pci_compliance: current revision 2022/04/12 10:52 by anemenzo (previous revision 2013/12/05 09:45 by cromo)
See: https://newaccount1608055419986.freshdesk.com/a/solutions/articles/66000503375

====== PCI ======
//Windward Software Inc//
  
===== What is the difference between PCI Compliance and PA-DSS Validation? =====

===== The 12 Requirements of the PCI DSS =====

Outlined below are the 12 requirements of the PCI DSS. For more details, refer to this [[https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf|link]] (the PCI SSC's //Navigating PCI DSS// guide for version 2.0).

^ Build and Maintain a Secure Network ^
| 1. Install and maintain a firewall configuration to protect data |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
^ Protect Cardholder Data ^
| 3. Protect stored data |
| 4. Encrypt transmission of cardholder data and sensitive information across public networks |
^ Maintain a Vulnerability Management Program ^
| 5. Use and regularly update anti-virus software |
| 6. Develop and maintain secure systems and applications |
^ Implement Strong Access Control Measures ^
| 7. Restrict access to data by business need-to-know |
| 8. Assign a unique ID to each person with computer access |
| 9. Restrict physical access to cardholder data |
^ Regularly Monitor and Test Networks ^
| 10. Track and monitor all access to network resources and cardholder data |
| 11. Regularly test security systems and processes |
^ Maintain an Information Security Policy ^
| 12. Maintain a policy that addresses information security |
  
===== Sensitive credit card data requires special handling =====
  
<note>
  * Expiry date
  * Card holder name
  * Also user passwords must be encrypted.
  
{{ :cardholder_data.png?direct&1000 |}}
//Note: The chip contains track-equivalent data as well as other sensitive data, including the Integrated Circuit (IC) Chip Card Verification Value (also referred to as Chip CVC, iCVV, CAV3 or iCSC).// \\
source: [[https://www.pcisecuritystandards.org/documents/navigating_dss_v20.pdf|Page 8]]


===== Set up Good Access Controls =====
The PCI DSS requires that access to all systems in the payment processing environment be protected
through use of unique users and complex passwords. Unique user accounts indicate that every

(SQL/MSDE), and "root" (UNIX/Linux).
  
==== Password Requirements ====
The PCI standard requires the following password complexity for compliance (often referred to as
using "strong passwords"):

  * Administrator passwords must be __at least 7 characters__.
  * Administrator passwords must include both __numeric and alphabetic characters__.
  * Administrator passwords must be __changed at least every 90 days__.
  * New administrator passwords __cannot be the same as the last 4 passwords__.\\
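The four administrator-password rules above can be enforced mechanically at password-change time. The following Python is an added example written for this page, not System Five code: it keeps the password history as salted PBKDF2 hashes (so the history itself never holds a readable password), rejects a candidate that is too short, lacks a letter or a digit, or matches any of the last four, and decides whether the 90-day rotation deadline has passed. The function names, the PBKDF2 round count and the sample passwords are assumptions of the example; the 7-character minimum is the PCI DSS v2.0 figure quoted on this page (PCI DSS v4.0 requirement 8.3.6 raises it to 12 characters).

```python
"""Password-policy check for the administrator rules listed on this page.
Added example; not System Five code. Names and the PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7        # PCI DSS v2.0 minimum quoted on this page (v4.0 req. 8.3.6: 12)
MAX_AGE_DAYS = 90     # must be changed at least every 90 days
HISTORY_DEPTH = 4     # may not match any of the last 4 passwords
PBKDF2_ROUNDS = 100_000

HistoryEntry = Tuple[bytes, bytes]   # (salt, derived key); never a plaintext password


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Derive a salted PBKDF2-HMAC-SHA256 key; this is the only form kept in history."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def matches(password: str, entry: HistoryEntry) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, key = entry
    return hmac.compare_digest(hash_password(password, salt)[1], key)


def check_new_password(candidate: str, history: List[HistoryEntry]) -> List[str]:
    """Return the policy violations for a proposed password; an empty list means accepted.
    `history` is most-recent-first; only the newest HISTORY_DEPTH entries are consulted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in candidate):
        problems.append("no numeric character")
    if any(matches(candidate, entry) for entry in history[:HISTORY_DEPTH]):
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def record_password(password: str, history: List[HistoryEntry]) -> List[HistoryEntry]:
    """Store the accepted password's hash at the front; drop entries the policy no longer needs."""
    return [hash_password(password)] + history[:HISTORY_DEPTH - 1]


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the password is more than MAX_AGE_DAYS old (dates as YYYY-MM-DD)."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed walk-through: four earlier passwords, then two change attempts.
    history: List[HistoryEntry] = []
    for old in ("Winter2021", "Spring2022", "Summer2022", "Autumn2022"):
        history = record_password(old, history)
    print(check_new_password("Winter2021", history))     # ['reused one of the last 4 passwords']
    print(check_new_password("Winter2023", history))     # [] -> accepted
    print(password_expired("2022-01-01", "2022-04-02"))  # True (91 days old)
```

Storing the history as salted hashes means a reuse check costs one key derivation per history entry, which is the reason the history is trimmed to exactly the depth the policy needs; a longer history would only make each password change slower without adding anything the rule asks for.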
  
^ PCI user account requirements beyond uniqueness and password complexity are listed below: ^
  
===== Log Settings must be Compliant =====
  * System Five has logging enabled by default and it is not configurable.
  * The log file can be viewed by an administrator via the System Five View Event Log window ((Navigator -> Setup Tools -> Utilities -> View Event Log)) under the Utilities menu.
  * All access to non-truncated cardholder data is logged by System Five. In addition, all logins, attempted logins, password changes, configuration changes and accesses to the log file itself are logged. Log file entries are date/time stamped and identify the user and system component.
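To show what a review routine over entries of the kind described above looks like, here is an added Python example; it is not System Five code, and the pipe-delimited record layout, the event names and the sample lines are constructed for the example. Each record carries the date/time, user, component, event type and outcome that PCI DSS 10.3 requires of an audit entry; lines missing those fields are reported rather than silently skipped, because an entry that cannot be attributed is itself a finding. Over the sample it flags any user ID that fails to log in six or more times within 30 minutes (six attempts is the lockout limit in PCI DSS 8.1.6), lists every view of non-truncated cardholder data for review, and reports access to the log itself by anyone outside the assumed administrator set.

```python
"""Review of audit-log entries of the kind this page describes.
Added example; not System Five code. The record layout, event names and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    when: datetime
    user: str        # unique user ID (PCI DSS 10.3.1)
    component: str   # system component that raised the event (10.3.6)
    kind: str        # event type (10.3.2)
    outcome: str     # "ok" or "fail" (10.3.4)
    detail: str      # free text: affected resource, origin, etc.


# Assumed layout for this example: timestamp|user|component|event|outcome|detail
def parse_line(line: str) -> Event:
    when, user, component, kind, outcome, detail = line.split("|", 5)
    return Event(datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), user, component, kind, outcome, detail)


def parse_log(text: str) -> Tuple[List[Event], List[str]]:
    """Parse every line; a line that cannot be attributed to a time, user and component is
    returned as malformed instead of being dropped, since such an entry fails 10.3."""
    events, malformed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(parse_line(line))
        except ValueError:      # wrong field count or unparseable timestamp
            malformed.append(line)
    return events, malformed


def failed_login_bursts(events: List[Event], threshold: int = 6,
                        window: timedelta = timedelta(minutes=30)) -> Dict[str, int]:
    """User IDs with `threshold` or more failed logins inside any sliding `window`;
    the value is the largest count seen. Six attempts is the PCI DSS 8.1.6 lockout limit."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.kind == "LOGIN" and e.outcome == "fail":
            fails[e.user].append(e.when)
    flagged: Dict[str, int] = {}
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def review(text: str, admins: Set[str]) -> dict:
    """Run the checks a daily log review would apply and return the findings."""
    events, malformed = parse_log(text)
    return {
        "malformed": malformed,
        "bursts": failed_login_bursts(events),
        # every view of non-truncated cardholder data goes to review, whoever did it
        "full_pan_views": [(e.when.isoformat(sep=" "), e.user, e.component, e.detail)
                           for e in events if e.kind == "CARD_VIEW_FULL"],
        # access to the log file itself by someone outside the administrator set
        "log_access_by_non_admin": [(e.when.isoformat(sep=" "), e.user)
                                    for e in events if e.kind == "LOG_VIEW" and e.user not in admins],
    }


# Constructed sample: one normal session, a six-failure burst followed by a success,
# an administrative password change, a log view by a non-admin, and one garbled line.
SAMPLE_LOG = """\
2022-04-12 09:00:05|jsmith|POS01|LOGIN|ok|workstation=WS-01
2022-04-12 09:01:10|jsmith|POS01|CARD_VIEW_FULL|ok|invoice=10443
2022-04-12 09:15:00|mlee|POS02|LOGIN|fail|bad password
2022-04-12 09:15:09|mlee|POS02|LOGIN|fail|bad password
2022-04-12 09:15:20|mlee|POS02|LOGIN|fail|bad password
2022-04-12 09:15:31|mlee|POS02|LOGIN|fail|bad password
2022-04-12 09:15:40|mlee|POS02|LOGIN|fail|bad password
2022-04-12 09:15:52|mlee|POS02|LOGIN|fail|bad password
2022-04-12 09:16:03|mlee|POS02|LOGIN|ok|workstation=WS-02
2022-04-12 10:30:00|admin|SETUP|PASSWORD_CHANGE|ok|target=jsmith
2022-04-12 10:52:00|mlee|SETUP|LOG_VIEW|ok|View Event Log
garbage line without the expected fields
"""

if __name__ == "__main__":
    for name, finding in review(SAMPLE_LOG, admins={"admin"}).items():
        print(name, finding)
```

The burst check uses a sliding window rather than a fixed per-hour bucket so that six failures straddling a bucket boundary are still caught; the sample's successful login immediately after the burst is exactly the sequence a reviewer would want to see together with the failures, which is why the findings keep the timestamp and component on every item.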
  
===== Maintain an Information Security Program =====

  - In the event of a system compromise, to determine who, where and why the system was compromised.
  
==== The events that are logged are as follows ====

  * General user events.

  * Debug logging should not be employed in a production environment.
  
===== Links =====

  * [[https://www.pcisecuritystandards.org/security_standards/glossary.php|Glossary of Terms]]
pci_compliance.1386265533.txt.gz · Last modified: 2013/12/05 09:45 (10 years ago) by cromo