Training Course: Understanding PCI-DSS

Description

The PCI DSS is designed to protect credit card users from the unwanted exposure of cardholder data and other sensitive information. It defines mandatory and recommended controls for organizations that store, process, or transmit cardholder data or related sensitive data. This course explains the PCI DSS requirements in the context of the larger framework of IT security and helps organizations understand the motivation behind each requirement. Strategies for successfully implementing each requirement are also examined.

Audience

Managers and staff of entities that must be PCI DSS compliant.

Duration

1 Day

Objectives

  • Understand the purpose and motivation for the PCI DSS
  • Clearly understand who must comply with PCI DSS
  • Be familiar with the terms and vocabulary of PCI DSS
  • Understand the Assessment Process
  • Be familiar with analyzing the Scope of an Assessment
  • Be familiar with the content of a Report on Compliance (RoC)
  • Understand PCI DSS compliance
  • Be familiar with all PCI DSS Requirements
  • Understand how to engage a PCI DSS Qualified Security Assessor

Setup

  • None

Text

  • Course Workbook

Prerequisites

  • None

Outline

Topic 1: Introduction

  • Welcome
  • Motivation
  • Objectives
  • Terms and Concepts
  • PCI DSS Applicability
  • PCI DSS Compliance
  • Course Overview
  • PCI DSS Requirements Overview

Topic 2: IT Security Concepts and Terms

  • Malware
  • Vulnerabilities, Threats, and Attacks
  • Vulnerabilities and Threats
  • Countermeasures
  • Policies and Procedures
  • Risks and Risk Management
  • Risk Analysis and Mitigation
  • Defense in Depth
  • Security Domains
  • Security vs. Convenience
  • Security Goals
  • Security Resources
  • Quiz

Topic 3: PCI DSS Requirements

Network Security

  • Requirement 1: Install and Maintain a Firewall Configuration…
  • Firewall Configuration and Management
  • Requirement 2: Do Not Use Vendor-supplied Defaults…
  • Password and Configuration Management

Protecting Cardholder Data

  • Requirement 3: Protecting Stored Cardholder Data
  • Information Classification and Handling
  • Storage and Encryption
  • Requirement 4: Encrypt Transmission of Cardholder Data…
  • Information Classification and Handling
  • Encrypting Data in Motion

Maintain a Vulnerability Management Program

  • Requirement 5: Use and Regularly Update Anti-virus Software…
  • Anti-Virus Solutions
  • Platform and Application Security
  • Requirement 6: Develop and Maintain Secure Systems and Applications
  • Patch Management
  • Risk and Threat Management
  • Platform and Application Security
  • Change Management

Implement Strong Access Control Measures

  • Requirement 7: Restrict Access to Cardholder Data…
  • Roles and Responsibilities
  • Least Privilege and Permissions Management
  • Access Control Mechanism(s)
  • Requirement 8: Assign a Unique ID to each Person…
  • Account Management
  • Authentication
  • Password Policies
  • Requirement 9: Restrict Physical Access to Cardholder Data
  • Physical Security
  • Monitoring and Logging
  • Information Classification and Handling
  • Information Disposal and Destruction

Regularly Monitor and Test Networks

  • Requirement 10: Track and Monitor All Access to Network Resources…
  • Monitoring and Logging
  • Requirement 11: Regularly Test Security Systems and Processes
  • Testing
  • Penetration Testing
  • Intrusion Detection / Prevention Systems

Maintain an Information Security Policy

  • Requirement 12: Maintain a Policy That Addresses Information Security…
  • Policies and Procedures
  • Roles and Responsibilities
  • Vendor Management
  • Incident Response
  • Quiz

Topic 4: The PCI DSS Assessment Process

  • Qualified Security Assessors (QSA)
  • Engaging a QSA
  • Determination of Scope
    • Determining Scope
    • Network Segmentation
    • Wireless Access Points
    • Third Party Solutions
  • Sampling of Facilities and Systems
  • Compensating Controls
  • Maintaining Compliance

Topic 5: The Report on Compliance (RoC)

  • Purpose and Use
  • Report Content
    • Executive Summary
    • Scope of Work and Approach Taken
    • Details of Reviewed Environment
    • Contact Information and Report Date
    • Quarterly Scan Results
    • Findings and Observations

Appendix: Quiz Answers

Appendix: Additional Resources