- .1,4.-91(3=
-DA
- .1,4.-91(3=:3D3A
-(
- .1,4.-91(3=A'1(-
- .1,4.-91(3=3D3DA(-&/.1
- .1,4.-91(3=A9(
'(+ 3'
31(-1 (2 '(&'+= 1&1 - 09+(" 3. .-93 3' 31(-(-&A 3'
31(-1(2-(3'13'2/.*2/12.-.
-.1
D
RXVW[
- .1,4.-91(3=
-D W
Introduction
$,-$)$).$(1,.$58
*1),)$% 41/2",
/$"-'&+6 5 :5 5 5 5 5 ?C==> %($%&,*5 5 ; :< /,!'*"4
*"&*&0"+'*5
*-(($"-'&&+,*;<5"*'+'*-*'++"'&$;<5
- .1,4.- 91(3=
-D (2 9--=:+ 2 =,-3 91(3= 2291- .,/-=D
'2
/12-(-
-(A(-&/.1-
(+23D
;2239/(-XVVY-2(-3'-'2;.1*;(3'
,.13'-WAVVV.1&-(>4.-22AI-D
'231(-.:1[AVVV/1. 22(.-+2.-
/=,-3291(3=;(3'(32$&2'(/14"4.-
D '12'-;23'/1./.21-+ .13'
(2*2222,-31.9/3'393'.13'
(2*2222,-3&9(-.9,-3D
Background
1,%)#,#)%6/*)-%)*2,FC*1).,%--+,,*--)&-8
) *,(/*)$)*'*#58
)-1,)8<
*((,85().,2%+,*2%,-8%,'%)-8'*((1)%/*)-).%'%)1-.,%-:
o
-="1232(-
o
,/+,-34.-.1*2'./N
O-.1,+(2*2222,-3.1*2'./N
O
o1(-,.13'-[AVVV
- .1,4.-291(3=/1. 22(.-+21.9-3'&+.
o(.-12. =-1&491(3=1,;.1*
RXVW[
- .1,4.-91(3=
-D X
1:(2 1(-(-& 1.93
*(+'%),2%-
8<8
8
8E8
2%-*,5,2%- %-&----().
*,('%-&----().3*,&-$*+>
?
%#.8,%25%,.1'%6/*)8'*1
1,%.58
;
1,%.58%-&----().
(+'()./*)*,&-$*+>
? /*)
)#().
$)%'1,%.5,2%- 1,5().++'%/*)2'*+(). .%-*2,5**'
8
*%'1,%.58*,)-%-
*,&-$*+>
<?
*1().
)#().
1++*,.,2%-
(+'()./*)*,&-$*+
,*1.2'1/*)-8*'%5;,*1,- *(+'%)
)#().
-1++*,.8;
%'%..
SISA
RXVW[
- .1,4.-91(3=
-D Y
Ground rules
++'.-2.(13
:1=.=14(/32
(23-4:+=
'1.91-.;+&N931( O
/- (-
2*924.-2
N
',/(.- .1&..0924.-2O
Objective
-123-3'=,-31.2=23,
.,/+(-1.&1,
-123-
12(.-YDV09(1,-32
.,/1(2.-3;-12(.-XDV-YDV
9(-.-
(2*2222,-32AI.,,1A(139+H+.9
09(1,-32.-
RXVW[
- .1,4.-91(3=
-D Z
INTRODUCTION TO
PCI-DSS
BACKGROUND CONCEPTS COMMONPLACE EVENTS
PCI COUNCIL
The Protagonist
1(,1=.9-39,1
RXVW[
- .1,4.-91(3=
-D [
The other side
&-431(/
(&-391+
X
X
RXVW[
- .1,4.-91(3=
-D \
TRACK and CHIP
1*W3
1*X3
1*Y3
-+=1*X(292 .1"--(+31-24.-2
91(3= 2912
B 4 0 0 0 0 0 1 2 3 4 5 6 2 ^ P U B L I C J R / J O H N Q M R ^ 0 8 0 9 1 0 1 0 0 8 7 6 0 0 0 0 0 0
Format
Code
PAN
Separator
Title Separator
CVV/CVC
Suffix
Surname
Separator
First Name
Reserved for proprietary use of card issuer
Initial
Title
Title Separator
Expiration Date
Service Code
RXVW[
- .1,4.-91(3=
-D ]
The Who's Who
-/1.:(-=21:(3.-=.3'1-43=
RXVW[
- .1,4.-91(3=
-D ^
Service Provider Examples
+241,.22(-&D
,(6-/1.22(-&-93'-44.-1.:(12
-&"1;++-
21:(/1.:(12D
.%;1:+./,-3.,/-(2A92(-221.22932.91(-&.,/-(2A++
-312A3D .1
+(4.-.-209-33.'-+(-&1'.+1
3D
.,21:(/1.:(12,=-.3(-+929'23+.,,9-(4.-2.,/-(23'3
.-+=/1.:(.,,9-(4.-2+(-*2;(3'.93223.3'//+(4.-+=1. 3'
.,,9-(4.-+(-*D
M M
RXVW[
- .1,4.-91(3=
-D _
Transactions Card Not Present
M M
I 23+(2'3';'.
