
S

PCI DSS One Day


Training
SISA INFORMATION SECURITY



SISA Information Security Inc., […]


SISA Information Security Pvt. Ltd., India


SISA Information Security […], Bahrain


SISA Information Security Pte. Ltd., Singapore


SISA Information Security […], Dubai

The small print


The names of merchants, service providers and banks mentioned during the course of the workshop are only for example purposes. They should not be construed to indicate anything adverse or wrongful about their card brand.

The names of the tools mentioned during the workshop are only for example purposes


and do not offer a comprehensive list of the tools that exist in the marketplace.

While the trainer is highly regarded and qualified to conduct the training, the trainer is neither the spokesperson of […] nor of […].

© 2015 SISA Information Security Inc.
Page 1
Introduction
Dharshan Shanthamurthy,
Founder and Chief Executive Officer

Qualifications: […], ISO 27001 Lead Implementer, […] Authorized Trainer, […] Advisor, […] Application […] (…), Microsoft Certified Professional (…)



SISA Information Security Inc. is a Sunnyvale-based Payment Security Assurance company. SISA has presence in India, Singapore and the Middle East.

SISA was set up in 2003 and since then has worked with more than 1,000 organizations […]. SISA has trained over 5,000 professionals on payment security with its flagship certification […].

Dharshan was the proposer and lead for the Risk Assessment Group that authored the Risk Assessment Guidance Document.

   

  


Background
Securing organizations in over 30 countries across banks, information technology, insurance, e-commerce, payment providers, airlines, telecommunications and retail industries.
• Many firsts in […]

• […] Implementation Workshop (…)
• […] Formal Risk Assessment Workshop (…)
• Trained more than 5,000 Information Security professionals around the globe
• Pioneers of the […] Security Framework

© 2015 SISA Information Security Inc.
Page 2
Services | Training | Product

Compliance Services

8<8
8

8E8

 

Advisory Services: Risk Assessment; Formal Risk Assessment Workshop (…); Big Data, Privacy, Virtualization, Cloud Security; […] Security; Risk Assessment

Implementation Workshop (…); […] Management


Technical Security Services: Secure Payment Application Development; Data Discovery Tool; Mobile Security; Forensics
*,&-$*+>

<?
Document Management Support Services; Implementation Workshop; Product Evaluations, Policy/Procedures; Compliance Management support




%'%..


SISA




  

© 2015 SISA Information Security Inc.
Page 3
Ground rules
 ++'.-2.(13

Everybody participates

Listen actively

Share your knowledge (…)

Open mind

Ask questions

(Champion for good questions)

Objective
Understand the Payment Ecosystem

Understand the PCI DSS Compliance Program

Understand the PCI DSS Version 3.0 Requirements
Comparison between Version 2.0 and 3.0
Guidance on Risk Assessments, e-Commerce, Virtual/Cloud
Requirements on […]


© 2015 SISA Information Security Inc.
Page 4
INTRODUCTION TO
PCI-DSS
BACKGROUND CONCEPTS COMMONPLACE EVENTS
PCI COUNCIL

The Protagonist
Primary Account Number (PAN)


 


  

   




  

© 2015 SISA Information Security Inc.
Page 5
The other side

Magnetic stripe

Signature panel

X

ELEMENTS REQUIRED FOR


PAYMENT

 I

 






   




X

© 2015 SISA Information Security Inc.
Page 6
TRACK and CHIP
Track 1 data

Track 2 data

Track 3 data

Only Track 2 is used for financial transactions

Security measures

'.++.3. -*(-& 3912

Track 1 and Track 2


10 20 30 40 50 56

B 4 0 0 0 0 0 1 2 3 4 5 6 2 ^ P U B L I C J R / J O H N Q M R ^ 0 8 0 9 1 0 1 0 0 8 7 6 0 0 0 0 0 0

Format
Code
PAN
Separator
Title Separator
CVV/CVC
Suffix Reserved
Surname For
Separator Proprietary
use of
First Name Card issuer

Initial

Title

Title Separator

Expiration Date

Service Code

© 2015 SISA Information Security Inc.
Page 7
The Who is Who

 

 

 





The Service Providers





… and provide any service to any other entity

© 2015 SISA Information Security Inc.
Page 8
Service Provider Examples
+241,.22(-&D

Remittance processing and authentication providers

Managed firewall and […] service providers.
Software development companies, business process outsourcing companies, call centres, etc. for validation consequent to handling cardholder data.
Some entities are excluded from the definition of service provider, such as telecommunications companies that only provide communication links without access to the application layer of the communication link.

