...AN INTRODUCTION TO PCI-DSS COMPLIANCE Author: Nicholas Henry April 2016 Table of Contents 1. Abstract 2. History 3. PCI-DSS Overview 4. Understanding PCI-DSS Compliance 5. Achieving PCI-DSS Compliance 6. PCI-DSS in the IT Department 7. Negatives of PCI-DSS 8. Positives of PCI-DSS Abstract Around the world, consumer migration from traditional cash and check payments to electronic payment methods such as credit, debit or bank transfers continue to grow. In 2009 a survey discovered that less than 37% of all payments are now made using cash or check. While there are many benefits to this, there are also significant new issues introduced as a result. As customers use electronic payment methods, there is an expectation of security for the cardholder’s identity and payment information. With all the recent data theft and security breaches, this is becoming a significant issue. To ensure the protection of consumer information, the Payment Card Industry, or PCI, developed a set of data security standards (DSS) that merchants and financial service providers must maintain to be able to process debit and credit cards. While PCI does not manage compliance or impose consequences for non-compliance, individual card associations may initiate financial/operational penalties to businesses that are non-compliant...
Words: 4052 - Pages: 17
...PCI DSS compliance is providing a safe place for your customers to do business with us either online or within our brick and motor location. Providing this compliance will ensure that your network has a chance to avoid the publicity nightmare that has effected so many other organizations, like Home Depot and J.P. Morgan Chase. As part of being PCI DSS compliant, organizations must adhere to risk analysis. In order for any organization to handle their network security risk it is important to understand the three important areas of a risk analysis and they are confidentiality, integrity, and availability. Confidentiality is all about letting only the allowed personal have access to that sensitive information and keeping private information private. Unsecure networks, malware, and even social engineering are all types of attacks that can compromise that important data. But intruders or the use of stolen credentials are topping the charts and have been a top ten issue for several years now. It also has been increasing in the number of case in recent years and this attack has accounted for 422 cases in 2013. Whether it comes from a Point of Sale (POS) interaction or a Web application attack the best defense is a strong password. A password should not be written down or can be found in a dictionary, but consist of upper and lower case letters with numbers and special characters mixed throughout (Verizon DBIR, 2014). Integrity is insuring that the information and devises...
Words: 623 - Pages: 3
...P01 - Information Security Policy Document Reference Date Document Status Version Revision History P01 - IS Policy Final 1.0 Table of Contents 1. 2. 3. 4. 5. 5.1. 5.2. 5.3. 5.4. 5.5. 5.6. 5.6.1. 5.6.2. 5.6.3. 5.6.4. 6. 6.1. 6.2. Policy Statement ....................................................................................................................... 3 Review and Update of the Policy Statement .......................................................................... 3 Purpose ...................................................................................................................................... 3 Scope.......................................................................................................................................... 3 Information Security Framework ........................................................................................... 3 Reporting Structure for the Business .......................................................................................... 3 Associated Teams....................................................................................................................... 4 Annual Policy Review................................................................................................................ 4 Policy Breaches .......................................................................................................................... 4 Individual Policies ......................
Words: 1892 - Pages: 8
...The PCI-DSS Framework: Protecting Stored Cardholder Data Wednesday, November 25th 2009 Contents The PCI-DSS Framework: Protecting Stored Cardholder Data 3 Introduction 3 PCI-DSS Compliance 4 Solutions for Encrypting Data at Rest 4 Data Classification, an Alternative to Encryption 8 Building Policies and Procedures 12 Conclusion 12 References 14 The PCI-DSS Framework: Protecting Stored Cardholder Data Introduction Payment cards, whether they are debit or credit cards are an essential component of modern commerce. EMV-based cards have already helped improve the security of millions of bank cards throughout the world, giving even more people the confidence to make payments. But there are other security concerns associated with bank cards. (Card Technology Today, 2009) Globally, debit and credit cards are used for a wide variety of payments with Internet card payments increasingly significantly in recent years. However, with this growth in Internet-based transactions has come an increase in stories related to Card Not Present (CNP) fraud via Internet channels. (Laredo, 2008) The proliferation of fraud and identity theft cases has put the Payment Card Industry (PCI) on the offensive frontlines. (Morse and Raval, 2008) American Express, Discover, JCB, MasterCard, and Visa have joined forces and formed the PCI Security Standards Council, an independent...
Words: 3961 - Pages: 16
...any federal or state laws? Yes they did because they did follw the compliance of the pci dss. 2. CardSystems Solutions claims to have hired an auditor to assess compliance with PCI DSS and other best practices for ensuring the C-I-A of privacy data for credit card transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor’s findings? That he either did not do a full audit of the company just showed him part of what he needed to see to pass them so they could operate without prying eyes 3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue? No they did not and if they had credibility then yes they should sue but if they are at fault then they will be brought to trial in civil court 4. Who do you think is negligent in this case study and why? The company and the auditor because neither one did their job to the fullest extent and it cost the company 5. Do the actions of CardSystems Solutions warrant an “unfair trade practice” designation as stated by the Federal Trade Commission (FTC)? Yes it does because they did not comply with the standards that were put before them 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance? They should have had the firewalls in place that had monitoring built in...
