My notes on the first three requirements. These were run through pretty quickly.
This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council
Req 1 - Firewall definitions
Need to establish firewall and router standards
Install firewalls on any mobile or employee-owned computers that connect through the internet (use personal firewall software)
Restrict/prohibit access from public and untrusted networks.
Allow only intended services
Dilbert on firewalls (Not from the seminar)
Req 2 - No default passwords
This was continually reinforced throughout the entire seminar. This is "low hanging fruit" for a hacker: usually a Google search will produce the default passwords.
Encrypt all non-console administrative access
Don't share your password (Not from the seminar)
Dilbert on forgotten passwords (Not from seminar)
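As an added example that is not from the seminar, here is a small audit script for the two Req 2 items above: it flags accounts still on a vendor default password and management access that is not encrypted. The inventory, the default-password list, the toy salted hash scheme and the hostnames/addresses are all constructed assumptions for the demo, not anything from a real device.

```python
# Added example: audit an inventory for two Req 2 items.
# - accounts still using a vendor default password
# - administrative (non-console) access over a plaintext protocol
# The hash scheme (sha256 over salt + password), the default list and the
# sample inventory are constructed assumptions for this demo.
import hashlib
from urllib.parse import urlsplit

# Constructed list of widely published vendor defaults (placeholders).
KNOWN_DEFAULTS = ["admin", "password", "changeme", "1234"]

# Management schemes considered encrypted; anything else is non-compliant.
ENCRYPTED_SCHEMES = {"https", "ssh"}


def hash_password(salt: str, password: str) -> str:
    """Toy salted hash standing in for whatever the device stores (assumption)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def uses_default_password(salt: str, stored_hash: str, defaults=KNOWN_DEFAULTS) -> bool:
    """True if the stored hash equals any known default hashed under the same salt.
    This lets an audit run without ever recovering the real password."""
    return any(hash_password(salt, d) == stored_hash for d in defaults)


def admin_access_encrypted(mgmt_url: str) -> bool:
    """True only for management URLs whose scheme is in ENCRYPTED_SCHEMES.
    Plaintext (http, telnet, ftp) and unknown schemes are treated as failures."""
    scheme = urlsplit(mgmt_url).scheme.lower()
    return scheme in ENCRYPTED_SCHEMES


def audit(inventory):
    """Return a list of (hostname, finding) pairs for the whole inventory."""
    findings = []
    for dev in inventory:
        if uses_default_password(dev["salt"], dev["admin_hash"]):
            findings.append((dev["host"], "default password in use"))
        if not admin_access_encrypted(dev["mgmt_url"]):
            findings.append((dev["host"], "unencrypted admin access"))
    return findings


# Constructed inventory: one non-compliant device, one compliant device.
SAMPLE_INVENTORY = [
    {"host": "pos-switch-01", "mgmt_url": "telnet://10.0.0.2",
     "salt": "s1", "admin_hash": hash_password("s1", "admin")},
    {"host": "store-fw-01", "mgmt_url": "https://10.0.0.1/",
     "salt": "s2", "admin_hash": hash_password("s2", "correct horse battery staple")},
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Run it as-is to see the two findings for pos-switch-01; in practice the inventory would come from your asset list and the default list from the vendors' own documentation for the devices you actually own.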
Req 3 - Protect stored data
Store only the minimum required data. Consider retention policies and data disposal.
Do not store authentication data after authorization
Mask the Personal Account Number (PAN) when displayed: at most the first 6 and last 4 digits may be shown.
Create a quarterly process to identify purge candidates
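As an added example that is not from the seminar, the following Python covers two of the Req 3 items: masking a PAN for display so that only the first 6 and last 4 digits appear, and a quarterly review that lists purge candidates (records past the retention period, or records that still hold authentication data after authorization). The retention period, record layout, PAN length bounds and sample data are constructed assumptions for the demo.

```python
# Added example: Req 3 helpers for PAN masking and quarterly purge review.
# Retention period, record layout and sample records are constructed assumptions.
import re
from datetime import date, timedelta

RETENTION_DAYS = 365  # constructed retention policy for the demo


def mask_pan(pan: str, mask_char: str = "*") -> str:
    """Return the PAN with everything between the first 6 and last 4 digits masked.
    Separators (spaces, dashes) in the input are dropped before masking.
    The 13-19 digit bound is an assumption used to reject obviously bad input."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + mask_char * (len(digits) - 10) + digits[-4:]


def find_purge_candidates(records, today: date, retention_days: int = RETENTION_DAYS):
    """Return (record id, reason) pairs for the quarterly review.
    A record is a candidate if its last business use is older than the retention
    period, or if it still carries authentication data after authorization."""
    cutoff = today - timedelta(days=retention_days)
    candidates = []
    for rec in records:
        if rec["last_used"] < cutoff:
            candidates.append((rec["id"], "past retention period"))
        if rec.get("auth_data_present"):
            candidates.append((rec["id"], "auth data stored after authorization"))
    return candidates


# Constructed sample records: one stale, one holding auth data, one compliant.
SAMPLE_RECORDS = [
    {"id": "txn-001", "last_used": date(2022, 1, 15), "auth_data_present": False},
    {"id": "txn-002", "last_used": date(2023, 6, 1), "auth_data_present": True},
    {"id": "txn-003", "last_used": date(2023, 9, 30), "auth_data_present": False},
]


def quarterly_review(today: date = date(2023, 10, 1)):
    """Run the review over the sample records as of a fixed date (constructed)."""
    return find_purge_candidates(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for rec_id, reason in quarterly_review():
        print(f"{rec_id}: {reason}")
```

The masking function only ever emits the permitted prefix and suffix, so it is safe to call from any display path; the purge check is deliberately a two-part rule because the two items in the notes are separate failures with separate fixes (retention cleanup versus not storing the data in the first place).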