Monday, May 20, 2013

Seminar Notes - Requirements 1, 2 and 3

My notes on the first three requirements.  These were run through pretty quickly.

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 1 - Firewall definitions

Need to establish firewall and router standards

Install firewalls on any mobile or employee-owned computers that connect through the internet (use personal firewall software)

Restrict/prohibit access from public and untrusted networks.

Allow only intended services

Dilbert on firewalls (Not from the seminar)

Req 2 -  No default passwords

This was continually reinforced throughout the entire seminar.  This is "low hanging fruit" for a hacker.  Usually a Google search will produce default passwords.

Encrypt all non-console administrative access

Don't share your password (Not from the seminar)
Dilbert on forgotten passwords (Not from seminar)

Req 3 - Protect stored data

Store only the minimum required data.  Consider retention policies and data disposal.

Do not store authentication data after authorization

Mask the Personal Account Number (PAN) when displayed - you can only show the first 6 and last 4 digits.

Create a quarterly process to identify purge candidates
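The display-masking rule from Req 3, as an added example that is not from the seminar: a masking function that enforces the first-6/last-4 limit, plus a scrubber that applies it to PAN-like digit runs in free text (for example a log line before it is written, so the stored data stays minimal). The 13- to 19-digit length bounds and the use of a Luhn check to reduce false positives are my assumptions, not something the seminar stated.

```python
import re

# PCI DSS Requirement 3 display rule (from the notes above): at most the first
# six and last four digits of a PAN may be shown. The length bounds are an
# assumption covering the common 13- to 19-digit card number formats.
FIRST_VISIBLE, LAST_VISIBLE = 6, 4
MIN_PAN_LEN, MAX_PAN_LEN = 13, 19
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # digit runs, optional separators


def mask_pan(pan: str, first: int = FIRST_VISIBLE, last: int = LAST_VISIBLE) -> str:
    """Return pan with only the permitted leading/trailing digits visible."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not MIN_PAN_LEN <= len(digits) <= MAX_PAN_LEN:
        raise ValueError("input does not look like a PAN")
    if first > FIRST_VISIBLE or last > LAST_VISIBLE:
        raise ValueError("requested exposure exceeds the first-6/last-4 limit")
    hidden = len(digits) - first - last
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used only to cut false positives when scanning free text."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_pans(text: str) -> str:
    """Mask every Luhn-valid PAN-like run in text, e.g. before a line is logged."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed sample: a well-known test card number inside a log line.
    line = "2013-05-20 order=42 card=4111-1111-1111-1111 status=ok"
    print(mask_pan("4111 1111 1111 1111"))  # 411111******1111
    print(scrub_pans(line))
```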
