PCI Basics
Grubhub and PCI
PCI DSS v4
PCI TLAs
PCI Potpourri
100

Who does PCI DSS apply to?

All entities that store, process and/or transmit cardholder data.

100

Why does Grubhub have to comply with PCI DSS standards?

Grubhub accepts credit card payments

100

When does PCI DSS v4 go into effect?

April 1, 2024 (phase 1) and April 1, 2025 (all)

100

What does PCI DSS stand for?

Payment Card Industry Data Security Standard

100

True or False:
Your Security Awareness training is a requirement for PCI compliance

TRUE

200

How many PCI requirements are there?

12 major requirements

200

Who is responsible for the security of credit card payments at Grubhub?

Everyone at Grubhub.

200

Who is ultimately accountable for maintaining PCI compliance?

Executive Leadership

200

What is the unique number on credit and debit cards that identifies the cardholder account called?

Primary Account Number or PAN

200

How would a Grubhub employee get access to the CDE?

Submit a Service Desk ticket

300

What is an example of a PCI violation?

Credit Card information stored on your Grubhub laptop / workstation.

300

Who are Grubhub's payment processors?

Braintree (PayPal), Stripe, Worldpay

300

Will the new requirement mandating that all internal vulnerability scanning be performed using authenticated scanning impact Grubhub?

False - Grubhub already does authenticated scanning

300

What is MFA / 2FA?

Multi Factor Authentication / Two Factor Authentication

300

True or False:
It's okay to temporarily save a credit card number in a Google Doc for a diner or Corp client if you delete it within 48 hours

FALSE - It is never OK to store credit card numbers

400

What are the five major credit card companies that came together to form the PCI council?

MasterCard, American Express, Visa, JCB International and Discover

400

What are some of the services that are in Grubhub's PCI scope?

Tokenizer, Payments, Corp Self Service, Umami, cciframe

400

What are some of the new requirements and elements in PCI DSS v4?

Requirements RACI, Targeted Risk Analysis, Script Inventories, Semi-Annual Scope Review, HW and SW Inventories, System and App Account Management, Certificate Inventory, etc.

400

What does CDE stand for?

Cardholder Data Environment

400

If the device you use for Okta Verify or Duo is lost or stolen, what should you do?

Reach out to your manager and Service Desk

500

What credit card elements can never be stored?

Card Verification Code (CVV/CV2), Full Track, PIN Block

500

How would you report a suspected breach of credit card information?

Report it on Slack in #tech-oncall and include @cybersecurity

500

How can Grubhub meet PCI specific requirements using new technologies and processes? (Example - Zero Trust)

Use the Customized Approach

500

Credit Card Account Data is divided into two elements, SAD & CHD. Which element can never be stored after authorization?

SAD (Sensitive Authentication Data)

500

Which of the two PCI compliance reports can be shared with Grubhub partners such as Corporate clients, Merchants, etc.?

Attestation of Compliance (AoC)