I +(4.-.-=3'(2291
I ++4:(42+(-&3.26+,-3
RXVW[
- .1,4.-91(3=
-D WV
Payment Card Fraud Evolution
W_^Y I,.22.9-31 (3 19
W_^^ I-..9-31 (3 19
W_^_ 1-.3/12-3 19H 19//+(4.-2
W__W :11(:(229 19
W__X
1'-3 19
W__Z
-43='%
XVVV *(,,.9-31 (3
XVVX .,,9-(4.-2(-31/4.-
XVV] (1+22H'(/2-(#-&-1.9-31 (3H*31,(-+2
XVWVIW[ 1:1 *(-&H
+;1H
,.1=1//(-&
PCI SSC
5().,
)1-.,51,%.5.),-*1)%'
-(-/--3(-9231=23-12.=/1.:((-&.:12(&'3. 3':+./,-3-,-&,-3.
=,-31
-9231=91(3=3-12.-&+.+2(2
RXVW[
- .1,4.-91(3=
-D WW
ROUTE TO
COMPLIANCE
PCI-DSS REQUIREMENTS COMPLIANCE FINDING CARD
NUMBERS
PCI-SSC Mandate
I.,/+(-//+(23.-=-43=3'3
.*,-.9-33
,*---.9-33
,)-(%.-.9-33
.9-33.-2(232. 1'.+13-2-2(4:93'-44.-3
)//-(-+9A93-.3+(,(33.C
1'-32
09(112
22912
1:(1.:(12
1923'(1142
RXVW[
- .1,4.-91(3=
-D WX
Driving the Compliance
;
1-& =,-31-.--4:(3=
,+22
-3&14.- 1.22(-&
PCI-DSS Certification
./(-& 9(3
(4&4.-
(2*2222,-3 H
(+23.-:(;2
/-+=2(2 14"3. .,/+(-
RXVW[
- .1,4.-91(3=
-D WY
The most important slide
PCI-DSS v3.0
1%')
%).%)1,.3*,&)5-.(-
D:
-23++-,(-3(-"1;++.-"&914.-3./1.331'.+13
E:.-.392:-.1I29//+( 9+32 .12=23,/22;.12-.3'1291(3=/1,312
,*..,$*',.
F:1.3323.11'.+13
G:-1=/331-2,(22(.-. 1'.+131.22./-A/9+(-3;.1*2
%).%)1'),%'%.5
)#().,*#,(
H:1.33++2=23,2&(-23,+;1-1&9+1+=9/3-4I:(1922.%;1.1/1.&1,2
I::+./-,(-3(-2912=23,2-//+(4.-2
RXVW[
- .1,4.-91(3=
-D WZ
PCI-DSS v3.0
(+'()..,*)#--*).,*'
-1,-
J:231(3223.1'.+13=92(-22-3.*-.;
K:
-4 =-93'-43223.2=23,.,/.--32
L:231(3/'=2(+223.1'.+13
#1','5
*)%.*,)-..3*,&-
DC:1*-,.-(3.1++223.-3;.1*12.912-1'.+13
DD:&9+1+=323291(3=2=23,2-/1.222
%).%))
) *,(/*)1,%.5*'%5
DE:
(-3(-/.+(=3'31222(- .1,4.-291(3= .1++/12.--+
--.
$,.
%-&)'5-%-9%-&
)/!/*)
1'),%'%/-
%-&)'5-%-9%-&-/(/*))2'1/*) %-&,*!'%)#
%-&,.().')
%-&,.(). -1'.-*1()./*)
RXVW[
- .1,4.-91(3=
-D W[
Recap
WD LLLLLLLLLL/=,-31-(2-:1-09(11.1(2291D
XD
(2,-&=LLLLLLLLLLLLLLLLD
YD
(2//+(+3.-=.1&-(>4.-3'3LLLLLLLLLLLLALLLLLLLLLLLLLL
LLLLLLLLLLLLL1'.+1(- .1,4.-D
ZD - .1,-3.
(2.-=LLLLLLLLLLLLLLD
RXVW[
- .1,4.-91(3=
-D W\
Mod 10 Formula: Luhn's Algorithm
WD .9+3':+9. +31-3(&(32. 3'/1(,1=.9-3-9,1&(--(-&;(3'3'2.-
(&(3 1.,3'1(&'3D.1-=129+4-&:+9a`WVA29313_D
XD 3'+9+3:+922;++23':+922*(//(-3/W3.&3'1D
YD '3.3+.3(-(-3/X,923(:(2(+=WVD
Card number:   4   4   0   8   9   8   5   5   0   0   0   0   0   5   8   5
Double:       x2      x2      x2      x2      x2      x2      x2      x2
Doubled:       8       0      18      10       0       0       0      16
Subtract 9:                   -9      -9                              -9
Result:        8   4   0   8   9   8   1   5   0   0   0   0   0   5   7   5
Sum of the result digits = 60, which is divisible by 10, so the number passes the Mod 10 check.
(The check only catches transcription errors: a number that passes it is well-formed, not necessarily a genuine, issued card number.)
Exercise 1 :
'*;'3'13' .++.;(-&W\(&(3-9,121:+(1-9,12C
5490123456789123
4048343750019754
-(:(9+4:(3=
(,914.-CW[
(-932
RXVW[
- .1,4.-91(3=
-D W]
Oh and yes
9++31*3-2-2(4:93'-44.-3--.3
23.1%193'.1(>4.-D
RXVW[
- .1,4.-91(3=
-D W^
Scoping out - Network
D:D23+(2'-(,/+,-3"1;++-1.931.-"&914.-23-12
D:E9(+"1;++-1.931.-"&914.-23'31231(3.--4.-23;-9-31923-3;.1*2--=
2=23,.,/.--32(-3'1'.+13-:(1.-,-3D
D:F1.'((3(13/9+(223;-3'
-31-3--=2=23,.,/.--3(-3'1'.+13
-:(1.-,-3D
D:G
-23++/12.-+"1;++2.%;1.--=,.(+-H.1,/+.=I.;-:(23'3.--33.3'
-31-3;'-.932(3'-3;.1*N .1<,/+A+/3./292=,/+.=2OA-;'('1+2.923.