Transactions Card Present


 

M M

 


 


 
 

© 2015 SISA Information Security Inc.
Page 9
Transactions Card Not Present


 

M M

 


 


 

  

The core processing actions

 

– Establish the who

– Validation done by the issuer

– All activities leading to settlement

– All dues paid by everyone

© 2015 SISA Information Security Inc.
Page 10
Payment Card Fraud Evolution
1983 – Embossed counterfeit fraud
1988 – Encoded counterfeit fraud
1989 – Card-not-present fraud / fraud applications
1991 – Never-received-issue fraud
1992 – Merchant fraud
1994 – Identity theft
2000 – Skimmed counterfeit
2002 – Communications interception
2007 – Wireless/chip sniffing and card counterfeit / fake terminals
2010–15 – Server hacking / malware / memory scraping

PCI SSC

Payment Card Industry Security Standards Council

An independent industry standards body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis.

© 2015 SISA Information Security Inc.
Page 11
ROUTE TO
COMPLIANCE
PCI-DSS REQUIREMENTS COMPLIANCE FINDING CARD
NUMBERS

PCI-SSC Mandate
 
PCI DSS compliance applies to any entity that
– Stores Account Data
– Processes Account Data
– Transmits Account Data

Account Data consists of Cardholder Data and Sensitive Authentication Data

Entities can include, but are not limited to:
Merchants
Acquirers
Issuers
Service Providers
Trusted third parties

© 2015 SISA Information Security Inc.
Page 12
Driving the Compliance
 

;
1-& =,-31-.--4:(3=

 = 

,+22
-3&14.- 1.22(-& 

   




=

PCI-DSS Certification

Assessment · Remediation · Certification

Scoping · Audit
Mitigation

Risk Assessment / […]
Milestone reviews
Gap analysis · Certificate of Compliance

© 2015 SISA Information Security Inc.
Page 13
The most important slide

PCI-DSS v3.0
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications


© 2015 SISA Information Security Inc.
Page 14
PCI-DSS v3.0

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

PCI Risk Assessment Flow


General Description of Scope

Assets

Threats
Risk Analysis / Risk Identification

Vulnerabilities

Risk Analysis / Risk Estimation and Evaluation, Risk Profiling

Risk Treatment Plan

Risk Treatment Results and Documentation

© 2015 SISA Information Security Inc.
Page 15
Recap

1. __________ payment card brand is never an acquirer or issuer.

2. PCI DSS is managed by ________________.

3. PCI DSS is applicable to any organization that ____________, ______________ or _____________ cardholder information.

4. Enforcement of PCI DSS is done by ______________.

Where do we find card data


Anywhere

Network traffic · Databases · Files · Reports · Logs

© 2015 SISA Information Security Inc.
Page 16
Mod 10 Formula Luhns Algorithm
1. Double the value of alternate digits of the primary account number, beginning with the second digit from the right. For any resulting value ≥ 10, subtract 9.
2. Add the calculated values as well as the values skipped in step 1 together.
3. The total obtained in step 2 must be divisible by 10.
(A Luhn check only catches transcription errors; a number that passes it is not necessarily an issued or active PAN.)

