Audit & Pentest
Overview
- Payment Card Industry Data Security Standard
- Enforced by the PCI Security Standards Council
- Council formed by the five major card brands: VISA, MasterCard, JCB, American Express, Discover
- Any company that processes, stores or transmits card information is required to be PCI DSS compliant
Goals
Protect cardholder data and sensitive authentication data

Cardholder data:
- Primary account number (PAN)
- Cardholder name
- Expiration date
- Service code

Sensitive authentication data:
- Full track data (from the magnetic stripe)
- CAV2 / CVC2 / CVV2 / CID
- PIN blocks
6 Goals - 12 Requirements
Build and Maintain a Secure Network and Systems
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Protect all systems against malware and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need to know
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for all personnel