PCI DSS Business as Usual

© 2019 ControlCase All Rights Reserved
PCI DSS Business as Usual
Webinar
Your IT Compliance Partner –
Go Beyond the Checklist

Our Agenda 2
4
2
3
Your IT Compliance
Partner –
Go beyond the
checklist
ControlCase Introduction
About PCI DSS
PCI DSS Business as Usual by
Requirement Number
Key Implementation Tips
ControlCase Solution5
1

ControlCase Introduction1

ControlCase Snapshot 4
Certification and ContinuousCompliance Services
Go beyond the auditor’s checklist to:
Dramatically cut the time, cost and burden from becoming certified and
maintaining IT compliance
• Demonstrate compliance more efficiently
and cost effectively (cost certainty)
• Improve efficiencies
• Do more with less resources and gain
compliance peace of mind
• Free up your internal resources to focus
on their priorities
• Offload much of the compliance burden
to a trusted compliance partner
1000+
Clients
275+
Security Experts
10,000+
IT Security Certifications

Solution - Certification and Continuous Compliance Services 5
“I’ve worked on both sides of
auditing. I have not seen any
other firm deliver the same
product and service with the
same value. No other firm
provides that continuous
improvement and the level of
detail and responsiveness.”
Security and Compliance
Manager, Data Center

Certification Services 6
OneAudit – Collect Once, Certify Many
PCI DSS ISO 27001 &
27002
SOC 1, SOC 2, SOC 3,
& SOC for Cybersecurity HITRUST CSF
HIPAA PCI P2PE GDPR NIST 800-53
PCI PIN PCI PA-DSS FedRAMP PCI 3DS
“You have 27 seconds to make a
first impression. And after our
initial meeting, it became clear
that they were more interested
in helping our business and
building a relationship, not just
getting the business.”
Sr. Director, Information Risk &
Compliance, Large Merchant

About PCI DSS2

What is PCI DSS
8
8
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting
payment card account data
• Established by leading payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)

PCI DSS Requirements 9
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security
parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management
program
5. Use and regularly update anti-virus software on all systems commonly affected
by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy 12. Maintain a policy that addresses information security

PCI DSS Business as Usual by Requirement Number3

PCI Council Guidance on BAU 11
Monitoring of
security controls
• Firewalls
• IDS/IPS
• File Integrity Monitoring (FIM)
• Anti Virus
Ensuring failures
in security
controls are
detected and
responded
• Restoring the security control
• Identifying the root cause
• Identifying any security issues because of
the failure
• Mitigation
• Resume monitoring of security control
• Segregation of duties between detective and
preventive controls

PCI Council Guidance on BAU 12
Review changes to
environment
• Addition of new systems
• Changes or organizational structure
• Impact of change to PCI DSS scope
• Requirement applicable to new scope
• Implement any additional security controls
because of change
• New hardware and software (and older ones)
continue to be supported and do not impact
compliance
Periodic reviews
• Configuration
• Physical security
• Patches and Anti Virus
• Audit logs
• Access rights

Requirement 1: Firewalls 13
People
- PCI project manager to
escalate non-compliance
- Segregation of duties
between operations
performing change and
compliance personnel
reviewing change
Process
- PCI impact analysis as part
of firewall change
management process
Technology
- Automated/Periodic ruleset
reviews
- Weekly port scans from
CDE to Internet to verify no
outbound connections

Requirement 2: Configuration Scans 14
People
Process
- Periodic update to
configuration standards
- New infrastructure
onboarding process to
include PCI configuration
standards check
Technology
- Automated/Periodic
configuration scans
- Reminders to update
configuration standards quarterly
- Technology to flag new assets
that have not formally undergone
PCI configuration standards
check

Requirement 3: Protect Stored Cardholder Data 15
People
escalate non-compliance to
highest levels within
organization
Process
- Periodic false positive
management
- Search for cardholder data
during roll out tests/quality
assurance
Technology
- Automated/Periodic
cardholder data scans
- Alerts in case of new
cardholder data found

Requirement 4: Protect Cardholder Data In Transmission 16
People
- Training to ensure
personnel do not email/chat
clear text card data
- Personnel allocated to
review outbound data at
random
Process
- Periodic review of modes of
transmission i.e. wireless,
chat, email etc.
Technology
- Automated technology to
monitor transmission of
card data through perimeter
(e.g. email, chat monitoring)

Requirement 5: Antivirus and Malware 17
People
Process
- Process to ensure all
assets are protected by
antivirus
- Process to implement
antivirus and anti-malware
on all new systems being
deployed
Technology
- Technology to detect any
systems that do not have
anti virus/anti malware
installed

