Implementation Workshop on the Payment Card Industry Data Security Standard (PCI-DSS), Bangalore, India, Feb 1-2, 2008
December 2007 by Frédéric Donnette, Global Security Mag
SISA announces the "Implementation Workshop on the Payment Card Industry Data Security Standard (PCI-DSS)". The workshop will help participants understand the requirements of PCI DSS and learn how to implement them through interactive case studies.
The course is highly participative and follows a tried and tested format that alternates lecture sessions with practical exercises in breakout groups. The subject areas are:
PCI-DSS Background and Consequences of non-compliance
Scoping and Overview of 12 Requirements
Case study and detailed discussion of each requirement
The PCI DSS framework is divided into 12 security requirements (Visa refers to them as the "Digital Dozen"), organized in six categories as follows:
1) Build and maintain a secure network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
2) Protect cardholder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
3) Maintain a vulnerability management program
Requirement 5: Use and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
4) Implement strong access control measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
5) Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
6) Maintain an information security policy
Requirement 12: Maintain a policy that addresses information security for employees and contractors
• Closing discussion (sharing of experiences and information)
• Each main topic is presented as a lecture session followed by an exercise to ensure full understanding and consolidate the key learning points. Participants are encouraged to try out the implementation of PCI DSS requirements in the classroom environment.
The Payment Card Industry Data Security Standard (PCI-DSS) is a compliance initiative of the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is a body formed by the major payment brands, namely MasterCard, Visa, American Express, Discover and JCB, that publishes security standards for service providers (such as third-party processors, software development companies and business process outsourcers) and merchants (including e-commerce businesses) that handle credit card information. Compliance is validated through on-site assessments by a Qualified Security Assessor, self-assessment questionnaires, and quarterly external network vulnerability scans by an Approved Scanning Vendor; which of these apply to a given organization depends on its merchant or service-provider level, which is determined largely by transaction volume. The workshop will provide an overview of the standard, who it applies to, and what organizations are doing to comply with each component of it.
As credit card fraud has increased, the payment brands have recognized the need to enforce consistent, well-established standards. The number of phishing attempts recorded by CERTs around the world has risen dramatically, and many banks and supporting organizations such as web hosting companies and transaction processors have been victims, creating pressure for immediate adoption of good practices in processing and storing credit card information.
Under PCI-DSS, all merchants, service providers, banks, web hosting companies and transaction processors that process, store, transmit or switch cardholder data must comply with the standard. If an organization fails to comply, the payment brands can impose fines and other sanctions. If a fraud is perpetrated through one of these organizations, the payment brands will hold it (for example a merchant or hosting company) liable for penalties and legal action, in addition to the severe reputational damage. The PCI Data Security Standard consists of twelve basic requirements supported by more detailed sub-requirements.
SISA Information Security (P) Ltd. is a PCI SSC Qualified Security Assessor that has pioneered a structured approach to PCI assessments and conducts public training workshops in India, Taiwan, Singapore and Malaysia. As a QSA, SISA assesses organizations and validates their PCI-DSS compliance. SISA Institute, the dedicated training arm of SISA Information Security (P) Ltd., conducts workshops on OCTAVE, ISO 27001, BCM, HIPAA and PCI DSS. For more on SISA, see www.sisa.in