223'-3;.1*D
D:H-2913'3291(3=/.+((2-./14.-+/1.912 .1,-&(-&"1;++21.9,-3A(-92A
-*-.;-3.++!3/142D
RXVW[
- .1,4.-91(3=
-D W_
Requirement 2: Do not use vendor-supplied defaults for system passwords
and other security parameters
E:E:+./.-"&914.-23-12 .1++2=23,.,/.--32D22913'33'223-12122++*-.;-291(3=
:9+-1(+(42-1.-2(23-3;(3'(-9231=I/32=23,'1-(-&23-12D.912. (-9231=I/3
2=23,'1-(-&23-12
E:F-1=/3++-.-I.-2.+,(-(2314:2292(-&231.-&1=/3.&1/'=D23'-.+.&(229'2 AA.1H
.1;I2,-&,-3-.3'1-.-I.-2.+,(-(2314:22D
E:I'1'.24-&/1.:(12,923/1.33'-43=E2'.23-:(1.-,-3-1'.+13D'2
/1.:(12,923,32/("109(1,-3223(+(-((&"26"-'&$ )/"*%&,+'*
!*'+-& *'0"*+7
RXVW[
- .1,4.-91(3=
-D XV
Exercise 2 : Firewall Rule Review
1'* *1, -/)/*) ,2%- /*)
W 1:1 A /3
X
-31-+1:1 /3
Y W_XDW\^DWDV 1:1 /3
Z 1:1 XW /3
[
(+1:1
AY /3
\
-31-+1:1 /3
] 321:1 /3
^ 321:1 /3
_ WXXDY]DZWDY^ /3
WV A /3
WW /3
-(:(9+4:(3=
(,914.-CW[
(-932
RXVW[
- .1,4.-91(3=
-D XW
Card Holder Matrix
,2,(
%'(;*/*)3$, ..*, 1-%)--,-*) .)/*) ,*./*)
,-- .$ -.*, ,%*
(,(4-&323.1&,.9-3-13-4.-4,3.3'3;'('(2109(1 .1+&+A1&9+3.1=A-
92(-22109(1,-32
/("13-4.-109(1,-32 .11'.+13
"-13-4.-D
RXVW[
- .1,4.-91(3=
-D XX
Requirement 3: Protect stored cardholder data
F:E
.-.323.12-2(4:93'-44.-3%193'.1(>4.-N:-( -1=/3OD
2-2(4:93'-44.-
3(21(:A1-1++39-1.:1+9/.-.,/+4.-. 3'93'.1(>4.-/1.22D
,"+(*%"++"$'*"++/*+&'%(&"+,!,+/(('*,"++/"& +*0"+,'+,'*+&+"-0/,!&--'&,"6
'1(292(-22)924"4.-
'3(223.1291+=D
F:F
2*;'-(2/+=N3'"1232(<-+23 .91(&(3213',<(,9,-9,1. (&(323.
(2/+=OA29'3'3.-+=/12.--+;(3'+&(4,392(-22--23' 9++D
RXVW[
- .1,4.-91(3=
-D XY
Requirement 3: Protect stored cardholder data
F:H.9,-3-(,/+,-3/1.9123./1.33*=2923.29123.11'.+13&(-23
(2+.291-,(292
F:I9++=.9,-3-(,/+,-3++*=I,-&,-3/1.222-/1.912 .11=/3.&1/'(*=2
92 .1-1=/4.-. 1'.+13D
/%*'/+"&/+,*3+,&*+'*#3%& %&,*0"$$*'%0*"'/+*+'/*+"&$/"&
5
1!"!&'/&,!.(699+*7&"+,7 '07
RXVW[
- .1,4.-91(3=
-D XZ
Requirement 4: Encrypt transmission of cardholder data
across open, public networks
G:E:12-9-/1.332=-I921,22&(-&3'-.+.&(2N .1<,/+AI,(+A(-23-3
,22&(-&A'3A3DOD
[DW/+.=-4I:(1922.%;1.-++2=23,2.,,.-+=!3=,+((.922.%;1N/149+1+=/12.-+
.,/9312-21:12OD
[DWDW-2913'3-4I:(192/1.&1,21/+. 34-&A1,.:(-&A-/1.34-&&(-23++*-.;-
3=/2. ,+((.922.%;1D
[DWDX.12=23,2.-2(13.-.3.,,.-+=!3=,+((.922.%;1A/1 .1,/1(.(
:+94.-23.(-4 =-:+93:.+:(-&,+;13'132(-.113..-"1,;'3'129'2=23,2
.-4-93.-.3109(1-4I:(1922.%;1D
[DX-2913'3++-4I:(192,'-(2,21,(-3(-2 .++.;2C
1*/3911-3A
1 .1,/1(.(2-2
-139(3+.&2;'('113(-/1
09(1,-3WVD]D
RXVW[
- .1,4.-91(3=
-D X[
Requirement 5: Protect all systems against malware and regularly update
anti-virus software or programs
[DY-2913'3-4I:(192,'-(2,214:+=19--(-&---.3(2+.1+31=9212A9-+22
2/("++=93'.1(>=,-&,-3.-2I=I22(2 .1+(,(34,/1(.D
.3C-4I:(1922.+94.-2,=3,/.11(+=(2+.-+=( 3'1(2+&(4,33'-(+-A293'.1(>
=,-&,-3.-2I=I22(2D
-4I:(192/1.34.--23.(2+ .12/("/91/.2A(3
,923 .1,++=93'.1(>D(4.-+291(3=,2912,=+2.-3.(,/+,-3 .13'/1(.
