Slide 1

PCI and Security Experiences at 2Checkout.com
Warner W. Moore, Sr. Manager, Enterprise Architecture, 2Checkout.com, Inc.

Slide 2

Introduction
I've been working in IT for over 10 years, specializing in security, high availability, and Open Source technologies. I've been working with PCI since its inception. 2Checkout.com provides online payment services. We're serious about security. So serious, we use it as a selling point.

Slide 3

What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS) is a comprehensive security standard that governs organizations which process credit card transactions. While PCI DSS does not govern all industries, it covers many fundamentals that can be considered essential to a secure technology environment in any industry.

Slide 4

PCI Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Slide 5

PCI Requirements

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security

Slide 6

Culture of Security
With the introduction of PCI to 2Checkout in 2005, we created a culture of security through education and training. This was further enabled by support from all levels of management: we backed the policies that enable security with our actions and our funding. This culture of security has enabled our continual compliance while reducing risk throughout the company. Auditors who witness the staff's security awareness gain confidence in the program.

Slide 7

Some Essentials
While there are many methods specific to different platforms and businesses, there are some essentials that I have consistently found valuable. You must first address the fundamentals! (No default passwords, and update your software.) Some of these essentials include:
• Central logging (read your logs!)
• Host-based (filesystem) IDS
• Security standards enforced consistently
• Production change control
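The "host-based (filesystem) IDS" item above is the one most people have never seen from the inside, so here is a minimal illustration of what such a tool does. This is an added example written for this page; it is not 2Checkout's tooling and not the code of any real IDS product. It assumes nothing beyond the Python standard library: it records a baseline of SHA-256 digests, permission bits and sizes for every regular file under a directory, then rescans and reports files that were added, removed or modified (including a permission-only change such as a newly set setuid bit, which a hash-only check would miss). The demo builds a small constructed tree in a temporary directory, so it runs offline; in production the baseline would be stored off-host and the scan run on a schedule, with the report feeding the central logging the slide also calls for.

```python
"""Minimal host-based filesystem integrity checker (added illustration).

Baseline -> rescan -> diff, the core loop of a filesystem IDS. Uses only the
standard library; the sample tree and the changes made to it are constructed
for the demo and do not represent any real system.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Digest, permission bits and size of one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid/sticky
        "size": st.st_size,
    }


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its fingerprint."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # the target lives elsewhere; only regular files are recorded
            baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        k for k in set(baseline) & set(current) if baseline[k] != current[k]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a tree, make the kinds of changes an IDS
    should flag, rescan, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-fake-binary")  # constructed stand-in
        baseline = build_baseline(root)

        # Changes after the baseline was taken (all constructed):
        # 1. an extra uid-0 account appended to passwd -> content change
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nextra:x:0:0::/:/bin/sh\n"
        )
        # 2. setuid bit set on a binary whose bytes are unchanged -> mode-only change
        os.chmod(root / "bin" / "ls", 0o4755)
        # 3. a config file deleted -> removed
        (root / "etc" / "app.conf").unlink()
        # 4. an unexpected new executable -> added
        (root / "bin" / "nc").write_bytes(b"unexpected new file")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The mode-only case is the one worth remembering: `bin/ls` has identical bytes before and after, so a checker that stores only hashes reports nothing, while one that also records permission bits flags the setuid change. Real tools add inode, owner, mtime and extended attributes to the fingerprint for the same reason.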

Slide 8

Closing
Keeping technology secure is important work. Demand is growing, which is further fostered by PCI and other compliance standards. Security knowledge is expected of all IT staff.

Slide 9

All Done
Questions?