SlideShare une entreprise Scribd logo

Performing PCI DSS Assessments Using Zero Trust Principles

Télécharger en tant que PPTX, PDF
ControlCase
ControlCase

- PCI DSS Requirements & Secure Remote Working - Assessments In Work From Home (WFH) Scenario - Remote Security Testing - Key Aspects For Remote Assessments

Technologie
1  sur  34
PERFORMING PCI DSS ASSESSMENTS USING ZERO TRUST PRINCIPLES YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
ControlCase Introduction Zero Trust Principles by PCI Requirement About PCI DSS Current State ControlCase Remote Assessment Methodology AGENDA © 2020 ControlCase. All Rights Reserved. 2 1 2 3 4 5
1 CONTROLCASE INTRODUCTION © 2020 ControlCase. All Rights Reserved. 3
ControlCase Snapshot CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. © 2020 ControlCase. All Rights Reserved. 4 • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 275+10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
Solution - Certification and Continuous Compliance Services © 2020 ControlCase. All Rights Reserved. 5 “I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center Certification and Continuous Compliance Services
Certification Services One Audit™ Assess Once. Comply to Many. © 2020 ControlCase. All Rights Reserved. 6 “You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant PCI DSS ISO 27001 & 27002 SOC 1,2,3 & SOC for Cybersecurity PCI SSF HIPAA PCI P2PE GDPR NIST 800-53 PCI PIN PCI PA-DSS CSA STAR Microsoft SSPA
ABOUT PCI DSS2 © 2020 ControlCase. All Rights Reserved. 7
What is PCI DSS Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Maintained by the PCI Security Standards Council (PCI SSC) • Established by leading payment card brands © 2020 ControlCase. All Rights Reserved. 8
PCI DSS Requirements © 2020 ControlCase. All Rights Reserved. 9 CONTROL OBJECTIVES REQUIREMENTS Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security
CURRENT STATE3 © 2020 ControlCase. All Rights Reserved. 10
Current State Many companies are implementing work-from-home policies, which challenge traditional IT Compliance and Cyber Security programs. © 2020 ControlCase. All Rights Reserved. 11 Organizations are expected to consider and review their processes on remote work. Due to restrictions on travel and physical meetings as a result of the coronavirus, PCI SSC has published guidance for assessors on the topic of remote assessments.
Automation In Remote Assessments © 2020 ControlCase. All Rights Reserved. 12 ACE • Automated Compliance Engine • Can collect evidence such as configurations remotely CDD • Data Discovery Solution • Can scan end user workstations for card data VAPT • Vulnerability Assessment & Penetration Testing • Can perform remote vulnerability scans and penetration tests LOGS • Log Analysis and Alerting • Can review log settings and identify missing logs remotely 1 2 3 4
ZERO TRUST PRINCIPLES PER PCI DSS REQUIREMENT 4 © 2020 ControlCase. All Rights Reserved. 13
PCI DSS Requirements © 2020 ControlCase. All Rights Reserved. 14 CONTROL OBJECTIVES REQUIREMENTS Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security
Personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the internet when outside the network and which are used to access the Cardholder Data Environment (CDE). Only required Inbound and Outbound access control rules are required to be configured on the personal firewall running on such workstations. Employees should not be able to disable or modify the configuration of personal firewall software. Requirement 1: Firewalls © 2020 ControlCase. All Rights Reserved. 15
Requirement 2: Configuration Scans © 2020 ControlCase. All Rights Reserved. 16 System configuration standards approved by organizations must be enforced on WFH users’ workstations. Maintain the inventory of workstations.
Increase the frequency of card data discovery scanning. Establish process to run automated secure data disposal on disks of workstations for WFH users. Reduce the exposure of full card numbers. Requirement 3: Protect Stored Cardholder Data © 2020 ControlCase. All Rights Reserved. 17
Applications accessible over internet should be accessed using HTTPS (TLS v1.2). Use VPN Connection with encryption for WFH users. Prohibit use of unofficial email and end-user messaging applications for sharing cardholder data. Requirement 4: Protect Cardholder Data In Transmission © 2020 ControlCase. All Rights Reserved. 18
Requirement 5: Antivirus and Malware © 2020 ControlCase. All Rights Reserved. 19 All systems should have an Anti-Virus solution installed and regularly updated. Users should not be able to disable the Anti-virus solution.