. 4,91(-&;'('-4I:(192/1.34.-(2-.34:D
[DZ-2913'3291(3=/.+((2-./14.-+/1.912 .1/1.34-&2=23,2&(-23,+;11
.9,-3A(-92A-*-.;-3.++!3/142D
.3C(2*1-*(-&22'.9+2.-(-9231=23/1422;++2.-2(14.-. /.3-4+(,/3D.1<,/+A
1(31( .11-*(-&:9+-1(+(42,=(-+9.-2(14.-. 3'22.1A-H.13'+22("4.-=3'
:-.1A-H.13=/. 2=23,2!3D
3'.2 .1:+94-&:9+-1(+(42-22(&-(-&1(2*14-&2;(++:1=2.--.1&-(>4.-E2-:(1.-,-3-1(2*I
2222,-32313&=D(2*1-*(-&22'.9+A3,(-(,9,A(-4 =++:9+-1(+(42.-2(13.F'(&'1(2*G3.3'
-:(1.-,-3D
-(4.-3.3'1(2*1-*(-&A:9+-1(+(42,=.-2(1F1(4+G( 3'=/.2-(,,(--33'133.
3'-:(1.-,-3A(,/31(4+2=23,2A-H.1;.9+129+3(-/.3-4+.,/1.,(2( -.3122D<,/+2.
1(4+2=23,2,=(-+9291(3=2=23,2A/9+(I (-&:(2-2=23,2A322A-.3'12=23,23'323.1A
/1.22A.131-2,(31'.+13D
RXVW[
- .1,4.-91(3=
-D X\
Requirement 6: Develop and maintain secure systems and applications
\DX-2913'3++2=23,.,/.--32-2.%;11/1.33 1.,*-.;-:9+-1(+(42=(-23++(-&//+(+
:-.1I29//+(291(3=/3'2D
-23++1(4+291(3=/3'2;(3'(-.-,.-3'. 1+2D
.3C1(4+291(3=/3'22'.9+(-4".1(-&3.3'1(2*1-*(-&/1.22"-(-09(1,-3\DWD
I:F:+./(-31-+-<31-+2.%;1//+(4.-2N(-+9(-&;I2,(-(2314:223.//+(4.-2O
291+=A2 .++.;2C
-.1-;(3'
N .1<,/+A29193'-44.--+.&&(-&O
2.-(-9231=23-12-H.123/142D
-.1/.14-&(- .1,4.-291(3=3'1.9&'.933'2.%;1I:+./,-3+( =+
6!"+(($"+,'$$+'1*0$'("&,*&$$3+1$$++('#'*/+,'%+'1*0$'(3,!"*(*,37
I:G.++.;'-&.-31.+/1.222-/1.912 .1++'-&23.2=23,.,/.--32D'/1.222,923(-+9
3' .++.;(-&C
I:G:D/13:+./,-3H323-:(1.-,-32 1.,/1.94.--:(1.-,-32A-- .13'2/14.-;(3'22
.-31.+2D
I:G:E/14.-. 9423;-:+./,-3H323-/1.94.--:(1.-,-32
I:G:F1.94.-3N+(:2O1-.392 .1324-&.1:+./,-3
I:G:G,.:+. 3233-.9-32 .1/1.94.-2=23,2.,4:
I:G:H'-&.-31.+/1.912 .13'(,/+,-34.-. 291(3=/3'2-2.%;1,.("4.-2,923(-+93'
.++.;(-&C
I:G:H:D.9,-34.-. (,/3D
I:G:H:E.9,-3'-&//1.:+=93'.1(>/142D
I:G:H:F9-4.-+(3=324-&3.:1( =3'33''-&.2-.3:12+=(,/33'291(3=. 3'2=23,D
I:G:H:G*I.93/1.912D
RXVW[
- .1,4.-91(3=
-D X]
Requirement 6: Develop and maintain secure systems and applications
I:H
122.,,.-.(-&:9+-1(+(42(-2.%;1I:+./,-3/1.2222 .++.;2C
1(-:+./12(-291.(-&3'-(092A(-+9(-&'.;3.:.(.,,.-.(-&:9+-1(+(42A-
9-123-(-&'.;2-2(4:3(2'-+(-,,.1=D
:+.///+(4.-22.-291.(-&&9(+(-2D
!0/$&*"$"-+$"+,,B7A7>,!*'/ !B7A7>=1*/**&,1",!"&/+,*3+,(*-+1!&,!"+0*+"'&'
1+(/$"+!7'10*5+"&/+,*3+,(*-+'*0/$&*"$",3%& %&,*/(,;'*2%($5,!