4 4 0 8 9 8 5 5 0 0 0 0 0 5 8 5

x2 x2 x2 x2 x2 x2 x2 x2

8 0 18 10 0 0 0 16

-9 -9 -9

8 4 0 8 9 8 1 5 0 0 0 0 0 5 7 5

Exercise 1 :
Check whether the following 16-digit numbers are valid card numbers:

5490123456789123
4048343750019754

Individual activity
Duration: 15 minutes

© 2015 SISA Information Security Inc.
Page 17
Oh and yes 

Full track data and sensitive authentication data cannot be stored after authorization (even if encrypted).

Scoping relevant systems



PCI DSS security requirements apply to all system components.
System component – any network component, server, or application that is included in or connected to the cardholder data environment.
System components also include any virtualization components.
Cardholder data environment is that part of the network that stores, processes, and/or transmits cardholder data or sensitive authentication data.
Virtualization components include virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors.

© 2015 SISA Information Security Inc.
Page 18
Scoping out - Network

Requirement 1: Install and maintain a firewall configuration to protect


cardholder data

1.1 Establish and implement firewall and router configuration standards.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network.
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.

© 2015 SISA Information Security Inc.
Page 19
Requirement 2: Do not use vendor-supplied defaults for system passwords
and other security parameters

2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

This applies to ALL default passwords, including but not limited to those used by operating systems, software that provides security services, application and system accounts, point-of-sale (POS) terminals, Simple Network Management Protocol (SNMP) community strings, etc.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards […]

2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access. (Reviewer note: this is the v3.0 wording; later PCI DSS releases no longer accept SSL or early TLS as strong cryptography — use current TLS versions.)

Requirement 2: Do not use vendor-supplied defaults for system passwords


and other security parameters

2.4 Maintain an inventory of system components that are in scope for PCI DSS.

2.5 Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties.

2.6 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

© 2015 SISA Information Security Inc.
Page 20
Exercise 2 : Firewall Rule Review
Rule | Source | Destination | Service | Action
1 · […] Server · […], […] · Accept
2 · Internal Server · […] · Accept
3 · 192.168.1.0 · Server · […] · Accept
4 · Server · 21 · Accept
5 · Mail Server · […], […]3 · Accept
6 · Internal Server · […] · Accept
7 · Database Server · […] · Accept
8 · Database Server · […] · Accept
9 · 122.37.41.38 · […] · Accept
10 · […] · […], […] · Accept
11 · […] · […] · Accept
(Zone and protocol names set in capitals did not survive extraction. Note that every rule in the set is an Accept — review it against Requirement 1.2, which restricts connections between untrusted networks and the CDE.)

Individual activity
Duration: 15 minutes

Identifying the data



Identify all systems that store, process, or transmit cardholder data
Create a matrix of systems including:
– System name
– Cardholder data stored (list fields)
– Retention period
– Protection mechanism
Protect stored data per PCI DSS 3.4 (hashing, encryption, or truncation)

If an organization cannot render cardholder data unreadable, it is allowable to utilize compensating controls, provided the organization has undertaken a risk analysis and has legitimate technological or documented business constraints.

© 2015 SISA Information Security Inc.
Page 21
Card Holder Matrix

Application Name | Version | Application Description | Data Element Scheme | Column Name | Retention Period | Protection
[…] 2.2 | […] application | […] | […] | Column […] | 2 yrs | […]

Filename / Location (address / path) where data stored | Business reason | Retention Period | Protection
[…]__server 192.168.10.5 | […] for chargeback | 2 yrs | […] number

Requirement 3: Protect stored cardholder data


3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following for all cardholder data (CHD) storage:

– Limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
– Processes for secure deletion of data when no longer needed
– Specific retention requirements for cardholder data
– A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.


© 2015 SISA Information Security Inc.
Page 22
Requirement 3: Protect stored cardholder data

3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

It is permissible for issuers and companies that support issuing services to store sensitive authentication data if:
– There is a business justification and
– The data is stored securely.

3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.



Requirement 3: Protect stored cardholder data


3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
• One-way hashes based on strong cryptography (hash must be of the entire PAN)
• Truncation (hashing cannot be used to replace the truncated segment of PAN)
• Index tokens and pads (pads must be securely stored)
• Strong cryptography with associated key-management processes and procedures.

Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.

© 2015 SISA Information Security Inc.
Page 23
Requirement 3: Protect stored cardholder data
3.5 Document and implement procedures to protect keys used to secure stored cardholder data against disclosure and misuse.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.

Requirement 4: Encrypt transmission of cardholder data across open, public


networks

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
– Only trusted keys and certificates are accepted.
– The protocol in use only supports secure versions or configurations.
– The encryption strength is appropriate for the encryption methodology in use.

Examples of open, public networks include but are not limited to:
– The Internet
– Wireless technologies, including 802.11 and Bluetooth
– Cellular technologies, for example, Global System for Mobile communications (GSM), Code division multiple access (CDMA)
– General Packet Radio Service (GPRS)
– Satellite communications.


© 2015 SISA Information Security Inc.
Page 24
Requirement 4: Encrypt transmission of cardholder data
across open, public networks

4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

4.3 Ensure that security policies and operational procedures for encrypting transmissions of cardholder data are documented, in use, and known to all affected parties.

Requirement 5: Protect all systems against malware and regularly update


anti-virus software or programs

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
5.1.2 For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are maintained as follows:
– Are kept current,
– Perform periodic scans,
– Generate audit logs which are retained per PCI DSS Requirement 10.7.


© 2015 SISA Information Security Inc.
Page 25
Requirement 5: Protect all systems against malware and regularly update
anti-virus software or programs

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

Note: Anti-virus solutions may be temporarily disabled only if there is legitimate technical need, as authorized by management on a case-by-case basis. If anti-virus protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-virus protection is not active.

5.4 Ensure that security policies and operational procedures for protecting systems against malware are documented, in use, and known to all affected parties.

Requirement 6: Develop and maintain secure systems and applications

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as "high," "medium," or "low") to newly discovered security vulnerabilities.

Note: Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.

Methods for evaluating vulnerabilities and assigning risk ratings will vary based on an organization's environment and risk-assessment strategy. Risk rankings should, at a minimum, identify all vulnerabilities considered to be a "high risk" to the environment. In addition to the risk ranking, vulnerabilities may be considered "critical" if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.

© 2015 SISA Information Security Inc.
Page 26
Requirement 6: Develop and maintain secure systems and applications

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

Note: Critical security patches should be identified according to the risk ranking process defined in Requirement 6.1.

6.3 Develop internal and external software applications (including web-based administrative access to applications) securely, as follows:
– In accordance with PCI DSS (for example, secure authentication and logging)
– Based on industry standards and/or best practices.
– Incorporating information security throughout the software-development life cycle

Note: This applies to all software developed internally as well as bespoke or custom software developed by a third party.

Requirement 6: Develop and maintain secure systems and applications

6.4 Follow change control processes and procedures for all changes to system components. The processes must include the following:
6.4.1 Separate development/test environments from production environments, and enforce the separation with access controls.
6.4.2 Separation of duties between development/test and production environments
6.4.3 Production data (live PANs) are not used for testing or development
6.4.4 Removal of test data and accounts before production systems become active
6.4.5 Change control procedures for the implementation of security patches and software modifications must include the following:
6.4.5.1 Documentation of impact.
6.4.5.2 Documented change approval by authorized parties.
6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system.
6.4.5.4 Back-out procedures.

© 2015 SISA Information Security Inc.
Page 27
Requirement 6: Develop and maintain secure systems and applications

6.5 Address common coding vulnerabilities in software-development processes as follows:
– Train developers in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
– Develop applications based on secure coding guidelines.

Note: The vulnerabilities listed at 6.5.1 through 6.5.10 were current with industry best practices when this version of PCI DSS was published. However, as industry best practices for vulnerability management are updated (for example, the OWASP Guide, SANS CWE Top 25, CERT Secure Coding, etc.), the current best practices must be used for these requirements.


Requirement 6: Develop and maintain secure systems and applications

6.5.1 Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws as well as other injection flaws.

