PCI DSS training 1-3 v3 BankAxept


Page 1 (0s)

[Virtual Presenter] Good afternoon everyone, I'm Alina Lapina and I'm here to present the fundamentals and structure of the Payment Card Industry Data Security Standard (PCI DSS). Today I'll be giving an overview of four distinct sessions and a questionnaire designed to help develop a secure payment card account data system at BankAxept. Let's get started!

Page 2 (22s)

[Audio] Our presentation today focuses on the PCI DSS Training Developer and Operator BankAxept, 2023. In the next four sessions, we will cover the following requirements: session 1 covers an introduction to PCI DSS; session 2 focuses on requirement 3, while session 3 will discuss requirement 6; and finally, the fourth session will be a walkthrough of the written home exam answers. Join us as we explore each of these topics.

Page 3 (57s)

[Audio] We will be discussing the Payment Card Industry Data Security Standard (PCI DSS). This standard was created to ensure data security of payment card transactions and the protection of cardholder information. We'll be reviewing the requirements for developers, operators, and security personnel in order to be certified compliant with the standard. This session will cover the fundamentals of the PCI DSS standard and its importance in providing a secure environment for payment card processing.

Page 4 (1m 29s)

[Audio] Participants of the PCI DSS training course will be able to comprehend the purpose of the standard, its structure, and how BankAxept implements these regulations to build a safe environment. We will investigate the plans, operations, held liable entities, and information materials used within the bank to fulfil all PCI DSS needs.

Page 5 (1m 52s)

[Audio] At BankAxept, we are committed to meeting the security standards set by the Payment Card Industry Data Security Standard. Keeping our customers' personal data safe and secure is of the utmost importance to us. We have a dedicated team of experts responsible for developing and operating our PCI DSS training program to ensure our customers and their data are well-protected. We are continually working hard to adhere to the highest security standards to provide a safe and secure payment experience. At BankAxept, we understand the importance of data security and the need to protect our customers' payment information. We are committed to meeting the Payment Card Industry Data Security Standard by providing a team of security experts and training programs. Our comprehensive security measures are designed to safeguard our customers' payments and ensure a safe and secure payment experience.

Page 6 (2m 48s)

[Audio] The PCI SSC is an organization composed of leading payment brands, banks, merchants, processors and technology providers who are focused on securing the processing of payment transactions. They offer a set of unified security standards to assist businesses in protecting customer account data. Moreover, they offer training programs to equip financial institutions with the essential skills and knowledge to comprehend and effectively implement the PCI Security Standards Council's standards.

Page 7 (3m 19s)

[Audio] The Payment Card Industry Security Standards Council is a global forum established by the payment card industry to promote the implementation of data security standards. Representatives from payment card companies and European payment organisations collaborate with a full-time staff to create, preserve and upgrade the PCI Security Standards. To discover further information, click on the link in the slide.

Page 8 (3m 45s)

[Audio] PCI DSS is an information security standard designed to help organizations protect their data. The latest version, v4.0, was released in 2022 and provides updated security requirements and guidelines. Download it here to stay up to date.

Page 9 (4m 5s)

[Audio] BankAxept is taking extensive steps to comply with the Payment Card Industry Data Security Standard (PCI DSS), which includes twelve requirements and 410 sub-requirements. Three, six, and ten of the requirements relate to operator/developer operations respectively. To safeguard customers’ data, BankAxept is implementing network security controls, secure configurations, strong cryptography for cardholder data, restricted access to system components and cardholder data, vulnerability management, secure systems and software, user authentication, physical access control, logging and monitoring of system and data access, regular security tests, and organizational policies for information security. BankAxept’s goal is to guarantee the secure management of account data and cardholder data as well as customers’ safety.

Page 10 (4m 59s)

[Audio] Organizations can ensure the security of their cardholder data and other sensitive information by meeting the Payment Card Industry Data Security Standard (PCI DSS), which applies to all components of the cardholder data environment. This includes people, processes, and technologies such as network devices, servers, computing devices, and applications that store, process, or transmit cardholder data or sensitive authentication data.

Page 11 (5m 27s)

[Audio] PCI DSS, or Payment Card Industry Data Security Standard, defines scope as the systems, people and processes involved with payment transactions and data storage. As such, as a PCI DSS Training Developer and Operator, it is necessary to develop training programs that cover the scope of any systems, people and processes that may be related to payment transactions and data storage.

