- It was introduced in 2004 by American Express,Discover,MasterCard, and Visa in response to security breaches and financial losses within the credit card industry.
- Since 2006 the standard has been financial losses maintained by the PCI standards council , a "global organization,(IT) maintains,evolves and promotes payment card industry standards for the safety of cardholder data across the globe.
- Now comprised of American Express,discover,JCB International,MasterCard, Visa Inc.
- Applies to all entities that store,process and/or transmit cardholder data.
- Covers technical and operational practices for system components included in or connected to environments with cardholder data.
- PCI DSS 3.2 includes a total of 264 requirements grouped under 12 main requirements.
Goals and Requirements
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement string Access control Measures.
- Regularly monitor and Test networks.
- Maintain an information security policy.
Scope
The Cardholder Data Environment (CDE):people,process and technology that store,process or transmit cardholder data or sensitive authentication data.
Cardholder Data:
- Primary Account Number (PAN)
- PAN + Cardholder Name + service code
Sensitive Authentication Data
Security-related information used to authenticate cardholders /authorize payment card transactions.
Determining Scope
1.People
- Compliance Personnel
- Human Resources
- IT personnel
- Developers
- System Admin and Architects
- Network Administrators
- Security Personnel
2.Process
- IT Governance
- Audit Logging
- File Integrity Monitoring
- Access Management
- Patching
- Network Device Management
- Security Assessment
- Anti-virus
3.Technology
- Internal Network Segmentation
- Cloud application platform container
- Virtual LAN.
PCI Requirement
- Approved Scanning Vendor (ASV) scans (quarterly,external,third party)
- Use PCI scan policy in Nessus for internal vulnerabilities scans.
- File Integrity Monitoring (FIM)
- Firewall review frequency every 6 months.
- Automated logoff of idle session after 15 minutes.
- Responsibility Matrix.
CIS(Center for Internet Security) Critical Security Control
- The CIS controls are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
- The CIS controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices.
- The experts who develop the CIS controls come from a wide range of sectors including retail,manufacturing,healthcare,education,government,defense and others.
CIS controls 7.1 Implementation groups
- Implementation Group3: A mature organization with significant resources and cybersecurity experience to allocate to sub-controls.
- Implementation Group2: An organization with moderate resources and cybersecurity expertise to implement sub-controls.
- Implementation Group1:An organization with limited resources and cybersecurity expertise available to implement sub-controls.
Client system administration and cybersecurity
- Cloud and mobile computing.
- New Devices,new applications and new services.
- Endpoint devices are the front lines of attack.
Common type of endpoint attack
- Spear phishing: An email imitating a trusted source designed to target a specific person or department.
- Water Hole: Malware placed on a site frequently visited by an employee or group of employees.
- Ad Network Attacks:Using Ad networks to place malware on a mahine through Ad software.
- Island Hopping:Supply chain infiltration.