10 Tips to Achieve PCI DSS Compliance, by Sumedh Thakar (Director of Engineering, PCI Solutions) and Terry Ramos (VP, Strategic Alliances, Qualys)

10 PCI Compliance Tips

DESCRIPTION

10 Best-Practice tips merchants need to focus on in order to achieve PCI Compliance, protect cardholder data, and establish a successful risk reduction program.


Page 1: 10 PCI Compliance Tips

10 Tips to Achieve PCI DSS Compliance
by Sumedh Thakar, Director of Engineering, PCI Solutions
Terry Ramos, VP, Strategic Alliances, Qualys

Page 2: 10 PCI Compliance Tips


Agenda

Why PCI is important

Who has to comply with PCI

10 Tips

PCI Compliance for Dummies

Page 3: 10 PCI Compliance Tips

Account Compromise - Impacts

- Counterfeit cards and fraud
- Significant chargeback risk
- Penalties, fines, losses
- Damage to reputation
- Negative media coverage
- Impacts to consumer confidence
- Re-issuance and monitoring of cards
- Potential of new legislation

Page 4: 10 PCI Compliance Tips

Top 5 Vulnerabilities

Based on merchant compromises, Visa has found the following common vulnerabilities:

- Storage of prohibited data (e.g., full track, CVV2, PIN blocks)
- Vendor default accounts and passwords
- Insecure remote access by software vendors
- Compatibility issues with anti-virus and encryption
- Poorly coded web-facing applications resulting in SQL injection

Source: www.visa.com/cisp
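The first item on that list is the one a merchant can check for directly: full track data, CVV2 and PIN blocks are sensitive authentication data, which PCI DSS forbids storing after authorization even in encrypted form, and it usually ends up in application or POS logs rather than in a database by design. The script below is an added example, not code from the presentation or from Qualys: it scans constructed sample log lines for track 1 and track 2 layouts, CVV2 and PIN block fields, and Luhn-valid primary account numbers, and reports PANs masked to the first six and last four digits so the finding itself does not become another copy of the data. The regular expressions, the field names (cvv2, pin_block) and the sample lines are assumptions chosen for illustration; real logs will need the patterns tuned to the application's own field names.

```python
import re
from typing import List, Tuple

# Added example (not from the presentation). Field names, layouts and the
# sample log lines below are assumptions chosen for illustration.

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{7}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{7}[^?]*\?")
# Card verification values and PIN blocks as they tend to appear in app logs.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.I)
PINBLOCK_RE = re.compile(r"\bpin[_ ]?block\s*[=:]\s*[0-9a-f]{16}\b", re.I)
# A run of 13-19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_prohibited(line: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for one line without echoing the secret."""
    findings = []
    covered = []  # spans already reported as track data; their PAN is not double-counted
    for cat, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append((cat, mask_pan(m.group(1))))
            covered.append(m.span())
    for cat, rx in (("cvv2", CVV_RE), ("pin_block", PINBLOCK_RE)):
        for m in rx.finditer(line):
            findings.append((cat, "offset %d" % m.start()))
    for m in PAN_RE.finditer(line):
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):  # filters order numbers and other long digit runs
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan a list of lines; returns (line number, category, detail) tuples."""
    out = []
    for n, line in enumerate(lines, 1):
        for cat, detail in find_prohibited(line):
            out.append((n, cat, detail))
    return out


# Constructed sample of what a careless POS or payment application might log.
SAMPLE_LOG = [
    "2007-05-01 12:00:01 POS01 auth ok pan=4111 1111 1111 1111 exp=2512 cvv2=123",
    "2007-05-01 12:00:02 POS01 raw swipe ;5555555555554444=25121011234567890?",
    "2007-05-01 12:00:03 POS02 order_id=1234567890123456 amount=19.99",
    "2007-05-01 12:00:04 ATM03 pin_block=0123456789ABCDEF",
    "2007-05-01 12:00:05 POS01 raw swipe %B4111111111111111^DOE/JOHN^2512101000000000?",
]

if __name__ == "__main__":
    for n, cat, detail in scan(SAMPLE_LOG):
        print("line %d: %s (%s)" % (n, cat, detail))
```

Line 3 of the sample is the deliberate false-positive check: a sixteen-digit order number that fails the Luhn test and is therefore not reported, while the PAN inside the track 2 swipe on line 2 is reported once, as track data, rather than twice.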

Page 5: 10 PCI Compliance Tips

Top 5 Reasons: Data Compromise

Source: MasterCard Forensics Examinations of Hacked Entities

Page 6: 10 PCI Compliance Tips


PCI Certification Merchant & Service Provider Levels

Page 7: 10 PCI Compliance Tips

10 Tips

1. Know the Risks you Face in Protecting Cardholder Data
- Understand where your risks are
- Understand how your risks compare with those of others

2. Build and Maintain a Secure Network for Cardholder Data
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

3. Protect Cardholder Data That's Stored or Transmitted
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Page 8: 10 PCI Compliance Tips

10 Tips

4. Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications

5. Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

6. Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
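Requirement 6 is where the "poorly coded web-facing applications resulting in SQL injection" finding from the Visa slide gets fixed, and the fix is a single coding habit: never splice user input into a SQL statement. The snippet below is an added example, not code from the presentation or from Qualys. It builds a constructed in-memory SQLite table, then runs the same account lookup once with string concatenation and once with a bound parameter, so the classic `x' OR '1'='1` input returns every row from the first version and nothing from the second. The table, rows and column names are assumptions; `pan_last4` stands in for whatever cardholder data the real application stores.

```python
import sqlite3
from typing import List, Tuple

# Added example (not from the presentation). Table, rows and column names are
# constructed for illustration.


def build_db() -> sqlite3.Connection:
    """In-memory table of the kind a web-facing checkout application might query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, email TEXT NOT NULL, pan_last4 TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (email, pan_last4) VALUES (?, ?)",
        [
            ("alice@example.com", "1111"),
            ("bob@example.com", "4444"),
            ("carol@example.com", "0005"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Concatenates user input into the statement: a quote in the input becomes SQL syntax.

    With email = "x' OR '1'='1" the statement sent to the database is
    SELECT ... WHERE email = 'x' OR '1'='1', which is true for every row.
    """
    sql = "SELECT email, pan_last4 FROM accounts WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Binds the input as a parameter: the driver passes it as data, never as syntax."""
    return conn.execute(
        "SELECT email, pan_last4 FROM accounts WHERE email = ?", (email,)
    ).fetchall()


INJECTION = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable:", lookup_vulnerable(conn, INJECTION))  # all three rows
    print("safe:      ", lookup_safe(conn, INJECTION))        # no rows
    print("normal:    ", lookup_safe(conn, "bob@example.com"))
```

Parameter binding is the control that matters; escaping quotes by hand is the approach that keeps producing the compromises on the Visa slide, because it has to be done correctly at every call site and for every database dialect.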

Page 9: 10 PCI Compliance Tips

10 Tips

7. Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security

8. Submit Reports for Quarterly Scans and Annual Review

9. Make PCI Compliance a Continuous, Ongoing Process

Page 10: 10 PCI Compliance Tips

PCI Compliance for Dummies

10. Read PCI Compliance for Dummies
- Get as much information as you can about PCI and how it relates to your organization

Page 11: 10 PCI Compliance Tips

Q&A

Thank you
[email protected]@qualys.com