Copyright 2008 - 2011 TurboPCI, Inc. All rights reserved.

PCI Compliance Security Awareness Training

31 December 2011

Page 2: What is PCI Compliance?

Before 2006, all payment card brands (Visa, AMEX, MasterCard, Discover, and JCB) had created their own programs to combat credit/debit card fraud. With the increase in fraud, this became very expensive to manage.

The brands joined together to create the Payment Card Industry Security Standards Council (PCI SSC).

The PCI SSC developed an enforceable set of ‘best practices’ standards called the Payment Card Industry Data Security Standards (PCI DSS).


Page 3: What is PCI Compliance?

Any business that accepts credit/debit cards as payment from their customers must be compliant with some or all of the PCI DSS (called ‘Requirements’), based on how they do business.


Page 4: Security Policy

All Coast Guard MWR workforce members (including employees, contractors, temporary employees, consultants, etc.) must comply with the PCI policies and procedures.

Workforce members must protect their customers’ cardholder data at all times:

- Before, during and after every transaction
- If the data is stored in electronic format
- If the data is printed on any reports/documents


Page 5: Security Policy

All workforce members will report any security incident that they become aware of or suspect may have occurred.

Any and all technologies used to access cardholder data must be approved by the MWR Program. Examples of such technologies:

- Credit/debit card swipe machines
- Computers using payment applications that store cardholder data
- Any remote computers (laptops, home PCs, smart phones, etc.) used by workforce members to access MWR systems containing cardholder data

Any changes made to these technologies must be documented and approved (e.g., upgrade of an application, change of a card swipe machine, etc.).

Page 6: Workforce Screening

New workforce members, and members being promoted, will be subject to background checks as limited by law.


Page 7: Service Providers Policy

All service providers with which cardholder data is shared must adhere to the PCI DSS requirements and must sign an agreement acknowledging that the service provider is responsible for the security of the cardholder data the provider possesses.


Page 8: Incident Response Policy

If a security incident should occur involving cardholder data, workforce members must follow the security incident reporting guidelines found in Commandant Instruction 5260.5, Privacy Incident Response, Notification, and Reporting Procedures for Personally Identifiable Information (PII).

Some examples of a security incident:

- A customer mistakenly leaves their card behind and it is stolen from the MWR Program site before it can be returned.
- A computer containing a payment application that stores cardholder data is infected by a virus.


Page 9: Acceptable Use Policy

For IT resources (PCs, laptops, smart phones, etc.) accessing cardholder data:

Users will be permitted access to computer resources upon approval by the appropriate department director or supervisor.

Users must have no expectation of privacy as to any communication on or information stored within IT resources. Because of the need to protect MWR resources, the confidentiality of information stored on any computer device belonging to MWR is not guaranteed.


Page 10: Acceptable Use Policy

Users are responsible for exercising good judgment regarding the reasonableness of personal use. If there is any uncertainty, users must consult their supervisor or manager.

Such personal use must not interfere with a user fulfilling his or her job responsibilities, interfere with other users' access to resources, or be excessive as determined by management.

For security and network maintenance purposes, authorized MWR workforce members may monitor equipment, systems and network traffic at any time.


Page 11: Acceptable Use Policy

Workforce members must take all necessary steps to prevent unauthorized access to Special Handling/Controlled Access Only information, specifically cardholder data.

Sharing user identification and/or password information with any other person is strictly prohibited.

Keep passwords secure. Authorized users are responsible for the security of their passwords and accounts. All user-level passwords must be changed every 90 days.

All PCs, laptops and workstations must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less, or by logging off when the host will be unattended.


Page 12: Acceptable Use Policy

Because information contained on portable computers is especially vulnerable, special care will be exercised.

Postings by users from an MWR email address to newsgroups must contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of MWR, unless posting is in the course of business duties.

All hosts used by the user that are connected to MWR IT resources, whether owned by the user or MWR, shall be continually executing approved virus-scanning software with a current virus database.


Page 13: Acceptable Use Policy

Users must use extreme caution when opening unexpected e-mail attachments received from any sender, as they may contain viruses, e-mail bombs, or Trojan horse code.

User access privileges will be granted on a need-to-know (least privilege) basis.


Page 14: Unacceptable Uses

The following activities are strictly prohibited, with no exceptions:

- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, including, but not limited to, pirated software.
- Exporting software, technical information, encryption software or technology in violation of international or regional export control laws.
- Introduction of malicious programs into MWR IT resources (e.g., viruses, worms, Trojan horses, rootkits, etc.).


Page 15: Unacceptable Uses

- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using MWR IT resources to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
- Making fraudulent offers of products, items, or services originating from any MWR email account.
- Making statements about warranty, express or implied, unless it is a part of normal job duties.


Page 16: Unacceptable Uses

- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the user is not an intended recipient, or logging into a server or account that the user is not expressly authorized to access, unless doing so is within the scope of the user's regular duties.
- Executing any form of network monitoring which will intercept data not intended for the user's host, unless this activity is a part of the user's normal job/duty.


Page 17: Unacceptable Uses

- Circumventing user authentication or security of any host, network or account.
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
- Providing information about, or lists of, MWR users to outside parties.
- Sending unencrypted cardholder account numbers in email, by chat, or by any other electronic means.


Page 18: Unacceptable Uses

Unauthorized use of any instant messenger programs (e.g., AIM, Microsoft Messenger, Trillian, etc.), personal profile spaces (including MySpace, Facebook, Hotmail, Match, etc.) or file sharing (peer-to-peer) software.


Page 19: Wrap Up

Always protect your customers’ cardholder data, whether in electronic or hard copy (written) form.

PCI Compliance is mandatory. Any violations of the PCI DSS Requirements could result in the MWR Program losing the ability to accept debit/credit cards from their customers.

Be smart and follow the policies and procedures!
