The first two requirements of PCI DSS version 3.2.1 fall under the goal of building and maintaining a secure network and systems. You'll learn what each requirement asks for and get practical guidance from experienced PCI assessors.
The key to achieving PCI DSS compliance is a thorough knowledge of each sub-requirement and of how it will be assessed. In this course, PCI DSS: Infrastructure Security, you'll learn how to interpret PCI DSS requirements 1 and 2 and apply them to your organization. First, you'll learn how PCI DSS expects a firewall configuration to be built and maintained to protect cardholder data. Next, you'll explore the requirement not to use vendor-supplied defaults for system passwords and other security parameters. Finally, you'll discover practical insights about both requirements from experienced PCI assessors.
When you’ve finished with this course you will have the skills and knowledge to apply PCI DSS requirements 1 and 2 to any organization’s environment and to determine whether it is compliant with the demands of the standard.
Course Overview

John Elliott: Hello. My name is John Elliott. Welcome to the course, PCI DSS: Infrastructure Security. I'm a data protection specialist with a particular interest in protecting payment card data. In this course, I bring together the theoretical knowledge of PCI DSS requirements 1, 2, 3, and 4, along with practical experience of how the standard really works.

Jacob Ansari: And I'm Jacob Ansari. I'm a Qualified Security Assessor, or QSA, with Schellman & Company, and I'm qualified to assess many of the PCI standards, including PCI DSS, PA-DSS, and P2PE. I've been an assessor for 14 years, and I've been doing this since the predecessor standards to PCI DSS.

John Elliott: In this course, we will cover PCI DSS requirement 1, which is concerned with how firewalls are deployed and managed. We'll also go through requirement 2, removing the default settings from hardware, operating systems, and applications, so reducing the attack surface. We're going to look at how to protect cardholder data at rest by deletion, truncation, tokenization, and encryption, and at protecting cardholder data in transit. For each PCI DSS requirement, I'm going to cover what the standard says, what it means, and what will be assessed by a QSA. Then Jacob and I will discuss some of the key practical aspects of getting compliant and being assessed. Ideally, you'll already understand the basics of payment card processing and PCI DSS, but if you just want to get to grips with a requirement, you'll be able to jump straight in with no problems. By the end of this course, you'll have a great understanding of both the theory and the practice to help you implement the infrastructure requirements of PCI DSS. We do hope you will join us to learn the theory and practice behind PCI DSS requirements 1, 2, 3, and 4 with the PCI DSS: Infrastructure Security course, here at Pluralsight.