Requirement 6: Secure Applications © 2020 ControlCase. All Rights Reserved. 20 Regular patch management must be completed on WFH user workstations. Ensure that development workstations are not able to access remote production environments.
Requirement 7: Access Control © 2020 ControlCase. All Rights Reserved. 21 No regular user (except power users) should be able to access any system within CDE that stores, processes or transmits bulk cardholder data. Need-to-know basis access along with least privileges must be implemented to restrict access to cardholder data for WFH users.
Requirement 8: User IDs © 2020 ControlCase. All Rights Reserved. 22 All the WFH users must use two factor authentication to connect to cardholder data environment.
No realistic way to control physical access of personnel working from home. Ensure controls (such as Citrix) are in place that full cardholder data cannot be viewed or downloaded when working from home. Data Center reviews may have to be done using mobile cameras and or CCTV images/ photographs (with time stamp) based evidence. Requirement 9: Physical Security © 2020 ControlCase. All Rights Reserved. 23
Requirement 10: Logging and Monitoring © 2020 ControlCase. All Rights Reserved. 24 Ensure all user activities done on WFH workstations are logged. Ensure all WFH workstations are synchronizing time with designated NTP server.
Requirement 11: Vulnerability Management © 2020 ControlCase. All Rights Reserved. 25 Internal vulnerability assessment and penetration testing must be conducted for WFH workstations. Penetration tests emulating a work from home user scenario must be performed.
Requirement 12: Policies and Procedures © 2020 ControlCase. All Rights Reserved. 26 Provide Information Security Awareness Training to WFH users on how to secure their wireless network (if any).
CONTROLCASE REMOTE ASSESSMENT METHODOLOGY 5 © 2020 ControlCase. All Rights Reserved. 27
1 Automation (Remote scanning, evidence collection & testing) 2 Mechanisms to enable remote assessment (CCTV, phone cameras etc.) 3 Continuous compliance controls (such as more frequent user access reviews, scans and firewall ruleset reviews) 3 Key Areas Of Focus © 2020 ControlCase. All Rights Reserved. 28
1. Automation-driven for Remote Work From Home Testing © 2020 ControlCase. All Rights Reserved. 29 ACE • Automated Compliance Engine • Can collect evidence such as configurations remotely CDD • Data Discovery Solution • Can scan end user workstations for card data VAPT • Vulnerability Assessment & Penetration Testing • Can perform remote vulnerability scans and penetration tests LOGS • Log Analysis and Alerting • Can review log settings and identify missing logs remotely 1 2 3 4
2. Mechanisms to Enable Remote Assessments © 2020 ControlCase. All Rights Reserved. 30 Assessors should maintain their structure for an onsite audit but instead use video calling and screen sharing to provide evidence and conduct interviews as a part of the assessment. Data Center reviews may have to be done using mobile cameras and or CCTV images/photographs (with time stamp) based evidence. Prepare for additional time interviewing vis a vis traditional face to face interviews. Technology to upload and manage evidence to be shared between assessor and organization.
3. Continuous Compliance Enablement © 2020 ControlCase. All Rights Reserved. 31 The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don’t have the team in-house. It’s a big differentiator for them. — VP of IT, Call Center / BPO Company 70% of company’s assets are non-compliant at some point in the year. Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats. Address common non-compliant situations that leave you vulnerable all year long, including: • In-scope assets not reporting logs • In-scope assets missed from vulnerability scans • Critical, overlooked vulnerabilities due to volume • Risky firewall rule sets go undetected • Non-compliant user access scenarios not flagged “
Summary – Why ControlCase © 2020 ControlCase. All Rights Reserved. 32 “They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us. — Dir. of Compliance, SaaS company
Access Now - Free Ebook PERFORMING PCI DSS ASSESSMENTS USING ZERO TRUST PRINCIPLES © 2020 ControlCase. All Rights Reserved. 33 https://www.controlcase.com/free-pci-ebook/
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com (US) + 1 703.483.6383 (INDIA) + 91.22.62210800 contact@controlcase.com

