Just attended a PCI-DSS workshop organized by VISA; wow, it sure was worth it. I have read the PCI-DSS docs a number of times, but the whole classroom experience was very valuable.
Some important items worth noting:
- The idea behind the PCI program is to “render the credit card data unreadable”; the ways you can accomplish this are encryption, hashing, and truncation.
- PCI DSS – Is the standard itself
- AIS – Is the enforcement program
- Data that can never be stored, unless you are a credit card issuer:
  - Mag-stripe data
  - CVV2
  - PIN/PIN block
- As per the requirements, you must notify your acquirer of a possible breach within 24 hours
- PCI DSS has about 230 requirements
- PCI DSS is based on fundamental data security practices:
  - Data controls
  - Network controls
  - System-level controls
  - Application controls (code reviews, app testing)
  - Policies
  - Physical controls
- VISA is moving PABP from “best practices” into a formal security standard managed by the PCI SSC as the Payment Application Data Security Standard (PA-DSS)
- PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protection, including the PCI DSS
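As an added example (my own code, not material from the workshop or the PCI SSC), here is what "render the card data unreadable" and "never store mag-stripe/CVV2/PIN" look like when applied to a record before it hits storage or a log: prohibited fields are dropped, the PAN is truncated to first six/last four, and a keyed hash (HMAC-SHA-256, my choice of hashing; the key is assumed to live outside the data store) is kept for matching. The test PAN and field names are constructed.

```python
import hashlib
import hmac

# Fields the workshop notes say must never be stored (issuers excepted).
PROHIBITED_FIELDS = {"track_data", "cvv2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, so only real-looking PANs are treated as card data."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, secret: bytes) -> str:
    """Keyed hash of the PAN; the key (assumed) is held outside the data store."""
    digits = "".join(c for c in pan if c.isdigit())
    return hmac.new(secret, digits.encode(), hashlib.sha256).hexdigest()


def scrub_record(record: dict, secret: bytes) -> dict:
    """Drop never-store fields and replace the PAN with truncated form plus hash."""
    out = {k: v for k, v in record.items() if k not in PROHIBITED_FIELDS}
    pan = out.pop("pan", None)
    if pan is not None and luhn_valid(pan):
        out["pan_truncated"] = truncate_pan(pan)
        out["pan_hash"] = hash_pan(pan, secret)
    return out


if __name__ == "__main__":
    # Constructed sample record; 4111111111111111 is a well-known test number.
    sample = {"pan": "4111 1111 1111 1111", "cvv2": "123",
              "track_data": "%B4111...", "amount": "10.00"}
    print(scrub_record(sample, b"demo-key-kept-elsewhere"))
```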