Information Security Policies and PCI DSS Standards

Information Security Policy Document Control

• The document outlines high-level policy objectives for information security and applies to people, processes, and IT systems within the organization.

• The policy emphasizes the protection of information assets, outlining potential consequences of breaches in information security.

• It delineates roles and responsibilities for personnel, line management, and senior management, emphasizing the importance of personnel education and awareness.

• Network security measures include firewall management, documentation, architecture, and configuration, as well as regulations for wireless networks.

• System builds are required to adhere to configuration build standards and system management services, with a focus on removing default settings and using strong encryption.

• Data security measures cover data storage, transmission, and specific requirements for handling cardholder data, including encryption and authorization protocols.

• The policy outlines requirements for anti-virus deployment, patching, and vulnerability management, including the application of critical security updates and vulnerability tracking.

• It defines standards for software development, change management, and access control, emphasizing the need to follow specific procedures for system access.

• Physical security policies cover site access and media security, while system logging requirements include configurations, time settings, and audit trail security.

• Network testing protocols encompass wireless testing, vulnerability scanning, and penetration testing, with specific requirements for intrusion detection and prevention systems and file integrity monitoring.

• The document includes a user declaration and outlines PCI requirements, including the installation and maintenance of firewall configurations, encryption of cardholder data, and other security measures.

• It also contains an annex with a glossary of terms and references to industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).PCI DSS and Security Requirements Summary

• PCI DSS is the standard developed by PCI Security Standards Council for entities that store, process, or transmit cardholder data.

• Requirement 9 mandates assigning a unique ID to each person with computer access.

• Requirement 10 involves restricting physical access to cardholder data.

• Requirement 11 necessitates tracking and monitoring all access to network resources and cardholder data.

• Requirement 12 mandates regularly testing security systems and processes.

• Annex A provides a glossary of terms, including definitions for PCI DSS and insecure service.

• Insecure service refers to any service that transmits data in an unencrypted format or is susceptible to well-known attacks or vulnerabilities.

• A public network is any network not managed by the organization and can be monitored or intercepted by other entities.

• DMZ (Demilitarized Zone) is a subnet that contains an organization's external-facing services and is exposed to a larger, untrusted network.

• Inbound traffic refers to traffic coming from outside the organization flowing into the organization via routers or firewalls.

• Outbound traffic refers to traffic coming from inside the organization flowing out via routers or firewalls.

• Sensitive Authentication Data (SAD) includes full magnetic stripe data, PINs, PIN blocks, and the primary account number (PAN).