
Payment Card Industry Data Security Standard PCI DSS V3.2.1 Training Course

By participating in this training, you will learn the control requirements of the PCI DSS standard and the processes by which compliance with them is audited.

COURSE AIM

This training is delivered over 2 days.

The Payment Card Industry Data Security Standard (PCI DSS) training covers determining the organization's audit scope and the environments in which cardholder data is present, the v3.2.1 requirements, and an overview of the controls that can be applied to meet those requirements.

WHO SHOULD ATTEND?

  • Internal auditors who perform Information Technology (IT) audits of your organization,
  • Project managers and audit personnel who will accompany the PCI DSS audit,
  • Specialists in units involved in PCI DSS compliance (security, network, systems management, software development, etc.),
  • Technical staff in your organization's Risk and Compliance department.

COURSE CONTENT

Introduction to PCI DSS

  • Overview of the PCI Security Standards Council and the PCI Data Security Standard,
  • PCI terminology and relationships with the card brands.

Card Brand Compliance Programs, Requirements and Processes

  • Visa CISP/AIS program and requirements,
  • Mastercard SDP program and requirements,
  • American Express DSP program and requirements,
  • SAQ (Self-Assessment Questionnaire) forms,
  • ASV (Approved Scanning Vendor) scans.

PCI DSS v3.2.1 Training

  • Prioritization Form,
  • Onsite Inspection,
  • ROC (Report on Compliance),
  • AOC (Attestation of Compliance).

Security Breaches and Vulnerabilities

  • Security breaches and their costs,
  • Targeted assets,
  • Examples,
  • What to do in the event of a breach.

Sensitive Data

  • Track Data,
  • Primary Account Number (PAN),
  • Luhn formula,
  • Security Code (CAV2/CID/CVC2/CVV2).

Compliance and Compliance Validation Process

  • Scope,
  • Network segmentation,
  • Sampling,
  • The effect of service providers on compliance,
  • Compliance as part of daily business processes,
  • Auditing and reporting.

PCI DSS Requirements

  • Build and Maintain a Secure Network,
  • Firewall and network router controls,
  • System hardening and configuration controls for systems in the cardholder data environment,
  • Protect Cardholder Data,
  • Process controls for the storage, encryption, display and disposal of cardholder data,
  • Encryption and transmission controls for cardholder data sent over open networks,
  • Maintain a Vulnerability Management Program,
  • Anti-virus system controls,
  • System patching, application development, testing, change management and security controls,
  • Implement Strong Access Control Measures,
  • Cardholder data access controls,
  • Management controls for remote access systems and for operating system, application and database user accounts,
  • Physical access and security controls, and media storage, distribution and disposal controls,
  • Regularly Monitor and Test Networks,
  • Logging, log review and retention controls for security systems, operating systems, applications, databases and access to cardholder data,
  • Security testing and monitoring controls,
  • Maintain an Information Security Policy,
  • Information security management structure, roles and responsibilities, risk management and documentation management controls.

Compensating Controls

  • Where they apply and how they are applied,
  • Requirements.

Service Providers and Additional Controls

  • Shared hosting service providers,
  • Additional requirements that service providers must comply with.

For more information, you can contact us at training@cfecert.co.uk.