/"5
'(?A5/*'"& 5,7<5,!/**&,+,(*-+%/+,/+'*,!+
*)/"*%&,+7
I:H:D
-)4.-$;2A/149+1+=(-)4.-D+2..-2(1.,,-
-)4.-A-3'(-)4.-$;22;++2
.3'1(-)4.-$;2D
I:H:E9!1.:1$.;2
I:H:F
-2911=/3.&1/'(23.1&
I:H:G
-291.,,9-(4.-2
I:H:H
,/1./111.1'-+(-&
I:H:I++F'(&'1(2*G:9+-1(+(42(-4"(-3':9+-1(+(3=(-4"4.-/1.22N2"-(-
09(1,-3\DWOD
I:H:J1.22I2(321(/4-&NO
I:H:K
,/1./122.-31.+N29'2(-291(13.)31 1-2A (+913.1231(322A(13.1=31:12+A-
(+913.1231(3921223. 9-4.-2OD
RXVW[
- .1,4.-91(3=
-D X^
Requirement 6: Develop and maintain secure systems and applications
I:H:L1.22I2(310923 .1&1=NO
I:H:DC1.*-93'-44.--222(.-,-&,-3
)/"*%&,B7A7>="++,(*-/&-$
/&@=5?=>A5*1!"!",'%+*)/"*%&,7
I:I.1/9+(I (-&;//+(4.-2A122-;3'132-:9+-1(+(42.--.-&.(-&2(2--2913'2
//+(4.-21/1.33&(-23*-.;-6*2=(3'1. 3' .++.;(-&,3'.2C
:(;(-&/9+(I (-&;//+(4.-2:(,-9+.193.,3//+(4.-:9+-1(+(3=291(3=2222,-33..+2
.1,3'.2A3+23--9++=-%1-='-&2!"+++++%&,"+&',,!+%+,!0/$&*"$",3
+&+(*'*%'*)/"*%&,>>7?7
-23++(-&-93.,33'-(+2.+94.-3'3332-/1:-32;I26*2N .1<,/+A;I
//+(4.-"1;++O(- 1.-3. /9+(I (-&;//+(4.-2A3..-4-9++='*++31#D
I:J
-2913'3291(3=/.+((2-./14.-+/1.912 .1:+./(-&-,(-3(-(-&2912=23,2-//+(4.-2
1.9,-3A(-92A-*-.;-3.++!3/142D
Recap
WD '313'(!1-3//1.'23.,*9-1+@
XD -319-3-'2'23.13.&3'1@
YD '3(23'</34.-.
1.,91.(-&142@
RXVW[
- .1,4.-91(3=
-D X_
Requirement 7: Restrict access to cardholder data by business need to know
J:D(,(3223.2=23,.,/.--32-1'.+133..-+=3'.2(-(:(9+2;'.2).109(1229'22D
J:D:D"-22-2 .1'1.+A(-+9(-&C
=23,.,/.--32-312.9123'3'1.+-23.22 .13'(1). 9-4.-
J:D:E231(3223./1(:(+&921
23.+23/1(:(+&2-221=3./1 .1,).12/.-2((+(42D
J:D:F22(&-222.-(-(:(9+/12.--+E2).+22("4.-- 9-4.-D
J:D:G09(1.9,-3//1.:+=93'.1(>/1422/( =(-&109(1/1(:(+&2D
J:E23+(2'-22.-31.+2=23, .12=23,2.,/.--323'31231(32222.-921E2-3.*-.;A-(2
233.F-=++G9-+222/("++=++.;D
'(222.-31.+2=23,,923(-+93' .++.;(-&C
J:E:D.:1&. ++2=23,.,/.--32
J:E:F 9+3F-=I++G27-&D
J:F-2913'3291(3=/.+((2-./14.-+/1.912 .11231(4-&223.1'.+131.9,-3A(-
92A-*-.;-3.++!3/142D
RXVW[
- .1,4.-91(3=
-D YV
Requirement 8: Identify and authenticate access to system components
K:D"--(,/+,-3/.+((2-/1.9123.-291/1./1921(-4"4.-,-&,-3 .1-.-I
.-29,19212-,(-(2313.12.-++2=23,.,/.--32
K:E
-(4.-3.22(&-(-&9-(09
A-291/1./1921I93'-44.-,-&,-3 .1-.-I.-29,19212-
,(-(2313.12.-++2=23,.,/.--32=,/+.=(-&3+23.-
. 3' .++.;(-&,3'.23.93'-43++9212C
.,3'(-&=.9*-.;A29'2/22;.1.1/22/'12
.,3'(-&=.9':A29'23.*-:(.12,131
.,3'(-&=.91A29'2(.,31(
K:F
-.1/.133;.I 3.193'-44.- .11,.3-3;.1*22.1(&(-4-& 1.,.932(3'-3;.1*=
/12.--+N(-+9(-&9212-,(-(2313.12O-++3'(1/142AN(-+9(-&:-.122 .129//.13.1
,(-3--OD
K:G.9,-3-.,,9-(393'-44.-/1.912-/.+((23.++9212(-+9(-&C
9(-.-2+4-&231.-&93'-44.-1-4+2
9(- .1'.;92122'.9+/1.333'(193'-44.-1-4+2
-23194.-2-.33.192/1:(.92+=92/22;.12
-23194.-23.'-&/22;.12( 3'1(2-=292/((.-3'/22;.1.9+.,/1.,(2D
K:H.-.392&1.9/A2'1A.1&-1(
2A/22;.12A.1.3'193'-44.-,3'.22 .++.;2C
-1(921
21(2+.11,.:D
'1921
2.-.3<(23 .12=23,,(-(2314.--.3'11(4+ 9-4.-2D
'1-&-1(921
21-.3923.,(-(231-=2=23,.,/.--32D
RXVW[
- .1,4.-91(3=
-D YW
Requirement 8: Identify and authenticate access to system components
K:I'1.3'193'-44.-,'-(2,2192N .1<,/+A/'=2(+.1+.&(+291(3=3.*-2A2,1312A
14"32A3DOA92. 3'2,'-(2,2,92322(&-2 .++.;2C
93'-44.-,'-(2,2,92322(&-3.-(-(:(9+.9-3--.32'1,.-&,9+4/+.9-32D
'=2(+-H.1+.&(+.-31.+2,923(-/+3.-291.-+=3'(-3-.9-3-923'3,'-(2,3.
