PCI Compliance Technical Overview
Jan 14, 2016

Page 1: PCI Compliance Technical Overview

PCI Compliance Technical Overview

Page 2: PCI Compliance Technical Overview

RM PCI Calendar

Dec 2005: Began PCI 15.1 development

Feb 2006: Initial PCI Audit

Sept 2006: Official 15.1 PCI Release

Sept 2006: Validation Report sent to VISA

Jan 2007: VISA approves certification

Page 3: PCI Compliance Technical Overview

Card Data Compromises

40% of all compromises involve a restaurant.

Top 5 compromises:
- Full track data retention
- Default accounts
- Insecure remote access
- Non-use of security tools (antivirus, encryption)
- SQL injection

Page 4: PCI Compliance Technical Overview

Terms and Definitions

PCI DSS: Payment Card Industry Data Security Standard
PABP: Payment Application Best Practices

RM is a validated payment application that meets the PCI PABP.

So what is “PCI Compliance”? Hint: It’s not simply installing RM 15.1.

Page 5: PCI Compliance Technical Overview

The PCI Compliant Site

Restaurant must use a PCI PABP validated POS application, properly configured, implementing proper procedures, and installed following all site-specific PCI guidelines and rules.

That’s 4 areas needing attention:
1. Use PABP validated applications
2. Proper configuration
3. Proper procedures
4. Follow site guidelines

Page 6: PCI Compliance Technical Overview

1. Use PABP validated applications

- Use RM 15.1 (final release Sept 2006 or later)
- Use certified credit card processing gateways (e.g. Mercury Payment Systems, PC Charge, Datacap)

Page 7: PCI Compliance Technical Overview

2. Proper Configuration

Follow ASI PCI configuration guidelines:
- RM and Reseller PCI Guidance Doc
- Logging, Audit Trail
- Admin Password Expiration

Page 8: PCI Compliance Technical Overview

3. Proper Procedures

- Enforcing limited access to RM Server machine
- Internet use from Server machine
- Remote access (allowed only during incident)
- No emailing of card data

Page 9: PCI Compliance Technical Overview

4. Site Guidelines

Secure RM Server (credit card server):
- Physical access
- Logical access (open ports)
- Firewalled

Network Remote Access:
- 2-factor authentication (VPN + PCAnywhere passwords)

And Wireless …

Page 10: PCI Compliance Technical Overview

4. Site Guidelines (WiFi)

- Enable WPA with key rotation
- Change SSID from default
- Turn off SSID broadcast
- Implement MAC address filtering
- Install firewall services between APs and RM Server

Port/Service Restrictions
Only: TCP 80, DNS 53, ICMP
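The firewall restriction on this slide as an added audit script, not code from the slides or from ASI/RM: it parses a constructed iptables-save style rule list and reports any ACCEPT rule from the access points to the RM Server that is outside the allow-list (TCP 80, DNS 53, ICMP), plus a chain with no closing default deny. It assumes DNS means UDP and TCP 53, that AP-to-server traffic is filtered in the FORWARD chain, and that the addresses and the out-of-policy TCP 5631 (pcAnywhere) rule in the sample are constructed placeholders.

```python
import re

# Services the slide allows from the WiFi access points to the RM Server.
# "DNS 53" is read as both UDP and TCP 53 (assumption); ICMP has no port.
ALLOWED = {("tcp", 80), ("udp", 53), ("tcp", 53), ("icmp", None)}

# iptables-save style "-A" line: chain, optional -p proto, optional --dport, -j target
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)(?:.*?\s-p\s+(?P<proto>\S+))?"
    r"(?:.*?\s--dport\s+(?P<dport>\d+))?.*?\s-j\s+(?P<target>\S+)\s*$"
)

def parse_rules(text):
    """Return (chain, proto, dport, target) for each '-A' line; comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line.startswith("-A") else None
        if m:
            dport = int(m["dport"]) if m["dport"] else None
            rules.append((m["chain"], (m["proto"] or "any").lower(), dport, m["target"].upper()))
    return rules

def audit(text, chain="FORWARD"):
    """List ACCEPT rules outside the allow-list, and a missing default deny at the chain end."""
    findings = []
    chain_rules = [r for r in parse_rules(text) if r[0] == chain]
    for _, proto, dport, target in chain_rules:
        if target == "ACCEPT" and (proto == "any" or (proto, dport) not in ALLOWED):
            port = "*" if dport is None else dport
            findings.append(f"ACCEPT {proto}/{port} is not on the allow-list")
    if not chain_rules or chain_rules[-1][3] not in ("DROP", "REJECT"):
        findings.append(f"{chain} chain does not end with a default deny")
    return findings

# Constructed sample: AP segment 10.10.20.0/24 to RM Server 10.10.10.5 (placeholder addresses).
# The TCP 5631 (pcAnywhere) rule is deliberately present to show what the audit catches.
SAMPLE_RULES = """\
-A FORWARD -s 10.10.20.0/24 -d 10.10.10.5 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -d 10.10.10.5 -p udp --dport 53 -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -d 10.10.10.5 -p icmp -j ACCEPT
-A FORWARD -s 10.10.20.0/24 -d 10.10.10.5 -p tcp --dport 5631 -j ACCEPT
-A FORWARD -j DROP
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run it against the real `iptables-save` output of the firewall between the APs and the RM Server; an empty result means every ACCEPT matches the slide's allow-list and the chain ends in a default deny.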

Page 13: PCI Compliance Technical Overview

Network w/ WiFi (network diagram; labels: Internet, Symbol WS2000)

Page 14: PCI Compliance Technical Overview

Thank you

Questions?