Words: 559 - Pages: 3
...PCI DSS and the Seven Domains As a business that is entering into the web business and having the ability to receive payment from Credit Cards negates that the business now complies with some standards that secures all of the customers information from misuse and inappropriate access from unauthorized persons.. To do this some logical approaches and best practices have been proven to facilitate a business meeting the PCI DSS standards. These best practices start with a simple install of a firewall that isolates the business' network from unauthorized outside access to the customer's information. Also, make sure that all defaults setting on the network are changed as the default information is a generally known value and easy to bypass security if not changed. (Gibson, 2011) These are generally good practices for security on any network anyway, but definitely a good start to achieving the PCI DSS standard. Once these measures are taken, it is now important to protect the data that you are using from the customer to complete a purchases. The best way is to setup access control measure within the LAN and that the LAN to WAN interface is protected by a firewall. When using the information to authorize outside of the LAN environment it is important to protect the information by encrypting the data being sent to the authorizing entity. By doing this you can further protect the information stored at your business from unwanted access and viewing. Within the business itself...
Words: 504 - Pages: 3
...Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2 April 2016 Document Changes Date October 2008 Version 1.2 Description Pages To introduce PCI DSS v1.2 as “PCI DSS Requirements and Security Assessment Procedures,” eliminating redundancy between documents, and make both general and specific changes from PCI DSS Security Audit Procedures v1.1. For complete information, see PCI Data Security Standard Summary of Changes from PCI DSS Version 1.1 to 1.2. Add sentence that was incorrectly deleted between PCI DSS v1.1 and v1.2. Correct “then” to “than” in testing procedures 6.3.7.a and 6.3.7.b. 1.2.1 32 Remove grayed-out marking for “in place” and “not in place” columns in testing procedure 6.5.b. 33 For Compensating Controls Worksheet – Completed Example, correct wording at top of page to say “Use this worksheet to define compensating controls for any requirement noted as ‘in place’ via compensating controls.” July 2009 5 64 October 2010 2.0 Update and implement changes from v1.2.1. See PCI DSS – Summary of Changes from PCI DSS Version 1.2.1 to 2.0. November 2013 3.0 Update from v2.0. See PCI DSS – Summary of Changes from PCI DSS Version 2.0 to 3.0. April 2015 3.1 Update from PCI DSS v3.0. See PCI DSS – Summary of Changes from PCI DSS Version 3.0 to 3.1 for details of changes. April 2016 3.2 Update from PCI DSS v3.1. See PCI DSS – Summary of...
Words: 57566 - Pages: 231
...Compliments of ersion 2.0 ! ated for PCI DSS V Upd pliance PCI Com ition Qualys Limited Ed Secure and protect cardholder data Sumedh Thakar Terry Ramos PCI Compliance FOR DUMmIES ‰ by Sumedh Thakar and Terry Ramos A John Wiley and Sons, Ltd, Publication PCI Compliance For Dummies® Published by John Wiley & Sons, Ltd The Atrium Southern Gate Chichester West Sussex PO19 8SQ England Email (for orders and customer service enquires): cs-books@wiley.co.uk Visit our Home Page on www.wiley.com Copyright © 2011 by John Wiley & Sons Ltd, Chichester, West Sussex, England All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except under the terms of the Copyright, Designs and Patents Act 1988 or under the terms of a licence issued by the Copyright Licensing Agency Ltd, 90 Tottenham Court Road, London, W1T 4LP, UK, without the permission in writing of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, England, or emailed to permreq@wiley.com, or faxed to (44) 1243 770620. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and...
Words: 15012 - Pages: 61
...Payment Card Industry Data Security Standards-(PCI DSS) compliant. What is your assessment of the auditor’s findings? I personally disagreed with the auditors findings. If CardSysytems Solutions per the report were indeed deemed compliant, proper IP firewalls and antivirus programs would have been active as PCI DSS requires a firewall and an up to date anti-virus which CardSystem Solutions did not. 3. Can CardSystems Solutions sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystem Solutions pursue this avenue? No. In 2004 they were PCI DSS compliant. At the time of the attack in June of 2005, they were not certified compliant. 4. Who do you think is negligent in this case study and why? CardSystems Solutions have to be considered the negligent party in the case. CardSystems Solutions is a high profiled company that is expected to comply with the regulations and requirements for properly protecting and storing private and secure data. 5. Do the actions of CardSystems Solutions warrant an “unfair trade practice” designation as stated by the FTC? Yes I believe it should 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance? SNMP along with MAC filtering. 7. What security controls and security countermeasures do you recommend for CardSystems Solutions to be in compliance with PCI DSS requirement? Answer: up to date anti-virus, firewall...