&(-22D
K:J++223.-=32.-3(-(-&1'.+13N(-+9(-&22=//+(4.-2A,(-(2313.12A-++.3'1
9212O(21231(32 .++.;2C
++921223.A921091(2. A-9214.-2.-32213'1.9&'/1.&1,,4,3'.2D
-+=32,(-(2313.12':3'(+(3=3.(13+=22.1091=322D
//+(4.-
2 .132//+(4.-2-.-+=92=3'//+(4.-2N--.3=(-(:(9+9212.1.3'1-.-I
//+(4.-/1.222OD
K:K-2913'3291(3=/.+((2-./14.-+/1.912 .1(-4"4.--93'-44.-1.9,-3A(-92A
-*-.;-3.++!3/142D
RXVW[
- .1,4.-91(3=
-D YX
Requirement 9: Restrict physical access to cardholder data
L:D2//1./1(3 (+(3=-31=.-31.+23.+(,(3-,.-(3.1/'=2(+223.2=23,2(-3'1'.+13
-:(1.-,-3D
L:E:+.//1.9123.2(+=(24-&9(2'3;-.-2(3/12.--+-:(2(3.12A3.(-+9C
-4 =(-&-;.-2(3/12.--+.1:(2(3.12N .1<,/+A22(&-(-&&2O
'-&23.22109(1,-32
:.*(-&.131,(-4-&.-2(3/12.--+-</(1:(2(3.1(-4"4.-N29'2
&2OD
22,92393'.1(>-2.-(-(:(9+). 9-4.-D
22(21:.*(,,(3+=9/.-31,(-4.-A-++/'=2(+22,'-(2,2A29'2*=2A2212A3DA
11391-.1(2+D
_DZ
,/+,-3/1.9123.(-4 =-93'.1(>:(2(3.12
_D['=2(++=291++,(D
_D^231.=,(;'-(3(2-.+.-&1- .192(-22.1+&+12.-2
_D_1.33:(23'3/391/=,-313:((13/'=2(+(-314.-;(3'3'1 1.,3,/1(-&-2924394.-D
_DWV-2913'3291(3=/.+((2-./14.-+/1.912 .11231(4-&/'=2(+223.1'.+131.9,-3A(-92A-*-.;-
3.++!3/142D
RXVW[
- .1,4.-91(3=
-D YY
Requirement 10: Track and monitor all access to network resources and
cardholder data
DC:D
,/+,-39(331(+23.+(-*++223.2=23,.,/.--323.'(-(:(9+921D
DC:E
,/+,-393.,39(331(+2 .1++2=23,.,/.--323.1.-231933' .++.;(-&:-32C
DC:E:D++(-(:(9+9212223.1'.+13
DC:E:E++4.-23*-=-=(-(:(9+;(3'1..3.1,(-(2314:/1(:(+&2
DC:E:F223.++9(331(+2
DC:E:G
-:+(+.&(+226,/32
DC:EH2. -'-&23.(-4"4.--93'-44.-,'-(2,2K(-+9(-&93-.3+(,(33.14.-. -;
.9-32-+:4.-. /1(:(+&2K-++'-&2A(4.-2A.1+4.-23..9-32;(3'1..3.1,(-(2314:
/1(:(+&2
DC:E:I
-(4+(>4.-A23.//(-&A.1/92(-&. 3'9(3+.&2
DC:E:J14.--+4.-. 2=23,I+:+.)32
Requirement 10: Track and monitor all access to network resources and
cardholder data
RXVW[
- .1,4.-91(3=
-D YZ
Requirement 10: Track and monitor all access to network resources and
cardholder data
DC:H919(331(+22.3'=--.3+31D
DC:H:D(,(3:(;(-&. 9(331(+23.3'.2;(3').I1+3-D
DC:H:E1.339(331(+"+2 1.,9-93'.1(>,.("4.-2D
DC:H:F1.,/3+=*9/9(331(+"+23.-31+(>+.&21:1.1,(3'3(2(#9+33.+31D
DC:H:G1(3+.&2 .1<31-+I (-&3'-.+.&(2.-3.291A-31+(>A(-31-++.&21:1.1,(:(D
DC:H:H2"+I(-3&1(3=,.-(3.1(-&.1'-&I34.-2.%;1.-+.&23.-2913'3<(24-&+.&3--.3
'-&;(3'.93&-14-&+132N+3'.9&'-;3(-&2'.9+-.392-+13OD
Requirement 10: Track and monitor all access to network resources and
cardholder data
RXVW[
- .1,4.-91(3=
-D Y[
Requirement 10: Track and monitor all access to network resources and
cardholder data
DC:K-2913'3291(3=/.+((2-./14.-+/1.912 .1,.-(3.1(-&++223.-3;.1*12.912
-1'.+131.9,-3A(-92A-*-.;-3.++!3/142D
RXVW[
- .1,4.-91(3=
-D Y\
Requirement 11: Regularly test security systems and processes.
