Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Cardholder data stored on the network
As per the scoping exercise, use discovery tools to locate card numbers stored on the network

Data Retention Policy for PCI
http://vpf.mit.edu/site/content/download/11924/50757/file/MITPCISecurityPolicy.pdf

Cryptography and key management – HSM information
– https://wiki.opendnssec.org/display/DOCREF/HSM+Buyers%27+Guide
– https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-solo
– http://security.stackexchange.com/questions/36664/criteria-for-selecting-an-hsm

PKI design for PCI compliance
– http://social.technet.microsoft.com/Forums/windowsserver/en-US/0dfd74c7-5b18-4939-b147-350250f92ee2/pki-design-for-pci-compliancy?forum=winserversecurity

Secure USB
Many sites, e.g. http://secureusb.com.au/

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Buy server certificates
– www.thawte.com/
– www.verisign.com.au
– www.digicert.com/

Configure web servers to only use strong encryption
– http://httpd.apache.org/docs/current/ssl/ssl_howto.html
– http://technet.microsoft.com/en-us/library/cc962039.aspx
– https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Ensure that your servers are not vulnerable to Heartbleed
– https://lastpass.com/heartbleed/
– tif.mcafee.com/heartbleedtest
– safeweb.norton.com/heartbleed

Do not use cleartext protocols
– Remove the use of Telnet and FTP. Use SSH and SFTP.

Wireless security
– Do not use WEP. Use WPA2 with a strong passphrase. Consider using MAC filtering.