Words: 437 - Pages: 2
...changes are based upon the PCI-DSS Compliace: 1. Usage policies must be developed for critical technologies and defined for proper use of these technologies (PCI DSS 12.3). With this first policy an organization with prohibit or allow the usage of equipment and/or accounts depending on the individual’s permitted access. 2. Explicit approval by authorized parties (PCI DSS 12.3.1). This policy will grant specific approval by management to match the business needs. Proper approval to individual personnel will create a secured environment with critical systems. 3. Authentication for use of the technology (PCI DSS 12.3.2) Personnel will use passwords to authenticate the access they have to specific technology. This will hinder any individual who is trying to breach the environment and gain access to critical information. 4. Automatic disconnect of sessions after a specific period of inactivity (PCI-DSS 12.3.7) Users must log out if they plan to step away from their accounts and/or devices. Automatic log-off will stop any individual who is trying to gain access to the system without authorization. 5. Administer user accounts, including additions, deletions, and modifications (PCI-DSS 12.5.4) User accounts will be administered by the appropriate personnel. This responsibility will assure that any person in the organization has the correct information along with the correct access. 6. Educate personnel upon hire and at least annually (PCI-DSS 12.6.1) Security...
Words: 627 - Pages: 3
...the company’s policy is in compliance with all relevant federal regulations and industry standards. As an insurance company, Heart-Healthy Insurance works with and stores personal health information, financial information, and credit card information of clients and business partners. Data of this type is required to be protected by the United States Federal Government under several privacy acts. Heart-Healthy Insurance must also be Payment Card Industry Data Security Standard (PCI-DSS) compliant due to the fact the company takes credit cards to pay for premiums and deductibles. Below is information on each privacy act and security standard that Heart-Healthy Insurance must be in compliance with. The Payment Card Industry Data Security Standard (PCI-DSS) The Payment Card Industry Data Security Standard (PCI-DSS) was developed “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally” (PCI Security Council, 2010 p. 5). PCI-DSS provides the following requirements for passwords and user access: -Each user must be assigned a unique ID for system access. -A user’s identity must be verified before passwords are reset. -Passwords for new users and reset passwords for existing users must be set...
Words: 1355 - Pages: 6
...(HIPAA), Payment Card Industry Data Security Standard (PCI DSS), and Sarbanes-Oxley Act (SOX). HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). In today’s era, everyone pays with credit cards or debit cards. This healthcare organization will need to be PCI DSS compliant. PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The Council is responsible for managing the security standards, while compliance with the PCI Security Standards is enforced by the payment card...
Words: 276 - Pages: 2
...with PCI DSS and other best practices for ensuring the C-I-A of privacy data for credit card transaction processing. Assuming the auditor did indeed perform a PCI DSS security compliance assessment, what is your assessment of the auditor’s findings? • If compliant they would have implemented proper IP s firewalls or maintained their anti-virus program definitions. Also they were required to encrypt all stored sensitive privacy data for research. 3. Can CardSystems sue the auditor for not performing his or her tasks and deliverables with accuracy? Do you recommend that CardSystems Solutions pursue this avenue? • No because they were PCI DSS compliant in 2004 but was not certifiably compliant at the time of attack in June of 2005. 4. Who do you think is negligent in this case study and why? • CardSystems. Given their high profile, they were expected to be in compliance for properly storing and protecting all privacy data including gathered transactions and credit card information of their cliental in an encrypted manner. 5. Do the actions of the CardSystems warrant an “unfair trade practice” designation as stated by the Federal Trade Commission (FTC)? • Yes, because the cliental trust in good faith at the fact that their information will not be compromised in the possession of the company. If the company was not compliant then all sensitive data was put at risk. 6. What security policies do you recommend to help with monitoring, enforcing, and ensuring PCI DSS compliance...
Words: 649 - Pages: 3
...qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmrtyuiopasdfghjklzxcvbnmqwer...
Words: 640 - Pages: 3
...NEW HEART-HEALTHY INSURANCE INFORMATION SECURITY 1. Overview Heart-Healthy Insurance (HHI) is a company that is required by the federal government to keep the customer's information confidential, available and safe. The HHI is required to comply with PCI-DSS regulations, GLBA regulations, federal privacy laws, and HIPAA and HITECH regulations. 2. Scope The scope of this task is to develop a new policy statement with two modifications for the new users and password requirements that follow all the federal laws and regulations. 3. Policies of the HHI from before FOR NEW USERS. 4. New Users HHI requires new users to be assigned access based on the level of content they are requesting. The new users are required to prove their level of clearance base on the access they are requesting. It is also required that only the manager approves administrator level access for new users. 5. Password Requirements. The password is required to have at least eight characters. The password characters must contain a combination of upper and lowercase letters. A shared password is forbidden in any system that has patient information. The users are not allowed to reuse any of the previous six passwords that were used when resetting a password. Users must wait at least 15 minutes before the password can be reset when they insert the wrong information more than three times. 5. PASSWORD REQUIREMENT WITH NEW POLICY HHI has already strong password policies, but those password policies...
Words: 1481 - Pages: 6