DD:D
,/+,-3/1.2223.323 .13'/12-. ;(1+2222/.(-32N^VXDWWOA-33-(-4 =++
93'.1(>-9-93'.1(>;(1+2222/.(-32.-09131+=2(2D
DD:E9-(-31-+-<31-+-3;.1*:9+-1(+(3=2-23+2309131+=-%1-=2(&-("-3'-&(-3'
-3;.1*N29'2-;2=23,.,/.--3(-23++4.-2A'-&2(--3;.1*3./.+.&=A"1;++19+,.("4.-2A
/1.939/&12OD
DD:F
,/+,-3,3'..+.&= .1/-314.-324-&3'3(-+923' .++.;(-&C
22.-(-9231=I/3/-314.-324-&//1.'2N .1<,/+A
^VVIWW[O
-+92.:1& .13'-41/1(,31-1(4+2=23,2
-+92324-& 1.,.3'(-2(-.932(3'-3;.1*
-+92324-&3.:+(3-=2&,-34.--2./I194.-.-31.+2
"-2//+(4.-I+=1/-314.-32323.(-+9A3,(-(,9,A3':9+-1(+(42+(23(-09(1,-3\D[
"-2-3;.1*I+=1/-314.-32323.(-+9.,/.--323'329//.13-3;.1* 9-4.-22;++2./14-&
2=23,2
-+921:(;-.-2(14.-. 3'132-:9+-1(+(42</1(-(-3'+23WX,.-3'2
/("213-4.-. /-314.-324-&129+32-1,(4.-4:(42129+32D
DD:F
,/+,-3,3'..+.&= .1/-314.-324-&3'3(-+923' .++.;(-&C
22.-(-9231=I/3/-314.-324-&//1.'2N .1<,/+A
^VVIWW[O
-+92.:1& .13'-41/1(,31-1(4+2=23,2
-+92324-& 1.,.3'(-2(-.932(3'-3;.1*
-+92324-&3.:+(3-=2&,-34.--2./I194.-.-31.+2
"-2//+(4.-I+=1/-314.-32323.(-+9A3,(-(,9,A3':9+-1(+(42+(23(-09(1,-3\D[
"-2-3;.1*I+=1/-314.-32323.(-+9.,/.--323'329//.13-3;.1* 9-4.-22;++2./14-&
2=23,2
-+921:(;-.-2(14.-. 3'132-:9+-1(+(42</1(-(-3'+23WX,.-3'2
/("213-4.-. /-314.-324-&129+32-1,(4.-4:(42129+32D
RXVW[
- .1,4.-91(3=
-D Y]
Requirement 11: Regularly test security systems and processes.
DD:G2(-3192(.-I34.--H.1(-3192(.-I/1:-4.-3'-(0923.33-H.1/1:-3(-3192(.-2(-3.3'
-3;.1*D
.-(3.1++31#33'/1(,31. 3'1'.+13-:(1.-,-32;++231(4+/.(-32(-3'
1'.+13-:(1.-,-3A-+13/12.--+3.292/3.,/1.,(22D
/++(-3192(.-I34.--/1:-4.--&(-2A2+(-2A-2(&-39129/3.3D
DD:H/+.='-&I34.-,'-(2,N .1<,/+A"+I(-3&1(3=,.-(3.1(-&3..+2O3.+13/12.--+3.
9-93'.1(>,.("4.-. 1(4+2=23,"+2A.-"&914.-"+2A.1.-3-3"+2B-.-"&913'2.%;13.
/1 .1,1(4+"+.,/1(2.-23+23;*+=D
DD:I-2913'3291(3=/.+((2-./14.-+/1.912 .1291(3=,.-(3.1(-&-324-&1.9,-3A(-92A
-*-.;-3.++!3/142D
Recap
WD (1;++(2109(13.1:(;:1=LLLLLLLLLLD
XD LLLLLLLLLLLL(2++.;3.23.1(-
.1+&(4,392(-22109(1,-3D
YD -4:(1922.%;1(2109(13.(,/+,-3(-LLLLLLLLLLLLLLLD
[D <31-+-21109(13..-LLLLLLLLLLLLD
\D +:-3/3'21109(13.(-23++LLLLLLLLLLLD
RXVW[
- .1,4.-91(3=
-D Y^
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:D23+(2'A/9+(2'A,(-3(-A-(22,(-3291(3=/.+(=D
DE:D:D:(;3'291(3=/.+(=3+23--9++=-9/33'/.+(=;'-3'-:(1.-,-3'-&2D
DE:E
,/+,-31(2*I2222,-3/1.223'3C
2/1 .1,3+23--9++=-9/.-2(&-("-3'-&23.3'-:(1.-,-3N .1<,/+A09(2(4.-A,1&1A
1+.4.-A3DOA
-4"21(4+2232A3'132A-:9+-1(+(42A-
29+32(- .1,+1(2*2222,-3D
Requirement 12: Maintain a policy that addresses information security for all
personnel.
