PCI DSS

Describe PCI DSS 3.2

PCI DSS 3.2 is the current version that outlines all the requirement in order to be PCI DSS compliant.

List the requirements of this domain: Build & Maintain a Secure Network & Systems

1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

List the requirements of this domain: Maintain a Vulnerability Management Program

1. Protect all systems against malware and regularly update anti-virus software or programs. 2. Develop and maintain secure systems and applications.

List the requirements of this domain: Protect Cardholder Data

1. Protect stored cardholder data. 2. Encrypt transmission of cardholder data across open, public networks.

List the requirements of this domain: Implement Strong Access Control Measures

1. Restrict access to cardholder data by business need to know. 2. Identify and authenticate access to system components. 3. Restrict physical access to cardholder data.

List the requirements of this domain: Regularly Monitor and Test Networks

1. Track and monitor all access to network resources and cardholder data. 2. Regularly test security systems and processes.

How many requirements does PCI DSS have?

12 requirements under 6 domains

List the 6 domains of PCI DSS

1. Build & Maintain a Secure Network & Systems. 2. Protect Cardholder Data. 3. Maintain a Vulnerability Management Program. 4. Implement Strong Access Control Measures. 5. Regularly Monitor and Test Networks. 6. Maintain an Information Security Policy.

Describe the 1st phase of PCI DSS.

Assessment: this is where you identify the vulnerabilities and threats. That comes in at least 2 parts: a. Site Visit perform by a Qualified Security Assessor (QSA). example Richard Carson and Associate, PWC, Deloitte etc. b. Self Assessment Questionnaire (SAQ) if site visit is not a requirement. c. Vulnerability scanning by an Approved Scanning Vendor (ASV) - example Saint Corporation etc.

List the requirement of this domain: Maintain an Information Security Policy.

Maintain a policy that addresses Information Security for all personnel

Define PCI DSS.

Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and Point of Sales (POS) cards.

Describe the 2nd phase of PCI DSS.

Remediation: Fix Findings

Describe the 3rd phase of PCI DSS.

Report: Submit a Self Assessment Questionnaire (SAQ) or a Report on Compliance (ROC), Attestation of Compliance and ASV scan reports — to the acquiring banks (merchant), and global payment brand.

What leading organization is responsible for establishing and regulating PCI DSS?

Security Standard Council