
Video guide: PCI DSS and the 12 Requirements


Diana Kelley and Ed Moyle, co-founders of the consultancy Security Curve, know a thing or two about compliance with the Payment Card Industry Data Security Standard. In this series of instructional videos, Ed and Diana step through each of the 12 PCI compliance requirements, review common questions that they hear when doing assessments, then finally address possible compensating controls that can be used if you cannot meet a given requirement.

Use the links below to jump directly to information on specific PCI compliance requirements:


PCI REQUIREMENT 1: FIREWALLS  


The requirement calls for "stateful inspection" devices separating the Internet from the cardholder data environment. Documentation is also necessary to illustrate how the firewalls are deployed and maintained. But do you need a firewall for every store? And what about the use of routers?

Watch the Requirement 1 video


PCI REQUIREMENT 2: DEFAULTS  


To meet PCI Requirement 2, you'll need to document a secure configuration standard: change vendor-supplied default passwords and remove unnecessary services and accounts. Security features such as encryption for non-console administrative access will also need to be enabled. Diana Kelley and Ed Moyle review common questions and gotchas, including what to do with hosting providers.

Watch the Requirement 2 video


PCI REQUIREMENT 3: PROTECT DATA  


Simple enough, right? Not necessarily, especially with the infamous sub-requirement 3.4, which requires that stored primary account numbers (PANs) be rendered unreadable (by truncation, one-way hashing, index tokens or strong encryption). In this section, learn when to use encryption on cardholder data and why sensitive authentication data (full track data, card verification codes, PINs) must not be stored after authorization.

Watch the Requirement 3 video
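The following is an added illustration of what sub-requirements 3.2, 3.3 and 3.4 mean in code; it is not from the video or from the page's authors. It masks a PAN for display (first six and last four), truncates and tokenizes it for storage, strips sensitive authentication data from a post-authorization record, and scrubs PANs out of a log line. The HMAC key, the field names and the sample record and log line are this example's own assumptions; the card numbers are the publicly documented test numbers, not real accounts.

```python
import hashlib
import hmac
import re

# Hypothetical deployment secret for the keyed hash. Assumption for this example
# only: in practice it lives in a key-management system, never in source.
LOOKUP_KEY = b"example-only-not-a-real-key"

# Constructed sample PANs: the publicly documented test numbers, not real accounts.
VISA_TEST = "4111111111111111"
MC_TEST = "5500000000000004"
AMEX_TEST = "378282246310005"

# Sensitive authentication data that Requirement 3.2 says must never be stored
# after authorization (the field names are this example's own assumption).
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Any run of 13 to 19 digits is a PAN candidate; the Luhn check filters the rest.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to tell PANs from other long numbers (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


def mask_pan(pan: str) -> str:
    """Display masking (3.3): first six and last four digits are the most that may be shown."""
    if not is_pan(pan):
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage truncation (3.4): keep only the last four digits."""
    if not is_pan(pan):
        raise ValueError("not a PAN")
    return pan[-4:]


def pan_token(pan: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed one-way hash (3.4) so records can be matched by PAN without storing it.
    An unkeyed SHA-256 of a 16-digit number is brute-forceable, hence HMAC with a secret."""
    if not is_pan(pan):
        raise ValueError("not a PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storable_record(auth_record: dict) -> dict:
    """Turn a post-authorization record into one that may be kept: sensitive
    authentication data is dropped (3.2), the PAN is replaced by its truncated
    and tokenized forms (3.4), and everything else passes through."""
    kept = {k: v for k, v in auth_record.items()
            if k not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    pan = auth_record["pan"]
    kept["pan_last4"] = truncate_pan(pan)
    kept["pan_token"] = pan_token(pan)
    return kept


def scrub_line(line: str) -> str:
    """Mask Luhn-valid PANs in free text: 3.4 applies to logs and debug output too."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), line)


if __name__ == "__main__":
    # Constructed authorization record and log line for demonstration.
    auth = {"pan": VISA_TEST, "expiry": "1211", "cvv2": "123",
            "track2": "constructed-track-data", "amount": "19.99"}
    print(storable_record(auth))
    print(scrub_line("2009-06-01 auth ok pan=4111111111111111 order=1234567890123"))
```

The Luhn filter matters in `scrub_line`: the 13-digit order number in the sample line is left alone, while the card number is masked. Note that a keyed hash is a lookup aid, not a substitute for encryption where the full PAN must be recoverable; in that case 3.4's strong-cryptography option and the key-management controls of 3.5 and 3.6 apply.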


PCI REQUIREMENT 4: ENCRYPT TRANSMISSIONS  


When primary account numbers travel over the Internet or another open, public network, that data must be encrypted with strong cryptography. But what about WEP, which PCI DSS 1.2 no longer permits for new wireless implementations? Diana Kelley explains why it's usually easier to rely on TLS or IPsec.

Watch the Requirement 4 video


PCI REQUIREMENT 5: ANTIVIRUS  


You probably have this requirement taken care of. It's certainly important to scan for malware and viruses (and don't forget about spyware, too!). But what about antivirus for UNIX and mainframes? What about HIPS or POS systems? In this section, the PCI duo explain what kinds of tools and technologies will help you pass Requirement 5.

Watch the Requirement 5 video


PCI REQUIREMENT 6: SYSTEMS AND APPLICATIONS  


What exactly does it mean to "develop and maintain secure systems and applications"? Make sure that you develop and test applications using secure coding techniques. It's also critical to have patch-management processes so that systems are protected against known vulnerabilities. Also, public-facing Web applications now require either regular application vulnerability assessment (such as code review) or a Web application firewall (sub-requirement 6.6). But which is best?

Watch the Requirement 6 video


PCI REQUIREMENT 7: RESTRICT ACCESS  


This requirement is actually fairly intuitive. The important task is to have documented processes and policies in place that can prove that you've limited who has access to cardholder data. But do you need an automated access control system? Ed Moyle and Diana Kelley point out the main reason why organizations may not meet Requirement 7.

Watch the Requirement 7 video


PCI REQUIREMENT 8: UNIQUE IDs  


In a nutshell, Requirement 8 calls for a unique ID for anyone and everyone who has access to cardholder data, so that actions can be traced to an individual. In this section, the PCI experts review a common challenge: two-factor authentication for remote administrative access.

Watch the Requirement 8 video


PCI REQUIREMENT 9: PHYSICAL ACCESS  


For Requirement 9, basic physical controls are required for the facilities that process or store cardholder data. Does that mean cameras are required? Are retail locations exempt? Ed Moyle and Diana Kelley review common pitfalls, especially when company cultures are resistant to badges.

Watch the Requirement 9 video


PCI REQUIREMENT 10: AUDITING  


Don't panic. Although the requirement calls for the tracking and monitoring of all access to network resources and cardholder data, the main objective is to maintain system logs and have procedures that review and retain them. So does that mean you have to review the logs every day? Or do you need a log aggregator or correlation engine? Find out.

Watch the Requirement 10 video


PCI REQUIREMENT 11: TESTING  


PCI Requirement 11 is a popular one, according to Diana Kelley. This part of the standard requires quarterly wireless scans, quarterly internal and external vulnerability scans, and annual penetration tests (repeated after significant changes). Diana Kelley explains whether file-integrity monitoring tools such as Tripwire will help you meet Requirement 11. Also: do you know what happens if you miss a required test?

Watch the Requirement 11 video


PCI REQUIREMENT 12: POLICY  


Last but not least, it's important that you author and maintain a body of policy documentation describing how you address the Data Security Standard requirements. One common question that comes up when maintaining an information security policy: How should new hires be screened? You may have a lot of documentation already, but there's a good chance that you don't have all that you need.

Watch the Requirement 12 video

Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.

Ed Moyle is currently a manager with CTG's information security solutions practice, providing strategy, consulting and solutions to clients worldwide, as well as a founding partner of Security Curve. Ed was previously Vice President and Information Security Officer for Merrill Lynch Investment Managers (MLIM), where he was responsible for coordinating all aspects of information security within the business unit. Ed is co-author of "Cryptographic Libraries for Developers" and a frequent contributor to the information security industry as author, public speaker and analyst.


This was first published in June 2009