Page 12 (5m 51s)

[Audio] My team and I, as BankAxept's training developer and operator, are dedicated to providing our customers with the best experience when it comes to PCI DSS compliance. We strive to understand the scope and definitions of the CTSP protocol which helps us lessen scope and complexity, making our services more maintainable and secure. Additionally, by segmentation, we can minimize potential risks while guaranteeing our customers the highest levels of protection.

Page 13 (6m 21s)

[Audio] Data security is of paramount importance for BankAxept. Primary Account Numbers (PAN) are the core of payment security as they can include Cardholder name, Expiration date and confidential authentication data. This information can be found in the full-track magnetic stripe data or its chip alternative and in the shape of a Personal Identification Number (PIN) or PIN Block. We, as PCI DSS developers and operators, must observe the strictest regulations of the Payment Card Industry, more specifically, PCI DSS 4, article 2. We ought to also determine the Card Verification Code, such as CAV2, CVC2, CVV2, and CID. Finally, it is important to be aware of the Bank Identification Number (BIN) at all times.

Page 14 (7m 14s)

[Audio] The Executive Management of BankAxept is responsible for ensuring that the necessary measures needed to comply with PCI DSS are established. In this regard, the responsibility for compliance is spread throughout the organization from the CEO down to the IT Operations Team, who have the duty of instituting and maintaining the PCI DSS stipulations and managing third parties.

Page 15 (7m 38s)

[Audio] BankAxept is dedicated to more than just adhering to the PCI DSS's standards. To achieve our goal of being a 2023 PCI DSS Training Developer and Operator, our people and organization must also be compliant. To this end, we have instituted training and programs to make sure that our staff and processes are up to the required standards.

Page 16 (8m 2s)

[Audio] Compliance with PCI DSS standards is essential for organizations that handle card payments in order to protect and secure customers' sensitive information. This makes PCI DSS compliance not only a business requirement, but also a customer requirement. Following the PCI DSS requirements is a necessary step towards protecting customer data.

Page 17 (8m 27s)

[Audio] At BankAxept, we understand that PCI DSS compliance is critical for the protection of our customers' data. We have taken steps to ensure that we adhere to the stringent security norms outlined by BITS and EMVCO, and have aligned ourselves with Gemalto's contractual requirements to create PCI DSS compliant solutions for our Payment Token Service Provider. This commitment to providing our customers with secure and reliable payment experiences is unwavering.

Page 18 (8m 57s)

[Audio] At BankAxept, we adhere to the Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements developed by the Payment Card Industry Security Standards Council to protect the safety and security of data and payments. To meet the BITS requirements, Apple requires that BankAxept run in a PCI DSS environment. In addition, we need to obtain Level 1 PCI DSS certification for both our xPays (DES) and ePayment (WIP) services, which are further divided into four levels depending on the volume of transactions. We strongly believe that it is our responsibility to keep up with the standards and beyond in order to provide our customers with the best experience.

Page 19 (9m 44s)

[Audio] BankAxept provides protection for crucial payment card information and confidential information. This security system guarantees the security of customers' data, stopping unauthorized access and utilization. BankAxept ensures a secure and safe atmosphere for all payments and transactions.

Page 20 (10m 5s)

[Audio] Staying abreast of PCI DSS requirements is an ongoing and continual endeavor. To ensure compliance, organizations must frequently check their systems for any security loopholes, implement any necessary corrections, and generate multiple documents every year, including a Report on Compliance, an Attestation of Compliance, and a Self-Assessment Questionnaire.

Page 21 (10m 28s)

The structure. The Requirement Description at the X.X level organizes and describes the requirements that fall under it. The Defined Approach Requirements and Testing Procedures are the traditional method for implementing and validating PCI DSS using the Requirements and Testing Procedures defined in the standard. The Customized Approach Objective is the intended goal or outcome for the requirement. It must be met by entities using a Customized Approach. Most PCI DSS requirements have a Customized Approach Objective, which defines expectations for entities and assessors when the Customized Approach is used. Entities following the Defined Approach can refer to the Customized Approach Objective as guidance, but the objective does not replace or supersede the Defined Approach Requirements and Testing Procedures.

Defined Approach Requirements: 3.4.2 When using remote-access technologies, technical controls prevent copy and/or relocation of PAN for all personnel, except for those with documented, explicit authorization and a legitimate, defined business need.