Recommandé

PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudControlCase
 
Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECControlCase
 

Recommandé

PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudControlCase
 
Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar finalControlCase
 
Docker and Container Compliance
Docker and Container ComplianceDocker and Container Compliance
Docker and Container ComplianceControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Stepsagiliancecommunity
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Unanet
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudControlCase
 

Contenu connexe

Tendances

SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar finalControlCase
 
Docker and Container Compliance
Docker and Container ComplianceDocker and Container Compliance
Docker and Container ComplianceControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONhimalya sharma
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Unanet
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 

Tendances (20)

SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to Many
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar final
 
Docker and Container Compliance
Docker and Container ComplianceDocker and Container Compliance
Docker and Container Compliance
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Steps
 
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
Huntsville GovCon Growth Summit 2020 - Summit 7 - Cybersecurity Maturity Mode...
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 

Similaire à Performing PCI DSS Assessments Using Zero Trust Principles

PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudControlCase
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White PaperRaz-Lee Security
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler HelpSystems
 
Automate compliance with cloud guard dome9
Automate compliance with cloud guard dome9Automate compliance with cloud guard dome9
Automate compliance with cloud guard dome9John Varghese
 
PCI Compliance in Cloud
PCI Compliance in CloudPCI Compliance in Cloud
PCI Compliance in CloudControlCase
 
PCI Compliance in Cloud
PCI Compliance in CloudPCI Compliance in Cloud
PCI Compliance in CloudControlCase
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardPCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardJohn Bedrick
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Erik Ginalick
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 

Similaire à Performing PCI DSS Assessments Using Zero Trust Principles (20)

PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI Compliance White Paper
PCI Compliance White PaperPCI Compliance White Paper
PCI Compliance White Paper
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler
 
Automate compliance with cloud guard dome9
Automate compliance with cloud guard dome9Automate compliance with cloud guard dome9
Automate compliance with cloud guard dome9
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI Compliance in Cloud
PCI Compliance in CloudPCI Compliance in Cloud
PCI Compliance in Cloud
 
PCI Compliance in Cloud
PCI Compliance in CloudPCI Compliance in Cloud
PCI Compliance in Cloud
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardPCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The Standard
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010Protecting Payment Card Data Wp091010
Protecting Payment Card Data Wp091010
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 

Plus de ControlCase

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxControlCase
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdfControlCase
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfControlCase
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxControlCase
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST CertificationControlCase
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyControlCase
 

Plus de ControlCase (17)

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 
ISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of PrivacyISO 27001 In The Age Of Privacy
ISO 27001 In The Age Of Privacy
 

Dernier

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 

Dernier (20)

Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Performing PCI DSS Assessments Using Zero Trust Principles

