PCI DSS Updates

Submitted by smsharif on Thu, 05/07/2009 - 20:30.

Some important items worth noting:

  • The core idea of PCI DSS (Requirement 3.4) is to render the primary account number (PAN) unreadable anywhere it is stored. The accepted ways to do that are strong one-way hashing, truncation, index tokens and pads, and strong cryptography with proper key management. Be aware that a hashed PAN and a truncated copy of the same PAN stored together can be brute-forced back to the full PAN (with the BIN and last four known, only about 100,000 Luhn-valid candidates remain), so the two need additional controls if they coexist.
  • PCI DSS is the standard itself.
  • AIS (Visa's Account Information Security program) is the enforcement program; the card brands, not the PCI SSC, enforce compliance and levy fines.
  • Sensitive authentication data that may never be stored after authorization, even encrypted, unless you are a card issuer:
    • Full track data from the magnetic stripe (or the equivalent data on a chip)
    • Card verification code (CVV2/CVC2/CID)
    • PIN/PIN block
  • The incident response plan required by Requirement 12.9 must follow the card brands' compromise procedures; the guidance noted here is to notify your acquirer of a possible breach within 24 hours.
  • PCI DSS has 12 top-level requirements broken into roughly 230 sub-requirements and testing procedures.
  • PCI DSS is based on fundamental data security practices:
    1. Data controls
    2. Network controls
    3. System level controls
    4. Application controls (Code reviews, app testing)
    5. Policies
    6. Physical Controls
  • Visa's Payment Application Best Practices (PABP) have been moved from "best practices" into a formal security standard managed by the PCI SSC, the Payment Application Data Security Standard (PA-DSS).
  • The PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protection, including PCI DSS.
  • Suggested Tools for Network Monitoring:
    • Vericept
    • Trustwave
    • Vontu
    • 403labs
  • Suggested Tools for System Hardening:
  • Encryption Vendors
    • RSA
    • SafeNet (Ingrian)
    • Vormetric
    • nuBridges
    • Decru
    • nCipher
    • Entrust
  • Web-application firewalls
  • Logging Tools
  • File Integrity Monitoring (PCI Requirement 11.5; Requirement 10.5.5 also calls for it on log files, while 10.1 through 10.7 cover logging itself)
    • FTimes
    • AIDE
    • Tripwire
    • GFI
    • Symantec ESM
    • Symantec Intact
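Added example, not code from the original post or from any vendor listed above: the first item in the list says PAN must be rendered unreadable by hashing, truncation or encryption. The block below implements truncation and both unkeyed and keyed hashing in Python, then shows why a truncated PAN and a plain hash of the same PAN must not be stored side by side. The PAN is the widely published Visa test number 4111 1111 1111 1111 (a constructed input, not a real card), and HMAC_KEY is a hypothetical stand-in for a key managed under Requirements 3.5 and 3.6. Encryption is not shown because the Python standard library has no AES.

```python
# Added example (not from the original post): PAN truncation, hashing,
# and the brute-force that links a truncated PAN back to a plain hash.
import hashlib
import hmac
import itertools
from typing import Callable, Optional

# Constructed input: the widely published Visa test number, not a real card.
TEST_PAN = "4111111111111111"
# Hypothetical key; in production it would come from an HSM or key server
# managed under PCI DSS Requirements 3.5 and 3.6, never from the same database
# that holds the hashed PANs.
HMAC_KEY = b"example-key-managed-outside-the-cardholder-db"


def luhn_check(pan: str) -> bool:
    """Luhn mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation as allowed by Requirement 3.4: keep the BIN (first six)
    and the last four digits, mask everything in between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan_plain(pan: str) -> str:
    """Unkeyed SHA-256: 'unreadable' only until someone enumerates PANs."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


def hash_pan_keyed(pan: str, key: bytes = HMAC_KEY) -> str:
    """HMAC-SHA-256: without the key no dictionary of digests can be built."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str,
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: given a truncated PAN and a digest of the same PAN,
    enumerate the masked middle digits, skip Luhn-invalid candidates (nine
    out of ten), and compare digests. Returns the full PAN or None."""
    prefix, suffix = truncated[:6], truncated[-4:]
    hidden = len(truncated) - 10
    for middle in itertools.product("0123456789", repeat=hidden):
        candidate = prefix + "".join(middle) + suffix
        if luhn_check(candidate) and hmac.compare_digest(hash_fn(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    trunc = truncate_pan(TEST_PAN)
    print("stored truncated PAN  :", trunc)
    # Plain hash next to the truncated PAN: the full PAN comes straight back.
    print("plain SHA-256 recovers:",
          recover_pan(trunc, hash_pan_plain(TEST_PAN), hash_pan_plain))
    # Keyed hash: the same search with a wrong (or no) key exhausts all
    # candidates and returns None.
    print("HMAC with wrong key   :",
          recover_pan(trunc, hash_pan_keyed(TEST_PAN),
                      lambda p: hash_pan_keyed(p, b"guess")))
```

The search over a 16-digit PAN is at most a million candidates, and only a tenth of them survive the Luhn filter and need hashing, so it finishes in seconds on a laptop. A salt stored next to the digest does not change that, because the attacker who has the table has the salt too; what stops the attack is a secret key (or a tokenization service) kept outside the data store the digests live in, which is exactly the key-management burden the standard attaches to the cryptographic options.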