Customized Approach Objective: PAN cannot be copied or relocated by unauthorized personnel using remote-access technologies.

Applicability Notes: Storing or relocating PAN onto local hard drives, removable electronic media, and other storage devices brings these devices into scope for PCI DSS. This requirement is a best practice until 31 March 2025, after which it will be required and must be fully considered during a PCI DSS assessment. (A note of this kind accompanies each new PCI DSS v4.0 requirement with an extended implementation period.) Applicability Notes apply to both the Defined and Customized Approach. They contain information that affects how the requirement is interpreted in the context of the entity or in scoping. These notes are an integral part of PCI DSS and must be fully considered during an assessment.

Defined Approach Testing Procedures: 3.4.2.a Examine documented policies and procedures and documented evidence for technical controls that prevent copy and/or relocation of PAN when using remote-access technologies onto local hard drives or removable electronic media to verify the following: technical controls prevent all personnel not specifically authorized from copying and/or relocating PAN; a list of personnel with permission to copy and/or relocate PAN is maintained, together with the documented, explicit authorization and legitimate, defined business need. 3.4.2.b Examine configurations for remote-access technologies to verify that technical controls prevent copy and/or relocation of PAN for all personnel unless explicitly authorized. 3.4.2.c Observe processes and interview personnel to verify that only personnel with documented, explicit authorization and a legitimate, defined business need have permission to copy and/or relocate PAN when using remote-access technologies.

Guidance. Purpose: Relocation of PAN to unauthorized storage devices is a common way for this data to be obtained and used fraudulently. Methods to ensure that only those with explicit authorization and a legitimate business reason can copy or relocate PAN minimize the risk of unauthorized persons gaining access to PAN. Good Practice: Copying and relocation of PAN should only be done to storage devices that are permissible and authorized for that individual. Definitions: A virtual desktop is an example of a remote-access technology. Storage devices include, but are not limited to, local hard drives, virtual drives, removable electronic media, network drives, and cloud storage. Further Information: Vendor documentation for the remote-access technology in use will provide information about the system settings needed to implement this requirement.

Guidance provides information to understand how to meet a requirement. Guidance is not required to be followed; it does not replace or extend any PCI DSS requirement. Not every Guidance section described here is present for each requirement. Purpose describes the goal, benefit, or threat to be avoided: why the requirement exists. Good Practice can be considered by the entity when meeting a requirement. Definitions are terms that may help understand the requirement. Examples describe ways a requirement could be met. Further Information gives references to relevant external documentation.

Page 22 (11m 34s)

[Audio] At BankAxept, we ensure our DevOps team have the data to fulfil PCI DSS requirements. In the case of breaches or serious incidents, our teams have to report and seek advice from contractors utilizing the contact details provided. We want our teams to be aware of our regulations and carry out risk evaluation and internal inspections. Furthermore, if there are errors and minor incidents, our teams must record, solve and report to the contractors in line with the relevant templates. This is our pledge to remain compliant with PCI DSS.

Page 23 (12m 12s)

[Audio] At BankAxept, we have developed a rigorous compliance program to ensure that all our operations and services are in line with PCI DSS standards. We have implemented policies and procedures to guide our staff in every operation we undertake, as well as regularly updating our risk management systems. Quarterly self-assessments are performed to identify any areas of non-compliance and enable us to address any potential gaps between current practices and PCI DSS requirements. Through these activities, BankAxept is committed to secure, reliable and compliant services to its customers.

Page 24 (12m 51s)

[Audio] When it comes to PCI DSS compliance, it is not always possible to meet the requirements. In these cases, compensating controls and technical reasons must be considered and documented, along with outlining any business constraints and how they correlate with the PCI DSS. This will help guarantee the safety and compliance of payment data.

Page 25 (13m 14s)

[Audio] We are discussing the implications of PCI DSS on BankAxept in 2023. Organizations that store, process or transmit cardholder data must be compliant with the PCI DSS. Encrypted cardholder data still carries risks that must be addressed. If BankAxept outsources services to Basefarm, BankAxept remains accountable for certification and compliance. Our environment is compliant because our hardware security module meets the PCI DSS requirements. All developers and operators must ensure the PCI DSS requirements are met on a daily basis. A breach of any PCI DSS requirement is treated the same as a data breach and relevant documentation must be maintained and up to date.

