Payment Card Industry (PCI) - Data Security Standard (DSS): Introduction and Best Practices
Michael Jacobs, Development Architect - OpenEdge
Session 119
© 2009 Progress Software Corporation. All rights reserved.

What Is PCI-DSS?
Payment Card Industry - Data Security Standard
- Maintained by the Payment Card Industry Security Standards Council
- Goal: reduce credit card fraud resulting from theft of card data
- Applies end-to-end card data security
- 12 requirement sections
- Well known best practices
- Periodically updated
PCI-DSS Compliance Dependencies
- Merchants, card processors, card issuers
- OpenEdge payment applications
- Network & OS software
- OpenEdge middleware
- PCI council
- Service providers
PCI-DSS Compliance Varies
[Figure: compliance process by annual card transaction volume. Thresholds on the "Card Transactions" axis: 20,000, 1,000,000 and 6,000,000. Compliance processes shown: "SAQ & Network audit", "QSA Audit & Network Audit", "SAQ & Network audit".]
- QSA: Qualified Security Assessors
- SAQ: Self Assessment Questionnaire
The Road To Payment Application Compliance
- Become informed
- Perform a self assessment
- If you resell your payment application:
  - Comply with PA-DSS (Payment Application Data Security Standard)
  - Optional: get a QSA audit
- If you develop your in-house payment applications:
  - Comply with the PCI-DSS standard
  - Certify your network and systems
- Remember to plan for the next PCI-DSS and PA-DSS versions
Limiting The Impact Of Being Compliant
Limit DSS scope:
- Scope is defined by merchant-implemented internal firewalls
- Everything behind the firewall is in scope and must be DSS compliant
- Do not persistently store cardholder data
- Use a DSS certified service provider
[Diagram: scope boundary drawn across networks, servers, payment applications, databases and non-payment applications]
PCI-DSS Requirements: Build and Maintain a Secure Network
1. Install a firewall configuration to protect cardholder data
2. Do not use vendor-supplied system passwords and security parameters
PCI-DSS Requirements: Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data over public networks
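To make requirement 3 concrete, here is an added Python example (not code from the presentation or from OpenEdge) that applies the PCI-DSS PAN-handling rules an application developer must implement: masking a PAN to at most the first six and last four digits for display (requirement 3.3), truncating it for any record that must persist, and scrubbing full PANs out of log lines so the logging subsystem never stores cardholder data. The card number used is the widely published test PAN 4111111111111111, not a real account; the Luhn check keeps the scrubber from rewriting arbitrary digit runs such as order numbers.

```python
import re

# Constructed sample values for this example; 4111111111111111 is a
# well-known test PAN that passes the Luhn check.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: true only for digit strings that could be real PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: first six and last four at most (PCI-DSS 3.3)."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def truncate_pan(pan: str) -> str:
    """Storage form: keep only the last four digits, which cannot be
    combined with anything else here to rebuild the full PAN."""
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return "*" * (len(digits) - 4) + digits[-4:]

_PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def scrub_log_line(line: str) -> str:
    """Replace any Luhn-valid PAN in a log line with its masked form, so
    logs (requirement 10) never become a store of cardholder data."""
    def _repl(m: re.Match) -> str:
        run = m.group(0)
        return mask_pan(run) if luhn_valid(run) else run
    return _PAN_RUN.sub(_repl, line)

if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))
    print(truncate_pan(SAMPLE_PAN))
    print(scrub_log_line("auth declined for 4111111111111111 order 1234567890123456"))
```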
PCI-DSS Requirements: Maintain a Vulnerability Management Program
5. Use & update anti-virus software
6. Develop secure systems and applications
PCI-DSS Requirements: Implement Strong Access Measures
7. Restrict access to cardholder data
8. Assign a unique ID to each person
9. Restrict physical access to cardholder data
10. Track & monitor access to network & cardholder data
PCI-DSS Requirements: Monitor & Test Networks
11. Regularly test security systems and processes
12. Maintain an information security policy
For More Information, Go To…
PSDN: OpenEdge Applications in a PCI-DSS Environment
Web:
- PCI-DSS and PA-DSS standards
- Payment application requirements
- Self assessment questionnaire
- List of validated payment applications
Books: PCI for Dummies
In Summary
- PCI-DSS & PA-DSS are collections of security best practices
- Plan your short and long term compliance strategy
- Use OpenEdge features to assist you in making your application PCI-DSS compliant