jspωiki
Payment Card Industry Data Security Standard
Your trail: 

Overview#

Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded Payment Cards from the Payment Card Industry members.

Payment Card Industry Data Security Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council.

Payment Card Industry Data Security Standard was created to increase controls around Cardholder Data to reduce credit card fraud.

Validation of compliance is performed periodically, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

Payment Card Industry Data Security Standard Requirements#

Payment Card Industry Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called "control objectives".

Each version of Payment Card Industry Data Security Standard has divided these twelve requirements into a number of sub-requirements differently, but the twelve high-level requirements have not changed since the inception of the standard.

Control objectives PCI DSS requirements#

Build and Maintain a Secure Network and Systems#

Maintain a Vulnerability Management Program#

  • 5. Protect all systems against malware and regularly update antivirus software or programs
  • 6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures#

Regularly Monitor and Test Networks#

Maintain an Information security Policy#

Many Versions#

"Secure Version of TLS"#

"Secure Version of TLS" is used in several of their documents which has been clarified "as defined by NIST.SP.800-52"

Multi-Factor Authentication[2]#

Payment Card Industry Data Security Standard requirement 8.3, requires the use of Multi-Factor Authentication for all remote network access that originates from outside the network to a Cardholder Data Environment (CDE).

Beginning with PCI-DSS version 3.2, the use of Multi-Factor Authentication is also required for all administrative access to the Card Data Environment (CDE), even if the user is within a trusted network.

Some clarification on Payment Card Industry Data Security Standard and Multi-Factor Authentication

Troy Leach, Payment Card Industry Data Security Standard's Chief Technology Officer clarifies this further by stating,[3] 

[A] significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity 
and grant access to sensitive information, even if they are within a trusted network…
The most important point is that the change to the requirement is intended for all administrative access into the cardholder data environment, even from within a company’s own network. 
This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.

More Information#

There might be more information for this subject on one of the following:
This page (revision-20) was last changed on 01-Jun-2018 11:20 by jim Top

Main page
About
Recent Changes
Tools Page

Lead Pages#

WikiEtiquette
Find pages
Unused pages
Undefined pages
Page Index
News


Site Maintained By -jim

Costs of Wiki

Donations#

If you like Ldapwiki, please consider a donation.

Donation for LDAPWiki


Active Sessions39
Uptime5d, 15h 24m 9s
Number of pages16334

JSPWiki v2.10.1
jspωiki
Please see our Copyright And Intellectual Property Page and Standard Disclaimer Pages!
JSPWiki v2.10.1