6.5.2 Buffer overflows

6.5.3 Insecure cryptographic storage

6.5.4 Insecure communications

6.5.5 Improper error handling

6.5.6 All "high risk" vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).

6.5.7 Cross-site scripting (XSS)

6.5.8 Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).

© 2015 SISA Information Security Inc.
Page 28
Requirement 6: Develop and maintain secure systems and applications

6.5.9 Cross-site request forgery (CSRF)
6.5.10 Broken authentication and session management
Note: Requirement 6.5.10 is a best practice until June 30, 2015, after which it becomes a requirement.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
– Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes. Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.
– Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.
6.7 Ensure that security policies and operational procedures for developing and maintaining secure systems and applications are documented, in use, and known to all affected parties.

Recap
1. What are the different approaches to make PAN unreadable?

2. Can truncated and hashed data be stored together?

3. What is the expectation of PCI DSS from secure coding practices?

© 2015 SISA Information Security Inc.
Page 29
Requirement 7: Restrict access to cardholder data by business need to know

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.

7.1.1 Define access needs for each role, including:
– System components and data resources that each role needs to access for their job function
– Level of privilege required (for example, user, administrator, etc.) for accessing resources.

7.1.2 Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.

7.1.3 Assign access based on individual personnel's job classification and function.

7.1.4 Require documented approval by authorized parties specifying required privileges.

Requirement 7: Restrict access to cardholder data by business need to know

7.2 Establish an access control system for systems components that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

This access control system must include the following:

7.2.1 Coverage of all system components

7.2.2 Assignment of privileges to individuals based on job classification and function.

7.2.3 Default "deny-all" setting.

7.3 Ensure that security policies and operational procedures for restricting access to cardholder data are documented, in use, and known to all affected parties.

© 2015 SISA Information Security Inc.
Page 30
Requirement 8: Identify and authenticate access to system components

8.1 Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components.
8.2 In addition to assigning a unique ID, ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
– Something you know, such as a password or passphrase
– Something you have, such as a token device or smart card
– Something you are, such as a biometric

8.3 Incorporate two-factor authentication for remote network access originating from outside the network by personnel (including users and administrators) and all third parties (including vendor access for support or maintenance).

Requirement 8: Identify and authenticate access to system components

8.4 Document and communicate authentication procedures and policies to all users including:
– Guidance on selecting strong authentication credentials
– Guidance for how users should protect their authentication credentials
– Instructions not to reuse previously used passwords
– Instructions to change passwords if there is any suspicion the password could be compromised.

8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods as follows:
– Generic user IDs are disabled or removed.
– Shared user IDs do not exist for system administration and other critical functions.
– Shared and generic user IDs are not used to administer any system components.



© 2015 SISA Information Security Inc.
Page 31
Requirement 8: Identify and authenticate access to system components

8.6 Where other authentication mechanisms are used (for example, physical or logical security tokens, smart cards, certificates, etc.), use of these mechanisms must be assigned as follows:

– Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.

– Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.


Requirement 8: Identify and authenticate access to system components

8.7 All access to any database containing cardholder data (including access by applications, administrators, and all other users) is restricted as follows:
– All user access to, user queries of, and user actions on databases are through programmatic methods.
– Only database administrators have the ability to directly access or query databases.
– Application IDs for database applications can only be used by the applications (and not by individual users or other non-application processes).

8.8 Ensure that security policies and operational procedures for identification and authentication are documented, in use, and known to all affected parties.


© 2015 SISA Information Security Inc.
Page 32
Requirement 9: Restrict physical access to cardholder data

9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.

9.2 Develop procedures to easily distinguish between onsite personnel and visitors, to include:
– Identifying new onsite personnel or visitors (for example, assigning badges)
– Changes to access requirements
– Revoking or terminating onsite personnel and expired visitor identification (such as ID badges).

9.3 Control physical access for onsite personnel to the sensitive areas as follows:
– Access must be authorized and based on individual job function.
– Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.

