An Introduction to PCI DSS (updated)

by under Getting Started

By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.

(continue reading…)

, , 5 Comments more...

Penetration Testing and PCI DSS

by under Penetration Testing

Penetration TestingPCI DSS Requirement 11.3 specifies that all organizations who store, process or transmit cardholder information must include penetration tests as part of their information security program. These tests are separate and distinct from the vulnerability scans required by section 11.2.

Back in 2008, the PCI DSS Security Standards Council released clarifications to the penetration testing requirements that directly answered some of the most common penetration testing questions. In addition, the release of PCI DSS 2.0 included additional information on these tests. Below, we attempt to address some of the most commonly asked questions about PCI DSS penetration tests.

What must PCI DSS penetration tests include?

The standard requires that penetration tests include two elements: network layer penetration tests and application layer penetration tests. While the composition of the network layer tests is left to the discretion of the tester, the standard specifies that the following elements must be included in the application layer tests:

(continue reading…)

No tags 1 Comment more...

PCI DSS Vulnerability Scanning Requirements

by under Vulnerability Scanning

The Payment Card Industry Data Security Standard (PCI DSS) requires that merchants accepting credit cards conduct regular vulnerability scans of their environment in order to identify potential security flaws. Merchants often have questions about the scanning requirements and we provide the answers to some of the most commonly asked questions below. If you don’t see your question answered, feel free to ask it in the comments section!

What vulnerability scans does PCI DSS require?

PCI DSS requires that merchants perform both internal and external vulnerability scans on a regular basis to ensure that your cardholder data environment meets current security standards. The standard requires two different types of vulnerability scan:

  • External scans should be performed from outside your organization’s network and include all of your external IP addresses. These scans provide you with a view of the vulnerabilities that a hacker might exploit to gain an initial foothold on your network.
  • Internal scans should take place from a sufficient number of locations within your network to assess the security posture of all systems within the cardholder data environment. This provides an internal view of your security and points out flaws that an attacker could exploit after gaining initial access to your network.

(continue reading…)

No tags 6 Comments more...

PCI DSS Requirement 11.1: Wireless Network Scans and Rogue Access Points

by under Wireless

PCI DSS requirement 11.1 mandates the use of wireless scanners in your cardholder environment on at least a quarterly basis to ensure that rogue wireless networks are not present. The text of the requirement reads “Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.”

There are several possible ways that you can meet this requirement in your organization. Here are a few suggestions:

(continue reading…)

No tags 2 Comments more...

PCI DSS Requirement 4.1: Protecting Cardholder Data with SSL and TLS

by under Encryption, Web Security

PCI DSS requirement 4.1 requires the use of secure sockets layer (SSL) or other strong cryptography to protect cardholder data while in transit over public networks. Specifically, the standard requires that:

”Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.”

In this article, we take a look at what this means for you as a PCI DSS professional.  We begin with an overview of how the Secure Sockets Layer (SSL) works, define an “open, public network” and then explore what you need to do to validate your PCI DSS compliance in this area.

(continue reading…)

, , 10 Comments more...

  • PCI Compliance Guide

  • Free PCI DSS Newsletter

  • Search

  • Categories

    • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.