Sunday, May 19, 2013

Seminar Notes - Requirements 4, 5 and 6

This information was presented by Emma Sutcliffe, Director of Standards Coordination, PCI Security Standards Council

Req 4 - Encrypt transmission across public networks

Use strong cryptography, such as:
- Secure Sockets Layer (SSL) [link],
- IP Security (IPSEC) [link],
- Secure Shell (SSH) [link]

Never send unprotected Primary Account Numbers (PAN) via end-user technologies such as email, chat, instant messaging (IM), etc.
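A detection check for that last point, added here as an example and not part of the seminar notes: it scans constructed sample chat lines for Luhn-valid 13 to 19 digit numbers, the heuristic a DLP filter uses to flag a PAN sent over email or IM. The message contents and the 13 to 19 digit window are assumptions.

```python
import re

# Constructed sample chat export (not from the notes): two lines carry
# unprotected test PANs, the others carry only tickets, phone numbers or
# a masked card number.
SAMPLE_MESSAGES = [
    "support: customer card 4111 1111 1111 1111 declined, please retry",
    "support: ticket 1234-5678 opened for order 9876543210",
    "billing: last four on file ending 1111, masked as ****1111",
    "sales: contact at 555-0199 said 5500 0000 0000 0004 works",
]

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unprotected_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit numbers found in free text.

    A Luhn match is a flag for review, not proof that the number is a PAN.
    """
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_messages(messages: list[str]) -> dict[int, list[str]]:
    """Map message index to the PANs found in it, for messages with hits."""
    hits = {}
    for idx, msg in enumerate(messages):
        pans = find_unprotected_pans(msg)
        if pans:
            hits[idx] = pans
    return hits
```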

Req 5 - Use and regularly update anti-virus

- Prevent malware
- Use on all systems
- Make sure antivirus is current and running
- Generate audit logs
- Retain logs for 12 months, and ensure that 3 months are readily viewable

Req 6 - Develop and maintain secure systems and applications

- Install vendor-supplied security patches within one month of release
- You must have the most recently released patches
- Identify and assign a risk ranking to newly discovered vulnerabilities
- Address critical issues within one month
- Address less critical issues within three months
- Develop software based on industry-standard best practices
- Follow change control [link]
- Address threats and vulnerabilities on an ongoing basis