Requirement 9: Restrict physical access to cardholder data

9.4 Implement procedures to identify and authorize visitors.

9.5 Physically secure all media.

9.6 Maintain strict control over the internal or external distribution of any kind of media.

9.7 Maintain strict control over the storage and accessibility of media.

9.8 Destroy media when it is no longer needed for business or legal reasons.

9.9 Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

9.10 Ensure that security policies and operational procedures for restricting physical access to cardholder data are documented, in use, and known to all affected parties.

© 2015 SISA Information Security Inc.
Page 33
Requirement 10: Track and monitor all access to network resources and
cardholder data

10.1 Implement audit trails to link all access to system components to each individual user.

10.2 Implement automated audit trails for all system components to reconstruct the following events:
10.2.1 All individual user accesses to cardholder data
10.2.2 All actions taken by any individual with root or administrative privileges
10.2.3 Access to all audit trails
10.2.4 Invalid logical access attempts
10.2.5 Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges
10.2.6 Initialization, stopping, or pausing of the audit logs
10.2.7 Creation and deletion of system-level objects


Requirement 10: Track and monitor all access to network resources and
cardholder data

10.3 Record at least the following audit trail entries for all system components for each event:

10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
Note: One example of time synchronization technology is Network Time Protocol (NTP).

© 2015 SISA Information Security Inc.
Page 34
Requirement 10: Track and monitor all access to network resources and
cardholder data

10.5 Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need.
10.5.2 Protect audit trail files from unauthorized modifications.
10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
10.5.4 Write logs for external-facing technologies onto a secure, centralized, internal log server or media device.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

Requirement 10: Track and monitor all access to network resources and
cardholder data

10.6 Review logs and security events for all system components to identify anomalies or suspicious activity.

Note: Log harvesting, parsing, and alerting tools may be used to meet this Requirement.

10.6.1 Review the following at least daily:
– All security events
– Logs of all system components that store, process, or transmit CHD and/or SAD, or that could impact the security of CHD and/or SAD
– Logs of all critical system components
– Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment.
10.6.3 Follow up exceptions and anomalies identified during the review process.


© 2015 SISA Information Security Inc.
Page 35
Requirement 10: Track and monitor all access to network resources and
cardholder data

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).

10.8 Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties.

Golden Logging Architecture

© 2015 SISA Information Security Inc.
Page 36
Requirement 11: Regularly test security systems and processes.

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.3 Implement a methodology for penetration testing that includes the following:
– Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
– Includes coverage for the entire CDE perimeter and critical systems
– Includes testing from both inside and outside the network
– Includes testing to validate any segmentation and scope-reduction controls
– Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
– Defines network-layer penetration tests to include components that support network functions as well as operating systems
– Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
– Specifies retention of penetration testing results and remediation activities results.


Requirement 11: Regularly test security systems and processes.

11.3 Implement a methodology for penetration testing that includes the following:
– Is based on industry-accepted penetration testing approaches (for example, NIST SP800-115)
– Includes coverage for the entire CDE perimeter and critical systems
– Includes testing from both inside and outside the network
– Includes testing to validate any segmentation and scope-reduction controls
– Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5
– Defines network-layer penetration tests to include components that support network functions as well as operating systems
– Includes review and consideration of threats and vulnerabilities experienced in the last 12 months
– Specifies retention of penetration testing results and remediation activities results.

© 2015 SISA Information Security Inc.
Page 37
Requirement 11: Regularly test security systems and processes.

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

11.5 Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

11.6 Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties.

Recap
1. Firewall rules are required to be reviewed every __________.

2. ____________ is allowed to be stored under PCI DSS for a legitimate business requirement.

3. Antivirus software is required to be implemented on _______________.

4. Audit trails are required to be stored for a period of _________.

5. External scans are required to be done ____________.

6. Relevant patches are required to be installed ___________.


© 2015 SISA Information Security Inc.
Page 38
Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.1 Establish, publish, maintain, and disseminate a security policy.

