"Fundamentals of PCI-DSS" Course Preview: Overview of the 12 Requirements

  • Published on 29 Sep 2024
  • 🎓 FULL "3-in-1 Fraud Prevention, Dispute Resolution, PCI-DSS Masterclass" Course 🎓
    bit.ly/fraud-d...
    Including:
    ✅ 11.5 hours of video
    ✅ 112 lessons (with PDF slides + quizzes)
    ✅ Instructor support with Vasco via message
    🎥 ALL Preview Lessons on TH-cam (Single Playlist) 🎥
    bit.ly/pcidss-yt
    ------
    Video transcript (possibly truncated due to char. limit):
    Let's cover a brief overview of the 12 Requirements. Before we really dive deep into every single one of them, I just want to cover what the list is, in general, and give you an introduction to every single one of these. Let's take a look.
    The 12 Requirements of the PCI-DSS are, as of version 3.2.1:
    The first is about installing and maintaining a firewall configuration to protect your card data from traffic.
    Requirement #2 is about not using defaults: default passwords, default accounts, and so on, with the purpose of minimizing vulnerabilities.
    Requirement #3 is about protecting stored data, with strong encryption and proper key management in your databases.
    Then, Requirement #4 is about encrypting transmission of sensitive data, especially across public networks.
    Requirement #5 is about protecting all systems against malware, as well as keeping the antivirus updated.
    Requirement #6: Develop and maintain secure systems and applications, including security requirements in your development lifecycle, as well as applying patches in a timely manner.
    Requirement #7 is about restricting access to sensitive data by need to know. Minimize who has access to the data, and what access every person has.
    Requirement #8 is about identifying and authenticating access to system components. Every person has a unique ID, they use strong authentication, and other measures, to make sure that every action is tracked back to the user.
    Requirement #9 is about restricting physical access: safely storing and moving physical media, visitor control, and so on.
    Requirement #10 is about tracking and monitoring all access to networks and data. In other words, logging, logging and more logging!
    Requirement #11 is about regular vulnerability and penetration testing of systems and processes.
    And finally, Requirement #12 is about maintaining a policy, itself, that addresses information security for all personnel.
    Now, the original names are a bit complex, so in practice, I've simplified them, and these are the names that I'll use throughout the course. They help you memorize the requirements with fewer words.
    I call Requirement #1 "Keep a Firewall". Have proper firewall rules, restrict unknown traffic, have a firewall on all machines, and use change management for changing every firewall rule.
    The second requirement is "No Defaults". For obvious reasons. Change all default passwords and all accounts, isolate servers (one functionality, or one security level, per server), inventory your assets, and remove all unneeded functionality. It's about minimizing obvious vulnerabilities.
    Requirement #3 is "Protect Stored Data". It's supposed to contrast with #4, which is "Protect Transmitted Data", as these are a mirror of each other. So Requirement #3 is about limiting the card data that you store to the essential, properly purging it once you don't need it, masking Personal Account Numbers (PANs) that are written down, or stored, and having proper key encryption and key lifecycle management. Key custodians, a defined cryptoperiod, and so on.
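    The Requirement #3 points above (store only what is essential, purge it when no longer needed, mask PANs that end up written down) can be turned into small, checkable helpers. The code that follows is an added example written for this page; it is not from the course or its slides. Its assumptions, mine rather than the course's, are a 90-day retention period and the display rule of keeping at most the first six and last four digits of a PAN; the ticket text and the record dates are constructed.

```python
"""Added example (not course material): helpers for Requirement #3, "Protect Stored Data".

Assumptions made for this example: retention period of 90 days; masked PANs keep at most
the first six and the last four digits.
"""
import re
from datetime import date, timedelta

RETENTION_DAYS = 90  # assumed business retention period

# A PAN is 13 to 19 digits; when written down, people separate groups with spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, and check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Replace the middle digits of a PAN; never reveal more than first six / last four."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    keep_first, keep_last = min(keep_first, 6), min(keep_last, 4)
    head = pan[:keep_first]
    tail = pan[len(pan) - keep_last:]
    return head + "*" * (len(pan) - keep_first - keep_last) + tail


def find_pans(text: str) -> list[str]:
    """Find digit runs in free text (tickets, notes, logs) that look like PANs and pass Luhn.

    Results are returned already masked, so the scanner's own output is not new stored card data.
    """
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def purge_due(records: list[dict], today: str, retention_days: int = RETENTION_DAYS) -> list[str]:
    """Return ids of records stored before the retention cutoff, i.e. due for secure deletion.

    Dates are ISO strings (YYYY-MM-DD) so the function is easy to drive from a job config.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=retention_days)
    return [r["id"] for r in records if date.fromisoformat(r["stored_on"]) < cutoff]


if __name__ == "__main__":
    # Constructed sample: a support ticket where an agent pasted a card number.
    # 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
    ticket = "Customer called about card 4111 1111 1111 1111, order ref 12345678901234"
    print(find_pans(ticket))  # the order ref fails Luhn and is skipped
    sample = [{"id": "tx-1", "stored_on": "2024-01-05"}, {"id": "tx-2", "stored_on": "2024-09-01"}]
    print(purge_due(sample, today="2024-09-29"))
```

    The Luhn filter keeps the scanner from flagging every long number (order references, phone numbers) as a PAN, and masking inside the scanner avoids the common mistake of a DLP report that itself becomes a file full of card numbers.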
    Requirement #4, as stated, is "Protect Transmitted Data". Make sure the data are encrypted with strong encryption in transit, including for public wireless networks - such as satellite GPS, GSM - as well as never sending plaintext Personal Account Numbers (PANs).
    Then, Requirement #5 is "Prevent Malware". Very simple. Have proper antivirus software that is regularly updated, that performs regular scans, that outputs regular logs, and that cannot be disabled by individual users, through establishing a policy.
    So if Requirement #5 is about protection from vulnerabilities that others cause, #6 is about protecting yourself from the vulnerabilities that YOU cause. It's about developing securely. And it's not just your own applications. It's securing both off-the-shelf software and your own, with regular risk ranking, and patch installation for critical risks, but also including security requirements in the software development lifecycle (SDLC) and in developer training. Your developers need to be able to deal with code injections, buffer overflows, cross-site scripting, and more.
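    Two of the bug classes the Requirement #6 passage names, code injection and cross-site scripting, come down to the same developer habit: never let untrusted input be parsed as code at a sink. The block that follows is an added example, not code from the course, showing each as the vulnerable form beside its fixed form. The merchant table, its two rows, and the function names are constructed for the example.

```python
"""Added example (not course material): injection and XSS, vulnerable form beside fixed form.

The in-memory table, its rows and the function names are constructed for this example.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with two constructed merchant rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, contact) VALUES (?, ?)",
        [("Acme Shop", "acme@example.com"), ("Bolt Cafe", "bolt@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """BAD: the caller's string is spliced into the SQL text, so quotes in it rewrite the query."""
    sql = f"SELECT name FROM merchants WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_fixed(conn: sqlite3.Connection, name: str) -> list[str]:
    """GOOD: a bound parameter is always data; the driver never parses it as SQL."""
    sql = "SELECT name FROM merchants WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def greeting_vulnerable(display_name: str) -> str:
    """BAD: untrusted text placed straight into HTML is interpreted as markup by the browser."""
    return f"<p>Hello {display_name}</p>"


def greeting_fixed(display_name: str) -> str:
    """GOOD: escaping at the HTML sink turns markup characters into inert entities."""
    return f"<p>Hello {html.escape(display_name)}</p>"


if __name__ == "__main__":
    conn = make_db()
    odd_input = "' OR '1'='1"  # the kind of value a security test feeds into a search box
    print(lookup_vulnerable(conn, odd_input))  # both rows: the WHERE clause was rewritten
    print(lookup_fixed(conn, odd_input))       # []: no merchant has that literal name
    print(greeting_fixed("<b>Ann</b>"))        # markup arrives as text, not as a tag
```

    The same rule generalizes to every sink an SDLC security requirement should list: parameters for SQL, escaping (or a templating engine that escapes by default) for HTML, and argument lists rather than shell strings for subprocesses.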
    The next three are related: "Need-to-Know Access", "Identify Access" and "Restrict Physical Access". This is about digital protection. This is about digital identification. And this is about physical protection.
    So, let's start with #7. Need-to-Know Access. As the name says, it defends the Principle of Least Privilege, or PoLP.
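    In code, need-to-know access as the Requirement #7 passage describes it is a default-deny decision: a user may do something only if a role tied to their job function explicitly grants it, and a periodic review removes whatever they hold beyond that. The block that follows is an added example written for this page, not from the course. The roles, user ids, resource and action names are all assumptions made for the example.

```python
"""Added example (not course material): default-deny, need-to-know authorization for Requirement #7.

Roles, users, resources and actions are constructed for this example.
"""
from typing import Iterable

Permission = tuple[str, str]  # (resource, action)

# Each role lists only what that job function needs; anything not listed is denied.
ROLE_PERMISSIONS: dict[str, frozenset[Permission]] = {
    "support_agent": frozenset({("cardholder_record", "read_masked")}),
    "fraud_analyst": frozenset({("cardholder_record", "read_masked"),
                                ("cardholder_record", "read_full"),
                                ("dispute", "read")}),
    "dba": frozenset({("database", "backup"), ("database", "restore")}),
}

# Constructed user directory: user id -> assigned roles.
USER_ROLES: dict[str, list[str]] = {
    "u001": ["support_agent"],
    "u002": ["fraud_analyst"],
    "u003": ["dba", "fraud_analyst"],  # accumulated two roles after changing jobs
}


def permissions_for(user_id: str) -> frozenset[Permission]:
    """Union of the user's role permissions; unknown users and unknown roles grant nothing."""
    perms: set[Permission] = set()
    for role in USER_ROLES.get(user_id, []):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def authorize(user_id: str, resource: str, action: str) -> bool:
    """Default deny: allowed only if some assigned role explicitly grants (resource, action)."""
    return (resource, action) in permissions_for(user_id)


def excess_permissions(user_id: str, needed: Iterable[Permission]) -> frozenset[Permission]:
    """For an access review: what the user can do beyond what their current job needs."""
    return permissions_for(user_id) - frozenset(needed)


if __name__ == "__main__":
    print(authorize("u001", "cardholder_record", "read_full"))      # False: agents get masked data only
    print(authorize("u002", "cardholder_record", "read_full"))      # True
    print(authorize("nobody", "cardholder_record", "read_masked"))  # False: unknown user
    # u003 moved from fraud work to DBA work; the review lists what should now be removed.
    print(sorted(excess_permissions("u003", ROLE_PERMISSIONS["dba"])))
```

    The review helper matters as much as the check itself: least privilege erodes through role accumulation, so the comparison of "granted" against "needed" is what keeps "what access every person has" minimal over time.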
