Data
• Encryption and Key Management

16. REQUIREMENT 4
Encrypt transmission of cardholder data across open, public network
• Encryption standard for secure transmission
• End user messaging

17. REQUIREMENT 5
Protect all systems against malware and regularly update anti-virus
software or programs
• Anti- Virus - Update, Scanning , Logging

18. REQUIREMENT 6
Develop and maintain secure systems and applications
• Secure application development
• Change Control procedure
• Patching
• Risk Ranking
• Web application firewall

19. REQUIREMENT 7
Restrict access to cardholder data by business need to know
• Least Privilege
• User Management Process

20. REQUIREMENT 8
Identify and authenticate access to system components
• Password policy
• User Access Review
• Remote access Management

21. REQUIREMENT 9
Restrict physical access to cardholder data
• Physical Access controls – Visitor management
• CCTV & Smart card based access
• Physical security of Media
• Protecting POS devices from physical tempering

22. REQUIREMENT 10
Track and monitor all access to network resources and cardholder data
• Log management
• Time Synchronization
• FIM

23. REQUIREMENT 11
Regularly test security systems and processes.
• Wireless scan – Quarterly
• Network Level VA (Internal/ External) - Quarterly
• Network Level PT (Internal/ External) – Half Yearly
• Application testing – Yearly
• PT Methodology

24. REQUIREMENT 12
Maintain a policy that addresses information security for all personnel.
• Risk Assessment
• Policy & procedure Documentation
• Training and Awareness
• Incident Response
• Internal Audit

25. THANK YOU
saum98@gmail.com
Twitter: @saum98