12.1.1 Review the security policy at least annually and update the policy when the environment changes.

12.2 Implement a risk-assessment process that:
– Is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.),
– Identifies critical assets, threats, and vulnerabilities, and
– Results in a formal risk assessment.

Examples of risk-assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.



Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.3 Develop usage policies for critical technologies and define proper use of these technologies.

Examples of critical technologies include, but are not limited to, remote access and wireless technologies, laptops, tablets, removable electronic media, e-mail usage and Internet usage.

Ensure these usage policies require the following:
12.3.1 Explicit approval by authorized parties
12.3.2 Authentication for use of the technology
12.3.3 A list of all such devices and personnel with access
12.3.4 A method to accurately and readily determine owner, contact information, and purpose (for example, labeling, coding, and/or inventorying of devices)
12.3.5 Acceptable uses of the technology

© 2015 SISA Information Security Inc.
Page 39
Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.3.6 Acceptable network locations for the technologies

12.3.7 List of company-approved products

12.3.8 Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity

12.3.9 Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use

12.3.10 For personnel accessing cardholder data via remote-access technologies, prohibit the copying, moving, and storage of cardholder data onto local hard drives and removable electronic media, unless explicitly authorized for a defined business need.

Where there is an authorized business need, the usage policies must require the data be protected in accordance with all applicable PCI DSS Requirements.

Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.

12.5 Assign to an individual or team the following information security management responsibilities:

12.5.1 Establish, document, and distribute security policies and procedures.

12.5.2 Monitor and analyze security alerts and information, and distribute to appropriate personnel.

12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.

12.5.4 Administer user accounts, including additions, deletions, and modifications.

12.5.5 Monitor and control all access to data.

12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

© 2015 SISA Information Security Inc.
Page 40
Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.6.1 Educate personnel upon hire and at least annually.
Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources. (Examples of background checks include previous employment history, criminal record, credit history, and reference checks.)
Note: For those potential personnel to be hired for certain positions such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:

12.8.1 Maintain a list of service providers.

Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess or otherwise store, process or transmit on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.

Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.

© 2015 SISA Information Security Inc.
Page 41
Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.
12.9 Additional requirement for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's cardholder data environment.
Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.
Note: The exact wording of an acknowledgement will depend on the agreement between the two parties, the details of the service being provided, and the responsibilities assigned to each party. The acknowledgement does not have to include the exact wording provided in this requirement.

Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.

12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
– Roles, responsibilities, and communication and contact strategies in the event of a compromise including notification of the payment brands, at a minimum
– Specific incident response procedures
– Business recovery and continuity procedures
– Data backup processes
– Analysis of legal requirements for reporting compromises
– Coverage and responses of all critical system components
– Reference or inclusion of incident response procedures from the payment brands.

© 2015 SISA Information Security Inc.
Page 42
Requirement 12: Maintain a policy that addresses information security for all
personnel.

12.10.2 Test the plan at least annually.

12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.

12.10.4 Provide appropriate training to staff with security breach response responsibilities.

12.10.5 Include alerts from security monitoring systems, including but not limited to intrusion-detection, intrusion-prevention, firewalls, and file-integrity monitoring systems.

12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

PCI Success Plan*


1. Get the highest level of sponsorship for the program
2. Get the right team/people behind the program
3. Put a proper project plan and budget sufficient time to get it right
4. Conduct 3 types of training:
   a. […] training for implementers
   b. […] training for decision makers
   c. […] training for developers
5. Creation of a cross-functional Steering Committee
6. Identify cardholder data in the environment

*Extract of the […] Success Plan

© 2015 SISA Information Security Inc.
Page 43
PCI Success Plan*
7. Conduct Risk Assessment
8. Conduct self-assessment on […] for critical applications at the earliest
9. Gap discussion and agreement between internal stakeholders
10. Remediation: separate plan and inform key stakeholders of any delay
11. Periodic Steering Committee meetings to take decisions
12. Milestone review […] to discuss the technical challenges and agreement with […]

*Extract of the […] Success Plan

THANK YOU


Q

D 


   

  

© 2015 SISA Information Security Inc.
Page 44
