Daxko's PCI DSS Responsibilities


According to PCI DSS requirement 12.9, Daxko will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data. All of Daxko's PCI DSS responsibilities have been reviewed and found PCI compliant by a certified third-party QSA (Qualified Security Assessor). The following describes Daxko's PCI DSS responsibilities for the Daxko Operations application.

Requirement 1 Install and maintain a firewall configuration to protect cardholder data

Daxko engages a managed services partner, Hosting.com (Hosting), to manage the hosting environment and equipment. Under this agreement Hosting has exclusive management of the hosting environment's network infrastructure for Daxko Operations servers. The formal process for configuring the firewalls, load balancers, VPN concentrators and similar devices used within the Hosting infrastructure is owned by the Daxko TechOps team. Daxko has verified this formal firewall configuration process and uses a combination of Daxko policies and procedures to meet the PCI DSS requirements.

Daxko also hosts infrastructure components at Amazon Web Services (AWS) that contain PCI data. The formal process for configuring the firewalls used within the Daxko AWS infrastructure is likewise owned by the Daxko TechOps team, which has verified the process and applies the same Daxko policies and procedures to meet the PCI DSS requirements.

A critical criterion in the evaluation of potential hosting partners such as Hosting and AWS was whether the vendor under consideration was PCI DSS compliant. Because Daxko fully outsources those services to a PCI DSS compliant vendor, the hosting partner's compliance covers a subset of the PCI DSS requirements on Daxko's behalf; that subset is limited to the requirements the partner's own attestation of compliance covers, and Daxko remains responsible for the rest.

In accordance with PCI DSS requirements, Daxko has established a formal policy and supporting procedures for production change control. Change control is critical both for regulatory compliance and for fully documenting changes so that they are accountable and traceable. Daxko has therefore developed and implemented a comprehensive change control program for the Daxko Operations application.

Requirement 2 Do not use vendor-supplied defaults for system passwords and other security parameters

Daxko has reviewed and implemented industry-accepted configuration and hardening standards for Daxko Operations server components in order to comply with PCI DSS (Security Standards Council 2017). The security standards, benchmarks and frameworks reviewed include, but are not limited to:
o SANS (SysAdmin, Audit, Network, Security) http://www.sans.org
o National Institute of Standards and Technology (NIST) http://www.nist.gov
o Center for Internet Security (CIS) http://www.cisecurity.org

Requirement 3 Protect stored cardholder data

Daxko ensures that the display of the Primary Account Number (PAN) within Daxko Operations adheres to the following condition in order to comply with PCI DSS (Security Standards Council 2017): PANs displayed on screen are always masked, with the first six and last four digits being the maximum number of digits displayed. Daxko encrypts stored cardholder data in accordance with the PCI DSS requirements (Security Standards Council 2017).

Requirement 4 Encrypt transmission of cardholder data across open, public networks

Daxko employs secure file transmission techniques to ensure the secure delivery of all files produced by the Daxko Operations application. In each case a nightly job generates the files for transmission and encrypts them. The files are then either uploaded to our SFTP site or sent via a web service call. The method of transmission and the format of the files are agreed with the third-party vendor during contract negotiation.
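The PAN display rule under Requirement 3 above (first six and last four digits at most) is easy to get wrong at the edges, for example on 13-digit PANs, on grouped input, or when a last-four-only view is wanted. The following is an added example, not Daxko's or Daxko Operations' code: a masking function that enforces the limit, plus a guard that can be applied to any string about to be rendered. The PANs used are constructed test values. Masking governs display only; a stored PAN must separately be rendered unreadable (truncation, hashing, or encryption), which this example does not cover.

```python
import re

# Added example (not Daxko's code): PAN display masking under PCI DSS 3.2
# Requirement 3.3. At most the first six and last four digits may be shown;
# the digits in between are replaced by a mask character.

PAN_RE = re.compile(r"\d{13,19}")  # card PANs are 13 to 19 digits long

MAX_LEAD = 6   # maximum leading digits PCI DSS allows on a display
MAX_TRAIL = 4  # maximum trailing digits PCI DSS allows on a display


def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL,
             mask_char: str = "*") -> str:
    """Return `pan` with only the first `lead` and last `trail` digits visible.

    Space or hyphen grouping in the input is tolerated and stripped. Raises
    ValueError for anything that is not a 13-19 digit PAN, or for a request
    that would reveal more than the standard allows.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_RE.fullmatch(digits):
        raise ValueError("input is not a 13-19 digit PAN")
    if not (0 <= lead <= MAX_LEAD and 0 <= trail <= MAX_TRAIL):
        raise ValueError("display may reveal at most first six and last four digits")
    hidden = len(digits) - lead - trail  # always >= 3 given the bounds above
    tail = digits[len(digits) - trail:] if trail else ""
    return digits[:lead] + mask_char * hidden + tail


def is_properly_masked(value: str, mask_char: str = "*") -> bool:
    """Guard for output paths: True only if `value` exposes at most six leading
    and four trailing digits around a non-empty masked run, and nothing else."""
    pattern = r"\d{0,%d}%s+\d{0,%d}" % (MAX_LEAD, re.escape(mask_char), MAX_TRAIL)
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    # constructed test PANs of 16, 15 and 13 digits
    for pan in ("4111111111111111", "3782 822463 10005", "4222222222222"):
        print(pan, "->", mask_pan(pan), "| last four only ->", mask_pan(pan, lead=0))
```

The guard is the useful half in practice: wire `is_properly_masked` into the template or API layer that renders card data so that any code path that forgets to call `mask_pan` fails closed rather than leaking a full PAN.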
Requirement 5 Protect all systems against malware and regularly update anti-virus software or programs

Daxko has established a formal policy and supporting procedures for anti-virus software and updates on Daxko Operations servers. Daxko ensures that the anti-virus policy adheres to the conditions required by PCI DSS (Security Standards Council 2017).

Requirement 6 Develop and maintain secure systems and applications

Daxko has established a formal policy and supporting procedures for security patch management on Daxko Operations servers. All patches and security updates are pushed out in a formalized and secure manner, with all critical patches installed within one (1) month of release by the vendor or other approved third party.

Requirement 7 Restrict access to cardholder data by business need to know

Daxko ensures that data control and access control for its team members on Daxko Operations servers adhere to the following conditions in order to comply with PCI DSS (Security Standards Council 2017):
o Access rights for privileged users are restricted to the fewest privileges necessary to perform job responsibilities
o Privileges are assigned to individuals based on job classification and function, i.e. Role-Based Access Control (RBAC)
o An authorization form is required for all access; it must specify the required privileges and be approved by appropriate management
o Access controls are implemented via an automated access control system
o Access control systems are in place on all system components
o Access control systems are configured to enforce the privileges assigned to individuals based on job classification and function
o Access control systems have a default "deny all" setting
o User access to, user queries of, and user actions on databases within the cardholder environment are through programmatic methods only
o Direct access or queries to databases are restricted to database administrators
o Application IDs for databases within the cardholder environment can only be used by the applications, not by individual users or other processes

Requirement 8 Identify and authenticate access to system components

Daxko ensures that its Unique ID and Authentication Methods policy adheres to the following conditions, in order to comply with PCI DSS (Security Standards Council 2017), for all team members who have access to Daxko Operations servers:
o All users are assigned a unique ID for access to system components or cardholder data
o All users are assigned a unique password for access to system components or cardholder data
o Multi-factor authentication is required for remote access (network-level access originating from outside the network) by employees, administrators and third parties
o All passwords are rendered unreadable during transmission and storage on all system components

Requirement 9 Restrict physical access to cardholder data

Daxko outsources product hosting to a managed service provider, Hosting, and to Amazon Web Services (AWS). A critical criterion in the evaluation of potential hosting partners was whether the vendor under consideration was PCI DSS compliant. Because Daxko fully outsources those services to a PCI DSS compliant vendor, the hosting partner's compliance covers a subset of the PCI DSS requirements (physical access to the hosting facilities among them) on Daxko's behalf.

Requirement 10 Track and monitor all access to network resources and cardholder data

Daxko ensures that system auditing for the Daxko Operations application adheres to the following conditions in order to comply with PCI DSS (Security Standards Council 2017). Procedures are in place to ensure all Daxko Operations system components in the cardholder environment are audited for access, with each audit event tied to the individual user accessing the system. Audit trails are implemented for all system components to capture the following events:
o Individual accesses to cardholder data
o All actions taken by any individual with root or administrative privileges
o Access to all audit logs
o Invalid logical access attempts
o Use of identification and authentication mechanisms
o Initialization of the audit logs
o Creation and deletion of system-level objects

Requirement 11 Regularly test security systems and processes

Daxko has partnered with Alert Logic for intrusion detection, to detect and/or prevent intrusions into the Daxko Operations network. Alert Logic monitors all traffic at the perimeter of the cardholder data environment as well as at critical points within it, and alerts Daxko personnel to suspected compromises. Daxko deploys a file-integrity monitoring tool to alert personnel to unauthorized modification of critical Daxko Operations files, configuration files, or content files; it is configured to perform critical file comparisons at least weekly. Daxko executes internal and external network vulnerability scans quarterly for Daxko Operations servers. Through a third-party qualified security assessor, Daxko performs external, internal and application penetration testing of Daxko Operations at least once a year.

Requirement 12 Maintain a policy that addresses information security for all personnel

Daxko takes security seriously and publishes its information security policies on the internal web site for all team members to access and review. New Daxko team members are required to complete a PCI Compliance and Essentials course, and every year all Daxko team members must complete a security awareness refresher course. The Daxko Incident Response Team also undergoes annual security breach training.