PCI Compliance Technical Overview

Upload: janice-casey

Post on 30-Dec-2015


Page 1: PCI Compliance Technical Overview. RM PCI Calendar Dec 2005: Began PCI 15.1 development Feb 2006: Initial PCI Audit Sept 2006: Official 15.1 PCI Release

PCI Compliance Technical Overview

Page 2

RM PCI Calendar

Dec 2005: Began PCI 15.1 development

Feb 2006: Initial PCI Audit

Sept 2006: Official 15.1 PCI Release

Sept 2006: Validation Report sent to VISA

Jan 2007: VISA approves certification

Page 3

Card Data Compromises

40% of all compromises involve a restaurant.

Top 5 compromises:
Full track data retention
Default accounts
Insecure remote access
Non-use of security tools (antivirus, encryption)
SQL injection

Page 4

Terms and Definitions

PCI DSS: Payment Card Industry Data Security Standard
PABP: Payment Application Best Practices

RM is a validated payment application that meets the PCI PABP.

So what is “PCI Compliance”? Hint: It’s not simply installing RM 15.1.

Page 5

The PCI Compliant Site

Restaurant must use a PCI PABP validated POS application, properly configured, implementing proper procedures, and installed following all site-specific PCI guidelines and rules.

That’s 4 areas needing attention:
Use PABP validated applications
Proper configuration
Proper procedures
Follow site guidelines

Page 6

1. Use PABP validated applications

Use RM 15.1 (final release Sept 2006 or later)
Use certified credit card processing gateways (e.g. Mercury Payment Systems, PC Charge, Datacap)

Page 7

2. Proper Configuration

Follow ASI PCI configuration guidelines:
RM and Reseller PCI Guidance Doc
Logging, Audit Trail
Admin Password Expiration

Page 8

3. Proper Procedures

Enforcing limited access to RM Server machine.
Internet use from Server machine
Remote access (allowed only during incident)
No emailing of card data

Page 9

4. Site Guidelines

Secure RM Server (credit card server):
Physical access
Logical access (open ports)
Firewalled Network

Remote Access:
2-factor authentication (VPN + PCAnywhere passwords)

And Wireless …

Page 10

4. Site Guidelines (WiFi)

Enable WPA with key rotation
Change SSID from default
Turn off SSID broadcast
Implement MAC address filtering
Install firewall services between APs and RM Server

Port/Service Restrictions
Only: TCP 80, DNS 53, ICMP
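An added example (not part of the original slides) that turns the port/service restriction above into a detection check: the Python below parses constructed netfilter-style LOG lines and reports any flow from the WiFi access-point segment to the RM Server that is not TCP 80, DNS 53 or ICMP. The log format, the server address 192.168.1.10 and the AP segment 192.168.2.0/24 are assumptions.

```python
import re
import ipaddress

# Allow-list from the slide: only TCP 80, DNS 53 and ICMP may cross from the
# access-point segment to the RM Server. DNS is allowed on both transports.
ALLOWED = {("TCP", 80), ("UDP", 53), ("TCP", 53), ("ICMP", None)}
RM_SERVER = ipaddress.ip_address("192.168.1.10")      # hypothetical address
AP_SEGMENT = ipaddress.ip_network("192.168.2.0/24")   # hypothetical WiFi segment
_FIELD = re.compile(r"(\w+)=(\S*)")

def parse_flow(line):
    """Turn one netfilter-style LOG line into a dict of its KEY=VALUE fields."""
    return dict(_FIELD.findall(line))

def flow_violates(fields):
    """True if the flow goes AP segment -> RM Server on something not allowed."""
    try:
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
    except (KeyError, ValueError):
        return False  # not a flow record (or malformed): nothing to judge
    if src not in AP_SEGMENT or dst != RM_SERVER:
        return False  # the slide's rule governs only the AP -> RM Server path
    proto = fields.get("PROTO", "").upper()
    dport = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    return (proto, None if proto == "ICMP" else dport) not in ALLOWED

def find_violations(lines):
    """Return (src, proto, dport) for every flow the policy forbids."""
    hits = []
    for line in lines:
        f = parse_flow(line)
        if flow_violates(f):
            hits.append((f["SRC"], f.get("PROTO", "?").upper(), f.get("DPT")))
    return hits

# Constructed sample lines in the netfilter LOG field style (not real traffic).
SAMPLE_LOG = [
    "kernel: AP-FW IN=wlan0 OUT=eth0 SRC=192.168.2.25 DST=192.168.1.10 PROTO=TCP SPT=50112 DPT=80",
    "kernel: AP-FW IN=wlan0 OUT=eth0 SRC=192.168.2.25 DST=192.168.1.10 PROTO=UDP SPT=50113 DPT=53",
    "kernel: AP-FW IN=wlan0 OUT=eth0 SRC=192.168.2.25 DST=192.168.1.10 PROTO=ICMP TYPE=8 CODE=0",
    "kernel: AP-FW IN=wlan0 OUT=eth0 SRC=192.168.2.31 DST=192.168.1.10 PROTO=TCP SPT=50114 DPT=5631",
    "kernel: AP-FW IN=wlan0 OUT=eth0 SRC=192.168.2.31 DST=192.168.1.10 PROTO=TCP SPT=50115 DPT=1433",
    "kernel: AP-FW IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP SPT=50116 DPT=445",
]

if __name__ == "__main__":
    for src, proto, dport in find_violations(SAMPLE_LOG):
        print(f"policy violation: {src} -> RM Server {proto}/{dport}")
```

The last sample line is deliberately outside the AP segment, so it is not reported: the check scopes itself to the one path the slide restricts.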

Page 13

Network w/ WiFi

(Network diagram; labels recoverable from the slide: Internet, Symbol WS2000)

Page 14

Thank you

Questions?