PCI Compliance: Technical Overview
RM PCI Calendar
Dec 2005: Began PCI 15.1 development
Feb 2006: Initial PCI Audit
Sept 2006: Official 15.1 PCI Release
Sept 2006: Validation Report sent to VISA
Jan 2007: VISA approves certification
Card Data Compromises
- 40% of all compromises involve a restaurant
- Top 5 compromises:
  - Full track data retention
  - Default accounts
  - Insecure remote access
  - Non-use of security tools (antivirus, encryption)
  - SQL injection
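Full track data retention is the first item on that list, so a useful site check is to scan RM Server logs and exports for retained track 2 data. This is an added example, not code from the ASI slides; the log lines are constructed, the PAN is a well-known test number, and the track 2 layout follows ISO 7813 (sentinel, PAN, separator, YYMM expiry, service code, discretionary data, end sentinel).

```python
import re

# Track 2 (ISO 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
# Matching the whole track instead of a bare digit run keeps false positives
# low: a 16-digit order reference is not track data, ';PAN=YYMM...?' is.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """True when the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Report only first six / last four so the scan itself does not retain PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str) -> list:
    """Return one record per Luhn-valid track 2 string found in text."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, service, _disc = m.groups()
        if not luhn_ok(pan) or not 1 <= int(mm) <= 12:
            continue
        hits.append({"pan_masked": mask_pan(pan), "exp": f"{mm}/{yy}",
                     "service_code": service, "offset": m.start()})
    return hits

# Constructed sample: a debug line leaking a swipe, a harmless order reference
# that happens to be 16 digits, and a digit run that fails the Luhn check.
SAMPLE_LOG = """\
2006-09-14 11:02:51 auth ok txn=8812 amount=42.17
2006-09-14 11:02:51 debug raw=;4111111111111111=251210112345678901234? term=3
2006-09-14 11:03:10 note order ref 4111111111111111 picked up
2006-09-14 11:04:02 debug raw=;4111111111111112=25121010000? term=3
"""

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_LOG):
        print(hit)   # one hit: PAN 411111******1111, expiry 12/25, service code 101
```

A hit means the application or a debug setting is writing swipe data to disk, which is exactly what the compromise statistics above describe.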
Terms and Definitions
- PCI DSS: Payment Card Industry Data Security Standard
- PABP: Payment Application Best Practices
- RM is a validated payment application that meets the PCI PABP
So what is "PCI Compliance"? Hint: it's not simply installing RM 15.1.
The PCI Compliant Site
A restaurant must use a PCI PABP validated POS application, properly configured, implementing proper procedures, and installed following all site-specific PCI guidelines and rules.
That's 4 areas needing attention:
1. Use PABP validated applications
2. Proper configuration
3. Proper procedures
4. Follow site guidelines
1. Use PABP Validated Applications
- Use RM 15.1 (final release Sept 2006 or later)
- Use certified credit card processing gateways (e.g. Mercury Payment Systems, PC Charge, Datacap)
2. Proper Configuration
Follow ASI PCI configuration guidelines:
- RM and Reseller PCI Guidance Doc
- Logging, audit trail
- Admin password expiration
3. Proper Procedures
- Enforce limited access to the RM Server machine
- Internet use from the Server machine
- Remote access (allowed only during an incident)
- No emailing of card data
4. Site Guidelines
- Secure RM Server (credit card server)
  - Physical access
  - Logical access (open ports)
- Firewalled network
- Remote access: 2-factor authentication (VPN + PCAnywhere passwords)
- And wireless ...
4. Site Guidelines (WiFi)
- Enable WPA with key rotation
- Change SSID from default
- Turn off SSID broadcast
- Implement MAC address filtering
- Install firewall services between APs and RM Server
- Port/service restrictions, only: TCP 80, DNS 53, ICMP
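One way to verify that the firewall between the APs and the RM Server really enforces the allow-list on this slide is to audit its flow logs against it. The following is an added example, not part of the ASI deck: the log format and addresses are constructed, and reading "DNS 53" as port 53 over both UDP and TCP is an assumption the slide does not state.

```python
import re
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Allow-list taken from the slide: TCP 80, DNS 53, ICMP.
# Assumptions not stated on the slide: DNS means port 53 over both UDP and
# TCP, and the rule covers traffic crossing the firewall from the AP segment
# toward the RM Server (constructed addresses below).
ALLOWED_PORTS = {("tcp", 80), ("udp", 53), ("tcp", 53)}
AP_SEGMENT = "192.168.2."          # constructed wireless segment
RM_SERVER = "192.168.1.10"         # constructed RM Server address

# Constructed flow-log format: "<hh:mm:ss> <src> -> <dst> <proto>[/<dport>]"
FLOW_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (tcp|udp|icmp)(?:/(\d+))?$")

def parse_flow(line: str):
    """Parse one flow-log line; returns None for lines that do not fit the format."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return Flow(ts, src, dst, proto, int(dport) if dport else None)

def is_allowed(flow: Flow) -> bool:
    """ICMP has no port and is allowed outright; anything else needs a listed proto/port."""
    if flow.proto == "icmp":
        return True
    return (flow.proto, flow.dport) in ALLOWED_PORTS

def audit(log_text: str) -> list:
    """Return the AP-to-RM-Server flows that the firewall should have blocked."""
    violations = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or not flow.src.startswith(AP_SEGMENT) or flow.dst != RM_SERVER:
            continue          # unparsable, or not in scope of this rule
        if not is_allowed(flow):
            violations.append(flow)
    return violations

SAMPLE_FLOWS = """\
10:01:07 192.168.2.20 -> 192.168.1.10 tcp/80
10:01:09 192.168.2.20 -> 192.168.1.10 udp/53
10:01:12 192.168.2.20 -> 192.168.1.10 icmp
10:02:30 192.168.2.45 -> 192.168.1.10 tcp/23
10:02:31 192.168.2.45 -> 192.168.1.10 tcp/445
10:03:00 192.168.1.10 -> 192.168.2.45 tcp/445
garbage line
"""

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v.ts} {v.src} -> {v.dst} {v.proto}/{v.dport} not on allow-list")
```

Any flow the audit reports was accepted by the firewall despite the allow-list, which is the misconfiguration to fix before the site can claim this guideline is met.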
Network w/ WiFi (diagram: Internet, Symbol WS2000)
Thank you
Questions?