Page 26 (14m 5s)

[Audio] We will discuss the third requirement of PCI DSS, which focuses on the protection of stored cardholder data. We will learn what it entails and how to ensure compliance and secure the handling of credit card information. Additionally, we will discuss the technical and procedural measures needed to protect the environment where the cardholder data is stored.

Page 27 (14m 28s)

[Audio] BankAxept recognizes the need for secure data protection and has implemented the PCI DSS framework in compliance with global data protection regulations like GDPR. Through the implementation of multiple layers of security, such as data retention, storage prevention of sensitive data, masking of the primary account number, encryption key protection, and rendering the PAN unreadable, BankAxept safeguards the safety of our customers.

Page 28 (14m 55s)

[Audio] BankAxept is committed to data retention and disposal. Our data policies and procedures limit data storage amount and retention time, as well as specify specific retention requirements and processes for secure deletion of data when no longer needed. Quarterly processes are instituted to identify and securely delete stored cardholder data that exceeds defined retention. To protect customer data and remain compliant with the PCI DSS, no data is stored anywhere else.

Page 29 (15m 27s)

[Audio] BankAxept takes the safety and security of customer data extremely seriously. We adhere to strict PCI DSS standards and do not store any sensitive data at any point, even after authorization. Tokenization is used for extra security and our database model is constantly being upgraded and improved to meet the highest security standards. Furthermore, we offer robust logging and audit practices for added assurance. In this way, BankAxept can be relied upon to provide secure services.

Page 30 (16m 3s)

[Audio] BankAxept take privacy and data security seriously and comply with the PCI DSS standards. According to the PCI DSS, the first six and last four digits of a customer's Payment Card Number should be masked when displayed. This is done to ensure that only personnel with a legitimate business need can see the full number.

Page 31 (16m 25s)

[Audio] To guarantee the security of our customers' data, we comply with PCI DSS regulations for storing credit and debit card numbers. We do this through a variety of encryption and tokenization methods to make the card numbers unreadable. Strategies we use include one-way hashes based on strong cryptography, truncation, index tokens and pads, and strong cryptography with associated key-management processes and procedures. Our commitment to data security is a top priority, so make sure to take the necessary steps to guarantee that all card numbers are securely stored.

Page 32 (17m 3s)

[Audio] BankAxept, 2023, follows a strict key management protocol in order to ensure the protection of sensitive financial data. This protocol includes weekly assessments to confirm key rotation dates, as well as the establishment of necessary credentials and key rotation procedures in the event of a breach. Moreover, a documented description of the cryptographic architecture, including details of all algorithms, protocols, and key characteristics, is maintained. Access to cryptographic keys is restricted to only those who have a need to know.

Page 33 (17m 39s)

[Audio] To secure key storage for PCI DSS Training Developer and Operator BankAxept for 2023, we need to ensure that all secret and private keys used to encrypt or decrypt cardholder data are stored using one of three methods: encrypted with a key-encrypting key, within a secure cryptographic device, or as two full-length key components or key shares. All of these methods should be in line with an industry-accepted method. We use Payment HSM Luna (NIST certified) and HSM Gateway for access, policies and procedures. Additionally, it is necessary to maintain an inventory of secure cryptographic devices and their components.

Page 34 (18m 23s)

[Audio] As an expert in key management, BankAxept is committed to securing its customers' data. To this end, we have implemented a comprehensive approach to key management, designed to ensure the highest levels of security. This includes the generation of strong cryptographic keys, secure key distribution, secure storage of keys, rotation of keys that are no longer valid, and manual key management operations with split knowledge and dual control. We also employ truststores and keystores, as well as mutual TLS and PGP, to protect our customers' data. Our procedures are in line with industry best practices, including those defined by NIST Special Publication 800-57.

Page 35 (19m 8s)

[Audio] All parties involved in developing, using or operating BankAxept must be familiar with the procedures and policies for safeguarding stored cardholder data. Our team has compiled a comprehensive guide with policies and operational procedures for PCI DSS Training to ensure the highest level of security. This guide is regularly updated to be in line with the latest security standards.

Page 36 (19m 33s)

[Audio] At BankAxept, we understand that protecting customer data is paramount. That's why we aim to comply with PCI DSS requirements to the highest standard. This includes limiting and encrypting CHD and other sensitive information. In addition, we are also compliant with GDPR regulations. In order to ensure further security, we never store sensitive information in our system. Full PANs must not be available in the same environment as hashed PANs. To ensure all data is protected, it is equally important to secure the encryption key and access credentials.

