"Fundamentals of PCI-DSS" Course Preview: Overview of the 12 Requirements
🎓 FULL "3-in-1 Fraud Prevention, Dispute Resolution, PCI-DSS Masterclass" Course 🎓 https://bit.ly/fraud-dispute-course
Including:
✅ 11.5 hours of video
✅ 112 lessons (with PDF slides + quizzes)
✅ Instructor support with Vasco via message
🎥 ALL Preview Lessons on YouTube (Single Playlist) 🎥 https://bit.ly/pcidss-yt

------

Video transcript (possibly truncated due to char. limit):

Let's cover a brief overview of the 12 Requirements. Before we really dive deep into every single one of them, I just want to cover what the list is, in general, and give you an introduction to every single one of these. Let's take a look.

The 12 Requirements of the PCI-DSS are, as of version 3.2.1:

The first is about installing and maintaining a firewall configuration to protect your card data from traffic.

Requirement #2 is about not using defaults. Default passwords, default accounts, and so on, with the purpose of minimizing vulnerabilities.

Requirement #3 is about protecting stored data, with strong encryption and proper key management in your databases.

Then, Requirement #4 is about encrypting transmission of sensitive data, especially across public networks.

Requirement #5 is about protecting all systems against malware, as well as keeping the antivirus updated.

Requirement #6: Develop and maintain secure systems and applications. This includes security requirements in your development lifecycle, as well as applying patches in a timely manner.

Requirement #7 is about restricting access to sensitive data by need to know. Minimize who has access to the data, and what access every person has.

Requirement #8 is about identifying and authenticating access to system components. Every person has a unique ID and uses strong authentication, among other measures, to make sure that every action is tracked back to the user.

Requirement #9 is about restricting physical access. Safely storing and moving physical media, visitor control, and so on.
Requirement #10 is about tracking and monitoring all access to networks and data. In other words, logging, logging and more logging!

Requirement #11 is about regular vulnerability and penetration testing of systems and processes.

And finally, Requirement #12 is about maintaining a policy, itself, that addresses information security for all personnel.

Now, the original names are a bit complex, so in practice, I've simplified them, and these are the names that I'll use throughout the course. They help you memorize the requirements with fewer words.

I call Requirement #1 "Keep a Firewall". Have proper firewall rules, restrict unknown traffic, have a firewall on all machines, and use change management for changing every firewall rule.

The second requirement is "No Defaults". For obvious reasons. Change all default passwords and all accounts, isolate servers (one functionality, or one security level, per server), inventory your assets, and remove all unneeded functionality. It's about minimizing obvious vulnerabilities.

Requirement #3 is "Protect Stored Data". It's supposed to contrast with #4, which is "Protect Transmitted Data", as these are a mirror of each other. So Requirement #3 is about limiting the card data that you store to the essential, properly purging it once you don't need it, masking Personal Account Numbers (PANs) that are written down or stored, and having proper key encryption and key lifecycle management. Key custodians, a defined cryptoperiod, and so on.

Requirement #4, as stated, is "Protect Transmitted Data". Make sure the data are encrypted with strong encryption in transit, including over public wireless networks (such as satellite GPS and GSM), and never send plaintext Personal Account Numbers (PANs).

Then, Requirement #5 is "Prevent Malware". Very simple.
Have proper antivirus software that is regularly updated, that performs regular scans, that outputs regular logs, and that cannot be disabled by individual users, by establishing a policy.

So if Requirement #5 is about protection from vulnerabilities that others cause, #6 is about protecting yourself from the vulnerabilities that YOU cause. It's about developing securely. And it's not just your own applications. It's securing both off-the-shelf software and your own, with regular risk ranking and patch installation for critical risks, but also including security requirements in the software development lifecycle (SDLC) and in developer training. Your developers need to be able to deal with code injection, buffer overflows, cross-site scripting, and more.

The next three are related: "Need-to-Know Access", "Identify Access" and "Restrict Physical Access". The first is about digital protection, the second about digital identification, and the third about physical protection.

So, let's start with #7. Need-to-Know Access. As the name says, it defends the Principle of Least Privilege, or PoLP.
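The transcript's Requirement #3 (mask stored PANs) and Requirement #4 (never send plaintext PANs) both come down to one practical control: PAN data must never appear unmasked in anything you persist or transmit, including application logs. The following is an added example and is not code from the course or from the PCI SSC. It assumes the display-masking limit from PCI DSS v3.2.1 Requirement 3.3 (at most the first six and last four digits may be shown) and uses a publicly known test card number (4111 1111 1111 1111) as constructed sample data; the regular expression, the Luhn filter and the sample log line are all this example's own assumptions.

```python
import re
from typing import List

# Assumption from the lead-in: PCI DSS v3.2.1 Req 3.3 allows at most the
# first six and the last four digits of a PAN to be displayed.
MAX_KEEP_FIRST = 6
MAX_KEEP_LAST = 4

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (so timestamps and IDs are not swallowed).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed log line containing a well-known test card number, not real data.
SAMPLE_LOG = ("2024-01-15 12:00:00 INFO order=8831 "
              "card=4111 1111 1111 1111 amount=42.00")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _candidate_digits(token: str) -> str:
    """Strip separators; return digits only if the token looks like a PAN."""
    digits = re.sub(r"\D", "", token)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return ""


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display/storage, refusing to reveal more than Req 3.3 allows."""
    if keep_first > MAX_KEEP_FIRST or keep_last > MAX_KEEP_LAST:
        raise ValueError("PCI DSS allows at most first 6 and last 4 digits")
    digits = _candidate_digits(pan)
    if not digits:
        raise ValueError("not a plausible PAN")
    hidden = "*" * (len(digits) - keep_first - keep_last)
    return digits[:keep_first] + hidden + digits[-keep_last:]


def find_unmasked_pans(text: str) -> List[str]:
    """Detection: return every Luhn-valid PAN that appears in clear text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = _candidate_digits(m.group(0))
        if digits:
            found.append(digits)
    return found


def redact_line(line: str) -> str:
    """Mitigation: rewrite a log line so any clear-text PAN is masked in place."""
    def repl(m: "re.Match[str]") -> str:
        digits = _candidate_digits(m.group(0))
        return mask_pan(digits) if digits else m.group(0)
    return PAN_RE.sub(repl, line)


if __name__ == "__main__":
    print("unmasked PANs found:", find_unmasked_pans(SAMPLE_LOG))
    print("redacted line:", redact_line(SAMPLE_LOG))
```

Run `find_unmasked_pans` over log output as a detection check for Requirements 3, 4 and 10, and put `redact_line` (or the equivalent filter in your logging framework) in front of any sink that persists or ships logs. The Luhn filter keeps timestamps, order numbers and amounts from being flagged, but it is a plausibility test, not proof: a digit run that passes Luhn is treated as a PAN and masked, which is the safe direction to err.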