PCI DSS for Penetration Testing

What is PCI DSS ?
 Payment Card Industry (PCI) Data Security Standard
(DSS)

 PCI DSS provides a baseline of technical and operational
requirements designed to protect cardholder data.

 PCI DSS comprises a minimum set of requirements for
protecting cardholder data, and may be enhanced by
additional controls and practices to further mitigate risks

Why Is Compliance with PCI DSS
Important?
 A security breach and subsequent compromise of
payment card data has far-reaching consequences for
affected organizations, including:
 Regulatory notification requirements,
 Loss of reputation,
 Loss of customers,
 Potential financial liabilities (for example, regulatory and
other fees and fines), and
 Litigation.

PCI DSS
Payment Card Industry Data Security Standard
 Standard applies to:
 Merchants – Acquirer is the authority
 Service Providers – Card Brand or Client is the authority
 Systems
 Who:
 Store cardholder data
 Transmit cardholder data
 Process cardholder data
 Inclusive of:
 Electronic Transactions
 Paper Transactions

The PCI Security Standards Council
(PCI SSC)
 An open global forum, launched in 2006, responsible for the
development, management, education, and awareness of
the PCI Security Standards, including:
 Data Security Standard (DSS)
 Payment Application Data Security Standard (PA-DSS)
 Pin Transaction Security (PTS)
 Formally known as Pin-Entry Device (PED)

PCI PTS PCI PA-DSS PCI DSS

PIN Transaction (PTS) Security
Requirements

• It is a set of security requirements focused on characteristics
and management of devices used in the protection of
cardholder PINs and other payment processing related
activities.
• The requirements are for manufacturers to follow in the
design, manufacture and transport of a device to the entity
that implements it.
• Financial institutions, processors, merchants and service
providers should only use devices or components that are
tested and approved by the PCI SSC.

www.pcisecuritystandards.org/security_standards/ped/pedappro
vallist.html

Payment Application Data Security
Standard (PA-DSS)

• The PA-DSS is for software developers and integrators of
payment applications that store, process or transmit
cardholder data as part of authorization or settlement when
these applications are sold, distributed or licensed to third
parties.

• Most card brands encourage merchants to use payment
applications that are tested and approved by the PCI SSC.

Validated applications are listed at:
www.pcisecuritystandards.org/security_standards/pa_dss.shtml

PCI Data Security Standard (DSS)

• The PCI DSS applies to all entities that store, process,
and/or transmit cardholder data.
• It covers technical and operational system components
included in or connected to cardholder data.
• If you are a merchant who accepts or processes
payment cards, you must comply with the PCI DSS.

The PCI Security Standards Founders

Track 1 vs. Track 2 Data (cont..)
 If full track (either Track 1 or Track 2, from the magnetic stripe,
magnetic-stripe image in a chip, or elsewhere) data is stored,
malicious individuals who obtain that data can reproduce and sell
payment cards around the world.
 Full track data storage also violates the payment brands' operating
regulations and can lead to fines and penalties.

What to store & what not to store

Guidelines for Storage

1. One-way hash functions based on strong cryptography – converts the
entire PAN into a unique, fixed-length cryptographic value.

2. Truncation – permanently removes a segment of the data (for example,
retaining only the last four digits).

3. Index tokens and securely stored pads – encryption algorithm that
combines sensitive plain text data with a random key or “pad” that works only
once.

4. Strong cryptography – with associated key management processes and
procedures. Refer to the PCI DSS and PA-DSS Glossary of Terms,
Abbreviations and Acronyms for the definition of “strong cryptography.”

The PCI Data Security Standard
Six Goals, Twelve Requirements
Build and Maintain a 1. Install and maintain a firewall configuration to protect cardholder
Secure Network data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters

Protect Cardholder Data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks

Maintain a Vulnerability 5. Use and regularly update anti-virus software or programs
Management Program 6. Develop and maintain secure systems and applications

Implement Strong Access 7. Restrict access to cardholder data by business need-to-know
Control Measures 8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and 10. Track and monitor all access to network resources and cardholder
Test Networks data
11. Regularly test security systems and processes

Maintain an Information 12. Maintain a policy that addresses information security for
Security Policy employees and contractors

Requirements (cont..)

• Objective 1 : PINs used in transactions governed by these
requirements are processed using equipment and
methodologies that ensure they are kept secure.
• Objective 2 : Cryptographic keys used for PIN
encryption/decryption and related key management are
created using processes that ensure that it is not possible to
predict any key or determine that certain keys are more
probable than other keys.
• Objective 3 : Keys are conveyed or transmitted in a secure
manner.

Requirements (cont..)

• Objective 4 : Key-loading to hosts and PIN entry devices is
handled in a secure manner.
• Objective 5 : Keys are used in a manner that prevents or
detects their unauthorized usage.
• Objective 6 : Keys are administered in a secure manner.
• Objective 7 : Equipment used to process PINs and keys is
managed in a secure manner.

PA-DSS (cont..)

• Requirement 1 : Do not retain full magnetic stripe, card
verification code or value (CAV2, CID, CVC2, CVV2), or
PIN block data
• Requirement 2 : Protect stored cardholder data
• Requirement 3 : Provide secure authentication features
• Requirement 4 : Log payment application activity
• Requirement 5 : Develop secure payment applications
• Requirement 6 : Protect wireless transmissions
• Requirement 7 : Test payment applications to address
vulnerabilities
• Requirement 8 : Facilitate secure network
implementation
• Requirement 9 : Cardholder data must never be stored

PA-DSS (cont..)
• Requirement 10 : Facilitate secure remote access to
payment application
• Requirement 11 : Encrypt sensitive traffic over public
networks
• Requirement 12 : Encrypt all non-console
administrative access
• Requirement 13 : Maintain instructional
documentation and training programs for customers,
resellers, and integrators

Thank you!
Questions / Queries

NETWORK INTELLIGENCE INDIA PVT. LTD.
AN ISO/IEC 27001:2005 CERTIFIED COMPANY

Web http://www.niiconsulting.com
Email kkmookhey@niiconsulting.com
Tel +91-22-2839-2628
+91-22-4005-2628
Fax +91-22-2837-5454

PCI DSS for Penetration Testing

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to PCI DSS for Penetration Testing

Similar to PCI DSS for Penetration Testing (20)

More from Network Intelligence India

More from Network Intelligence India (20)

Recently uploaded

Recently uploaded (20)

PCI DSS for Penetration Testing