Page 37 (20m 17s)

[Audio] This slide looks at the third PCI DSS requirement 6 - Develop and maintain secure systems and applications. The objective is to stay updated with security patches and to regularly review the security of your systems. Processes for secure code development should be put in place, as well as identifying and addressing security vulnerabilities and performing security testing. Each of these steps will be discussed in more detail so that they can be implemented accordingly.

Page 38 (20m 47s)

[Audio] At BankAxept, we understand the importance of data security and are dedicated to upholding stringent security requirements. As part of the Payment Card Industry Data Security Standard (PCI DSS), we are required to develop and maintain secure systems and applications. Our team of experts is devoted to developing innovative solutions and improving our existing security infrastructure to ensure all our customers' data is kept safe and secure. We take this responsibility seriously and are committed to providing our customers with the highest possible levels of trust and security.

Page 39 (21m 24s)

[Audio] To ensure a secure system, its dependencies must be regularly scanned. When a severity 7 vulnerability is found, the responsible component is alerted through an email and must resolve the issue within 30 days using a Jira ticket from the assigned template, or through suppression in Jenkins and recorded with a yellow sign. However, this process may hide future vulnerabilities, even those with a higher severity. To prevent this, a system has been put in place to identify security vulnerabilities through external sources, and rate them as 'high', 'medium' or 'low'. Moreover, all software and components should be updated with security patches when released and within one month. A dashboard at http://bax-util-build1.p1.osl.basefar monitors all data.

Page 40 (22m 13s)

[Audio] BankAxept is committed to providing the highest level of security for its customers. To meet this goal, our applications are built and operated in accordance with the PCI Data Security Standard. This includes developing and releasing applications securely, following industry standards and best practices, and using secure authentication and logging methods. Additionally, all custom code is carefully inspected prior to release to ensure any corrections have been properly made and approved. By employing these secure practices, BankAxept can ensure a safe and secure experience for all customers.

Page 41 (22m 53s)

[Audio] We must ensure that our PCI DSS Training Developer and Operator BankAxept processes have rigorous change control and change management processes in place. This requires documenting justifications, back-out procedures, assessments, and the approval of changes from both a technical and business perspective via Jira, and supervising change types: standard, normal, and emergency. All data must be anonymized and changes to system components must be subjected to established change control processes and procedures. Additionally, PROD data must not be used for DEV/TEST and all test data and accounts must be deleted before the system is put into PROD. Finally, changes must be documented, approved by relevant parties, tested for security impacts, and have established back-out procedures.

Page 42 (23m 45s)

[Audio] It is essential for us as effective bank operators to understand the importance of secure coding practices. To make sure our software is as secure as it can be, secure coding practices must be a part of our Software Development Life Cycle. We need to educate our developers and operators in common coding vulnerabilities such as injections, buffer overflows and insecure communications. High risk vulnerabilities as well as web application related vulnerabilities such as cross-site scripting, access control and authentication management must all be considered. Adhering to security guidelines like OWASP, SANS CWE Top and CERT Sec coding will help keep our software secure and compliant.

Page 43 (24m 31s)

[Audio] In order to comply with PCI DSS Training for BankAxept in 2023, we must detect any new or known threats that may be present in the production environment. This will be achieved through quarterly penetration testing, internal audits, and risk assessments. Additionally, a Major Incident Management Procedure has been set in place and automated technical solutions have been implemented to detect and prevent web-based attacks. Lastly, a Security Service Desk has been established to register any security incidents and manage vulnerabilities.

Page 44 (25m 7s)

[Audio] Ensuring that all parties involved in the development and maintenance of the BankAxept system are aware of the security policies in place requires following the procedures outlined in the Confluence page. This is to understand the risks associated with any deviations from the standard practices and to have the necessary knowledge to mitigate these risks.

Page 45 (25m 27s)

[Audio] To ensure the security of our systems, education, awareness, and training are crucial. Having the team discuss and ask each other questions can help to raise their level of consciousness surrounding the potential risks, and how to effectively prevent them.

Page 46 (25m 43s)

[Audio] Reaching the end of our session, we invite you to take part in a post-questionnaire related to the topics we have discussed. Your feedback is invaluable and we thank you in advance for taking the time to complete this survey. Have a great day.