Requirement 6: Secure Applications 18
People
- Segregation of
development and security
duties
- Periodic training of
developers to security
standards such as OWASP
Process
- Continuous scanning of
applications
- Scanning of applications as
part of SDLC
- Code review as part of
SDLC
- Review of QA/test cases on
a periodic basis to ensure
all of them have a security
checkpoint and approval
Technology
- Application scanning
software
- Code review software
- Identification of instances
where changes have
occurred to applications
- Application firewalls

Requirement 7 & 8: Access Control and User IDs 19
People
- Segregation of personnel
provisioning IDs and review
of user access
Process
- Periodic review of user
access
- Attestation of user access
- Onboarding procedures
- Termination procedures
Technology
- Role based access control
- Single sign on
- Use of LDAP/AD/TACACS
for password management

Requirement 9: Physical Security 20
People
- Designation of a person at
every site as a site
coordinator
Process
- Periodic walkthroughs and
random audits of physical
security
- Weekly review of CCTV
and badge logs
- Periodic review of scope
Technology
- Alarms to report
malfunction of devices such
as cameras and badge
access readers

Requirement 10: Logging and Monitoring 21
People
- Personnel to actively
monitor logs 24/7/365
Process
- Periodic review of asset
inventory
- Periodic review of scope
- Process to ensure logs from all
assets are feeding the SIEM
solution
- Restoration of logs from 12
months back every week/month
Technology
- Security and Event
Management (SIEM)
- Technology to identify new
assets not covered within
SIEM

Requirement 11: Vulnerability Management 22
People
- Segregation of personnel
responsible for scanning vs
remediation of anomalies
Process
- Ongoing review of target
assets vs asset inventory
for appropriateness/change
- Periodic testing of IDS/IPS
effectiveness through
random penetration
tests/vulnerability scans
Technology
- Automated scanning
technology
- Technology to manage
false positives and
compensating controls
- Asset management
repository
- File Integrity Monitoring
(FIM) technology

Requirement 12: Policies and Procedures 23
People
- Coordination between
procurement and
compliance personnel
Process
- PCI DSS requirements tied
to procurement process
- PCI anomalies to be
tracked within vendor/third
party management solution
Technology
- Vendor management/Third
party management solution

Key Implementation Tips4

Key Quarterly Themes 25
Segregation
of duties
Technology
operating
effectively
Automation
Dedicated
PCI project
manager
Repeatability
Periodic
Reviews

Calendar of Reminders Tracking Back to Controls 26

Dashboard for Tracking Activities 27

ControlCase Solution5

Predictive Continuous Compliance Services 29
70%
Of company’s assets are non-
compliant at some point in the year.
• Address common non-compliant situations that leave you
vulnerable all year long, including:
• In-scope assets not reporting logs
• In-scope assets missed from vulnerability scans
• Critical, overlooked vulnerabilities due to volume
• Risky firewall rule sets go undetected
• Non-compliant user access scenarios not flagged
• Go beyond monitoring and alerting to predict, prioritize
and remediate compliance risks before they become
security threats
“The continuous compliance
monitoring is a big value add
to their audit and certification
services, which is good for
organizations that don’t have
the team in-house. It’s a big
differentiator for them.”
VP of IT, Call Center/BPO
Company
Automation-
DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Continuous Compliance
Services

Predictive Continuous Compliance Services 30
Automation-
DrivenSkyCAM
Partnership
Approach
IT Certification
Services
Continuous Compliance
Services
What is Continuous Compliance
 Quarterly review of 20-25 high impact/high risk questions
 Technical review of vulnerability scans, log management, asset list and other available automated
systems
Benefits of Continuous Compliance
 Eliminates the need for potential major last minute audit findings
 Reduces effort for final audit by approximately 25%
 Reduces the risk of technical shortcomings such as,
 Quarterly scans missed certain assets
 Logs from all assets not reporting
Deliverable of Continuous Compliance

Automation-driven 31
SkyCAM IT Compliance Portal — Automation-driven certification and continuous compliance

Summary – Why ControlCase 32
“They provide excellent service, expertise and technology. And, the
visibility into my compliance throughout the year and during the audit
process provide a lot of value to us.”
Dir. of Compliance, SaaS company
Your IT Compliance Partner –
Go beyond the auditor’s checklist

Email
contact@controlcase.com
Telephone
Americas +1.703-483-6383
India: +91.22.50323006
Social Media
Conection Suport
www.facebook.com/user
www.linkedin.com/user
Visit our website
www.controlcase.com
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE
TO YOUR
IT COMPLIANCE PROGRAM

PCI DSS Business as Usual

PCI DSS Business as Usual

Recommandé

Contenu connexe

Tendances

Tendances(20)

Similaire à PCI DSS Business as Usual

Similaire à PCI DSS Business as Usual(20)

Plus de ControlCase

Plus de ControlCase(15)

Dernier

Dernier(20)

PCI DSS Business as Usual

Notes de l'éditeur