Category Archives: PCI

PCI Security Awareness Training

One of the most important parts of securing your data is ensuring that your employees have a good understanding of security. Here is a great resource for getting your employees trained for free: http://usa.visa.com/merchants/risk_management/data_security_demo/popup.html

Posted in PCI

Sample Incident Response Plan

1) The person who discovers the incident will call the grounds dispatch office. List possible sources of those who may discover the incident. The known sources should be provided with a contact procedure and contact list. Sources requiring contact information may be:
a) Helpdesk
b) Intrusion detection monitoring personnel
c) A system administrator
d) A […]

Also posted in Procedures and Documentation

PCI Lawsuit

Wired has an article outlining a new lawsuit started by a merchant regarding fines levied by Visa and Mastercard after they determined there had been a breach of security in the merchant's systems. The merchant states that they had no way of disputing the allegations that there was a breach of security allowing card numbers to be […]

Posted in PCI

Network Diagram

Here is a very simple network diagram showing the physical connections from the internet to the various network segments. You will notice that there are 3 distinct zones, each separated from the others by a firewall. This is required by the PCI standards. Only the DMZ should have direct access to and from the internet; the […]

Also posted in Procedures and Documentation

Security Tasks Calendar

The following tasks should be conducted on a periodic basis. Probably the best way to do this is to set up recurring appointments in your calendar software. Each time a task is completed it should be documented with a ticket in your ticketing system (for example Mantis) and signed off by at least two different parties. […]

Also posted in Procedures and Documentation

PCI Section 1.3

1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

Also posted in PCI Section 1

PCI Section 1.2

1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Also posted in PCI Section 1

Firewall Change Request Form

Change Number __________
Submitted By ____________ Signature ______________ Date _____________
Approved By ____________ Signature _______________ Date _____________
Implemented By ___________ Signature ______________ Date _____________
Source ____________________
Destination ____________________
Port ____________________
Action ____________________
Business Purpose ____________________
For any insecure services, protocols, or ports, please provide a description of the additional security controls put into place to mitigate the risk. Examples of insecure services, protocols, […]

Also posted in Procedures and Documentation

Firewall Ruleset Documentation Spreadsheet

Audit Date ________________
Audited By ________________ Signature _________________
Approved By _______________ Signature __________________

No. | Source | Destination | Port | Action | Business Purpose | Change Request Number | Mitigating Controls
1 | Any | www.domain.com (192.168.2.111) | HTTP (80) | Allow | Allow outside computers to connect to webserver on port 80 | 1125 |
2 | Any | www.domain.com (192.168.2.111) | HTTPS (443) | Allow | Allow outside computers to connect to webserver on […]

Also posted in Procedures and Documentation

Firewall Security Standard

Firewalls must be placed at each Internet connection and between the DMZ and the internal network zone. The Security Officer must approve all changes made to the firewall. IT Admins are the only ones who shall have access to make changes to the firewall. All changes to the firewall must follow the Firewall Change Procedure […]

Also posted in Procedures and Documentation