  • 1. PERFORMING PCI DSS ASSESSMENTS USING ZERO TRUST PRINCIPLES YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
  • 2. ControlCase Introduction Zero Trust Principles by PCI Requirement About PCI DSS Current State ControlCase Remote Assessment Methodology AGENDA © 2020 ControlCase. All Rights Reserved. 2 1 2 3 4 5
  • 3. 1 CONTROLCASE INTRODUCTION © 2020 ControlCase. All Rights Reserved. 3
  • 4. ControlCase Snapshot CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES Go beyond the auditor’s checklist to: Dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance. © 2020 ControlCase. All Rights Reserved. 4 • Demonstrate compliance more efficiently and cost effectively (cost certainty) • Improve efficiencies ⁃ Do more with less resources and gain compliance peace of mind • Free up your internal resources to focus on their priorities • Offload much of the compliance burden to a trusted compliance partner 1,000+ 275+10,000+ CLIENTS IT SECURITY CERTIFICATIONS SECURITY EXPERTS
  • 5. Solution - Certification and Continuous Compliance Services © 2020 ControlCase. All Rights Reserved. 5 “I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness. — Security and Compliance Manager, Data Center Certification and Continuous Compliance Services
  • 6. Certification Services One Audit™ Assess Once. Comply to Many. © 2020 ControlCase. All Rights Reserved. 6 “You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business. — Sr. Director, Information Risk & Compliance, Large Merchant PCI DSS ISO 27001 & 27002 SOC 1,2,3 & SOC for Cybersecurity PCI SSF HIPAA PCI P2PE GDPR NIST 800-53 PCI PIN PCI PA-DSS CSA STAR Microsoft SSPA
  • 7. ABOUT PCI DSS2 © 2020 ControlCase. All Rights Reserved. 7
  • 8. What is PCI DSS Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Maintained by the PCI Security Standards Council (PCI SSC) • Established by leading payment card brands © 2020 ControlCase. All Rights Reserved. 8
  • 9. PCI DSS Requirements © 2020 ControlCase. All Rights Reserved. 9 CONTROL OBJECTIVES REQUIREMENTS Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security
  • 10. CURRENT STATE3 © 2020 ControlCase. All Rights Reserved. 10
  • 11. Current State Many companies are implementing work-from-home policies, which challenge traditional IT Compliance and Cyber Security programs. © 2020 ControlCase. All Rights Reserved. 11 Organizations are expected to consider and review their processes on remote work. Due to restrictions on travel and physical meetings as a result of the coronavirus, PCI SSC has published guidance for assessors on the topic of remote assessments.
  • 12. Automation In Remote Assessments © 2020 ControlCase. All Rights Reserved. 12 ACE • Automated Compliance Engine • Can collect evidence such as configurations remotely CDD • Data Discovery Solution • Can scan end user workstations for card data VAPT • Vulnerability Assessment & Penetration Testing • Can perform remote vulnerability scans and penetration tests LOGS • Log Analysis and Alerting • Can review log settings and identify missing logs remotely 1 2 3 4
  • 13. ZERO TRUST PRINCIPLES PER PCI DSS REQUIREMENT 4 © 2020 ControlCase. All Rights Reserved. 13
  • 14. PCI DSS Requirements © 2020 ControlCase. All Rights Reserved. 14 CONTROL OBJECTIVES REQUIREMENTS Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10.Track and monitor all access to network resources and cardholder data 11.Regularly test security systems and processes Maintain an information security policy 12.Maintain a policy that addresses information security
  • 15. Personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the internet when outside the network and which are used to access the Cardholder Data Environment (CDE). Only required Inbound and Outbound access control rules are required to be configured on the personal firewall running on such workstations. Employees should not be able to disable or modify the configuration of personal firewall software. Requirement 1: Firewalls © 2020 ControlCase. All Rights Reserved. 15
  • 16. Requirement 2: Configuration Scans © 2020 ControlCase. All Rights Reserved. 16 System configuration standards approved by organizations must be enforced on WFH users’ workstations. Maintain the inventory of workstations.
  • 17. Increase the frequency of card data discovery scanning. Establish process to run automated secure data disposal on disks of workstations for WFH users. Reduce the exposure of full card numbers. Requirement 3: Protect Stored Cardholder Data © 2020 ControlCase. All Rights Reserved. 17
  • 18. Applications accessible over internet should be accessed using HTTPS (TLS v1.2). Use VPN Connection with encryption for WFH users. Prohibit use of unofficial email and end-user messaging applications for sharing cardholder data. Requirement 4: Protect Cardholder Data In Transmission © 2020 ControlCase. All Rights Reserved. 18