-2913'292&/.+((2109(13' .++.;(-&C
DE:F:D</+((3//1.:+=93'.1(>/142
DE:F:E93'-44.- .192. 3'3'-.+.&=
DE:F:F+(23. ++29':(2-/12.--+;(3'22
DE:F:G,3'.3.913+=-1(+=31,(-.;-1A.-33(- .1,4.-A-/91/.2N .1<,/+A++(-&A
.(-&A-H.1(-:-3.1=(-&. :(2O
DE:F:H/3+922. 3'3'-.+.&=
RXVW[
- .1,4.-91(3=
-D Y_
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:F:I/3+-3;.1*+.4.-2 .13'3'-.+.&(2
DE:F:DC.1/12.--+22(-&1'.+13:(1,.3I223'-.+.&(2A/1.'((33'./=(-&A,.:(-&A-
23.1&. 1'.+13.-3.+.+'11(:2-1,.:++31.-(,(A9-+22</+((3+=93'.1(> .1
"-92(-22-D
'13'1(2-93'.1(>92(-22-A3'92&/.+((2,923109(13'3/1.33(-.1-;(3'++
//+(+
09(1,-32D
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:H:D23+(2'A.9,-3A-(231(93291(3=/.+((2-/1.912D
DE:H:F23+(2'A.9,-3A-(231(93291(3=(-(-312/.-2-2+4.-/1.9123.-2914,+=-
!4:'-+(-&. ++2(394.-2D
DE:H:G,(-(231921.9-32A(-+9(-&(4.-2A+4.-2A-,.("4.-2D
DE:H:H .-(3.1-.-31.+++223.3D
DE:I
,/+,-3 .1,+291(3=;1-22/1.&1,3.,*++/12.--+;1. 3'(,/.13-. 1'.+13
291(3=D
RXVW[
- .1,4.-91(3=
-D ZV
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:I:D93/12.--+9/.-'(1-3+23--9++=D
,!'+&0*3(&"& '&,!*'$',!(*+'&&$&,!"*$0$'++,',!*!'$*,7
WXD\DX09(1/12.--+3.*-.;+&3+23--9++=3'33'=':1-9-123..3'291(3=/.+(=-
/1.912D
DE:J1-/.3-4+/12.--+/1(.13.'(13.,(-(,(>3'1(2*. 6*2 1.,(-31-+2.912DN<,/+2.
*&1.9-'*2(-+9/1:(.92,/+.=,-3'(23.1=A1(,(-+1.1A1(3'(23.1=A-1 1-'*2DO
'*,!'+(',&-$(*+'&&$,'!"*'**,"&('+"-'&++/!++,'*+!"*+1!''&$3!0++,''&*
&/%*,-%1!&"$",-& ,*&+-'&5,!"+*)/"*%&,"+*'%%&-'&'&$37
DE:K
(-3(--(,/+,-3/.+((2-/1.9123.,-&21:(/1.:(12;(3';'.,1'.+13(22'1A
.13'3.9+!33'291(3=. 1'.+13A2 .++.;2C
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:K:F-2913'1(2-23+(2'/1.22 .1-&&(-&21:(/1.:(12(-+9(-&/1./19(+(&-/1(.13.
-&&,-3D
DE:K:G
(-3(-/1.&1,3.,.-(3.121:(/1.:(12E
.,/+(-233923+23--9++=D
RXVW[
- .1,4.-91(3=
-D ZW
Requirement 12: Maintain a policy that addresses information security for all
personnel.
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:DC
,/+,-3-(-(-312/.-2/+-D/1/13.12/.-(,,(3+=3.2=23,1'D
DE:DC:D133'(-(-312/.-2/+-3.(,/+,-3(-3':-3. 2=23,1'D-2913'/+-1222
3' .++.;(-&A3,(-(,9,C
.+2A12/.-2((+(42A-.,,9-(4.--.-332313&(2(-3':-3. .,/1.,(2(-+9(-&-.4"4.-.
3'/=,-31-2A3,(-(,9,
/("(-(-312/.-2/1.912
92(-221.:1=-.-4-9(3=/1.912
3*9//1.222
.:1&-12/.-22. ++1(4+2=23,.,/.--32
RXVW[
- .1,4.-91(3=
-D ZX
Requirement 12: Maintain a policy that addresses information security for all
personnel.
DE:DC:E233'/+-3+23--9++=D
DE:DC:F2(&-32/("/12.--+3.:(++.-XZH]2(23.12/.-3.+132D
DE:DC:G1.:(//1./1(331(-(-&3.23!;(3'291(3=1'12/.-212/.-2((+(42D
DE:DC:H
-+9+132 1.,291(3=,.-(3.1(-&2=23,2A(-+9(-&93-.3+(,(33.(-3192(.-I34.-A(-3192(.-I
/1:-4.-A"1;++2A-"+I(-3&1(3=,.-(3.1(-&2=23,2D
DE:DC:I:+.//1.223.,.( =-:.+:3'(-(-312/.-2/+-.1(-&3.+22.-2+1--3.
(-.1/.13(-9231=:+./,-32D
D
31(-(-& .1(2(.-,*12
D
31(-(-& .1:+./12
P<313. 3'
922+-
RXVW[
- .1,4.-91(3=
-D ZY
PCI Success Plan*
]D .-93
(2*2222,-3
_D /2(2922(.--&1,-33;--(-31-+23*'.+12
WWD 1(.(231(-&.,,(6,4-&23.3*(2(.-2
WXD (+23.-1:(;++23.(29223'-(+'++-&2-&1,-3;(3'
P<313. 3'
922+-
THANK YOU
Q
D
RXVW[
- .1,4.-91(3=
-D ZZ