  • 19. Requirement 5: Antivirus and Malware © 2020 ControlCase. All Rights Reserved. 19 All systems should have an Anti-Virus solution installed and regularly updated. Users should not be able to disable the Anti-virus solution.
  • 20. Requirement 6: Secure Applications © 2020 ControlCase. All Rights Reserved. 20 Regular patch management must be completed on WFH user workstations. Ensure that development workstations are not able to access remote production environments.
  • 21. Requirement 7: Access Control © 2020 ControlCase. All Rights Reserved. 21 No regular user (except power users) should be able to access any system within CDE that stores, processes or transmits bulk cardholder data. Need-to-know basis access along with least privileges must be implemented to restrict access to cardholder data for WFH users.
  • 22. Requirement 8: User IDs © 2020 ControlCase. All Rights Reserved. 22 All the WFH users must use two factor authentication to connect to cardholder data environment.
  • 23. No realistic way to control physical access of personnel working from home. Ensure controls (such as Citrix) are in place that full cardholder data cannot be viewed or downloaded when working from home. Data Center reviews may have to be done using mobile cameras and or CCTV images/ photographs (with time stamp) based evidence. Requirement 9: Physical Security © 2020 ControlCase. All Rights Reserved. 23
  • 24. Requirement 10: Logging and Monitoring © 2020 ControlCase. All Rights Reserved. 24 Ensure all user activities done on WFH workstations are logged. Ensure all WFH workstations are synchronizing time with designated NTP server.
  • 25. Requirement 11: Vulnerability Management © 2020 ControlCase. All Rights Reserved. 25 Internal vulnerability assessment and penetration testing must be conducted for WFH workstations. Penetration tests emulating a work from home user scenario must be performed.
  • 26. Requirement 12: Policies and Procedures © 2020 ControlCase. All Rights Reserved. 26 Provide Information Security Awareness Training to WFH users on how to secure their wireless network (if any).
  • 27. CONTROLCASE REMOTE ASSESSMENT METHODOLOGY 5 © 2020 ControlCase. All Rights Reserved. 27
  • 28. 1 Automation (Remote scanning, evidence collection & testing) 2 Mechanisms to enable remote assessment (CCTV, phone cameras etc.) 3 Continuous compliance controls (such as more frequent user access reviews, scans and firewall ruleset reviews) 3 Key Areas Of Focus © 2020 ControlCase. All Rights Reserved. 28
  • 29. 1. Automation-driven for Remote Work From Home Testing © 2020 ControlCase. All Rights Reserved. 29 ACE • Automated Compliance Engine • Can collect evidence such as configurations remotely CDD • Data Discovery Solution • Can scan end user workstations for card data VAPT • Vulnerability Assessment & Penetration Testing • Can perform remote vulnerability scans and penetration tests LOGS • Log Analysis and Alerting • Can review log settings and identify missing logs remotely 1 2 3 4
  • 30. 2. Mechanisms to Enable Remote Assessments © 2020 ControlCase. All Rights Reserved. 30 Assessors should maintain their structure for an onsite audit but instead use video calling and screen sharing to provide evidence and conduct interviews as a part of the assessment. Data Center reviews may have to be done using mobile cameras and or CCTV images/photographs (with time stamp) based evidence. Prepare for additional time interviewing vis a vis traditional face to face interviews. Technology to upload and manage evidence to be shared between assessor and organization.
  • 31. 3. Continuous Compliance Enablement © 2020 ControlCase. All Rights Reserved. 31 The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don’t have the team in-house. It’s a big differentiator for them. — VP of IT, Call Center / BPO Company 70% of company’s assets are non-compliant at some point in the year. Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats. Address common non-compliant situations that leave you vulnerable all year long, including: • In-scope assets not reporting logs • In-scope assets missed from vulnerability scans • Critical, overlooked vulnerabilities due to volume • Risky firewall rule sets go undetected • Non-compliant user access scenarios not flagged “
  • 32. Summary – Why ControlCase © 2020 ControlCase. All Rights Reserved. 32 “They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provide a lot of value to us. — Dir. of Compliance, SaaS company
  • 33. Access Now - Free Ebook PERFORMING PCI DSS ASSESSMENTS USING ZERO TRUST PRINCIPLES © 2020 ControlCase. All Rights Reserved. 33 https://www.controlcase.com/free-pci-ebook/
  • 34. THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM. www.controlcase.com (US) + 1 703.483.6383 (INDIA) + 91.22.62210800 contact@controlcase.com

Notes de l'éditeur

  1. Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.
  2. https://www.controlcase.com/free-pci-ebook/?fbclid=IwAR2ususGDWXR4QKPxujft5Ai5JXwag8DOwpzOP5wqpoF-Z7vqoD-0_8_Z-Q