PCI DSS (since version 3.0) asks organizations to make compliance a business-as-usual (BAU) activity rather than an annual audit exercise. ControlCase covers the following:
- PCI DSS requirements that can be made business as usual
- PCI DSS processes that can be made business as usual
- Techniques and methodologies
- Evidence to be provided to the QSA for compliance
- Key success factors
- Challenges
4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Requirements for securely processing, storing, or transmitting payment card account data
• Established by the leading payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)
5. PCI DSS Requirements
Control objectives and the requirements under each (PCI DSS 3.2 titles):
Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
  5. Protect all systems against malware and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an information security policy
  12. Maintain a policy that addresses information security for all personnel
6. Timeline of PCI DSS 3.x
• PCI DSS 3.0 became effective Jan 1, 2014
• Current version (at the time of this presentation) is PCI DSS 3.2
8. Overview of 3.2 changes
SSL/early TLS
• Work towards remediation: a formal risk mitigation and migration plan must be in place while SSL/early TLS is still in use
• No new implementations may use SSL/early TLS
• Service providers must have a secure (TLS 1.1 or higher) service offering available by June 30, 2016
• No SSL/early TLS after June 30, 2018
• Exception: POS POI terminals (and the points they connect to) that are verified as not susceptible to known SSL/early TLS exploits may continue to use them
Display of PAN
• Permits display of more than the first 6/last 4 digits of the PAN
• A documented justification and legitimate business need must exist
• Only the digits needed for that business need may be displayed; without such a need the PAN is masked to at most first 6/last 4
9. Overview contd…
Multi-factor authentication
• All remote network access originating from outside the entity's network must use multi-factor authentication
• All non-console administrative access to the CDE must use multi-factor authentication (best practice until Jan 31, 2018, mandatory from Feb 1, 2018)
• Multi-factor authentication can be implemented at the network, system, or application layer
New service provider requirements (all best practice until Jan 31, 2018, mandatory from Feb 1, 2018)
• Maintain a documented description of the cryptographic architecture
• Detect and report on failures of critical security control systems
• Quarterly reviews to confirm personnel are following security policies and operational procedures
• Perform segmentation penetration tests at least once every six months
• Executive management to establish responsibility for protecting cardholder data and for the PCI DSS compliance program
10. PCI DSS 3.2 Business As Usual by Requirement Number
11. PCI Council Guidance on BAU
Monitoring of security controls
• Firewalls
• IDS/IPS
• File Integrity Monitoring (FIM)
• Anti-virus
Ensuring failures in security controls are detected and responded to
• Restoring the security control
• Identifying the root cause
• Identifying any security issues that arose because of the failure
• Mitigation
• Resuming monitoring of the security control
• Segregation of duties between detective and preventive controls
12. PCI Council Guidance on BAU
Review changes to the environment
• Addition of new systems
• Changes to organizational structure
• Impact of the change on PCI DSS scope
• Requirements applicable to the new scope
• Implementation of any additional security controls required because of the change
• Confirmation that new hardware and software (and existing ones) remain vendor-supported and do not impact compliance
Periodic reviews
• Configuration
• Physical security
• Patches and anti-virus
• Audit logs
• Access rights
13. Firewalls
People
- PCI project manager to escalate non-compliance
- Segregation of duties between the operations personnel performing a change and the compliance personnel reviewing it
Process
- PCI impact analysis as part of the firewall change management process
Technology
- Automated/periodic ruleset reviews
- Weekly port scans from the CDE to the Internet to verify that no unauthorized outbound connections are permitted
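The automated ruleset review from the slide above, as an added example (not ControlCase's or the PCI SSC's code). It runs over a constructed iptables-save extract for a hypothetical CDE gateway and flags what a PCI impact analysis would reject in CDE egress rules: ACCEPT rules to the Internet with no destination or port restriction, rules with no change-ticket reference, and a missing default deny. The CDE subnet (10.10.0.0/16), the internal range, the ticket format and the addresses are assumptions; the weekly egress port scan from the slide is then the check that what the firewall actually enforces matches what this review says the ruleset allows.

```python
"""Added example: automated review of CDE egress rules in an iptables-save
extract. Not ControlCase's or the PCI SSC's code; subnets, ticket numbers
and addresses are assumptions for the example."""
import ipaddress
import shlex

# Constructed sample: FORWARD chain on the CDE gateway (assumed layout).
SAMPLE_RULES = """\
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.10.0.0/16 -d 10.20.5.0/24 -p tcp -m tcp --dport 514 -m comment --comment "CHG-0981 syslog to SIEM" -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -m comment --comment "CHG-1042 payment gateway" -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.10.4.0/24 -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -j DROP
COMMIT
"""

# iptables options this review cares about, mapped to the field they fill.
FIELDS = {"-A": "chain", "-s": "src", "-d": "dst", "-p": "proto",
          "--dport": "dport", "-j": "target", "--comment": "comment"}


def parse_rule(line):
    """Extract the reviewed fields from one iptables-save rule line."""
    rule = dict.fromkeys(FIELDS.values())
    toks = shlex.split(line)          # keeps a quoted comment as one token
    i = 0
    while i < len(toks):
        key = FIELDS.get(toks[i])
        if key is not None:
            val = toks[i + 1]
            rule[key] = ipaddress.ip_network(val, strict=False) if key in ("src", "dst") else val
            i += 2
        elif toks[i] == "-m":         # "-m <module>" selects a match module; nothing to review
            i += 2
        else:
            i += 1
    return rule


def review_cde_egress(rules_text, cde_net, internal_nets):
    """Return (line_no, rule, problems) for each CDE egress rule that fails review,
    plus a line-0 finding if the CDE has no default deny towards the Internet."""
    cde = ipaddress.ip_network(cde_net)
    internal = [ipaddress.ip_network(n) for n in internal_nets]
    findings, default_deny = [], False
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if line.startswith(":FORWARD DROP"):
            default_deny = True       # chain policy itself is deny
            continue
        if not line.startswith("-A FORWARD"):
            continue
        r = parse_rule(line)
        if r["src"] is None or not r["src"].overlaps(cde):
            continue                  # not a CDE egress rule
        if (r["target"] in ("DROP", "REJECT") and r["dst"] is None
                and r["proto"] is None and cde.subnet_of(r["src"])):
            default_deny = True       # explicit catch-all deny covering the CDE
            continue
        if r["target"] != "ACCEPT":
            continue
        if r["dst"] is not None and any(r["dst"].subnet_of(n) for n in internal):
            continue                  # internal destination, not Internet egress
        problems = []
        if r["dst"] is None:
            problems.append("no destination restriction (any)")
        if r["dport"] is None:
            problems.append("no port restriction")
        if not (r["comment"] or "").startswith("CHG-"):
            problems.append("no change ticket reference")
        if problems:
            findings.append((line_no, line, problems))
    if not default_deny:
        findings.append((0, "", ["no default deny for CDE egress"]))
    return findings


if __name__ == "__main__":
    for line_no, rule, problems in review_cde_egress(SAMPLE_RULES, "10.10.0.0/16", ["10.0.0.0/8"]):
        print(f"line {line_no}: {', '.join(problems)}\n    {rule}")
```

On the sample, the DNS rule and the 10.10.4.0/24 any-any rule are reported; the SIEM rule is skipped as internal, and the payment-gateway rule passes because it names a destination, a port and a change ticket. Run against a real export the review should also cover NAT and OUTPUT chains, which this example deliberately leaves out.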
14. Configuration Standards
People
- PCI project manager to escalate non-compliance
Process
- Periodic update of configuration standards
- New infrastructure onboarding process to include a PCI configuration standards check
Technology
- Automated/periodic configuration scans
- Reminders to update configuration standards quarterly
- Technology to flag new assets that have not formally undergone the PCI configuration standards check
15. Protect Stored Cardholder Data
People
- PCI project manager to escalate non-compliance to the highest levels within the organization
Process
- Periodic false-positive management
- Search for cardholder data during roll-out tests/quality assurance
Technology
- Automated/periodic cardholder data scans
- Alerts when new cardholder data is found
16. Protect Cardholder Data in Transmission
People
- Training to ensure personnel do not email/chat clear-text card data
- Personnel allocated to review outbound data at random
Process
- Periodic review of modes of transmission, i.e. wireless, chat, email, etc.
Technology
- Automated technology to monitor transmission of card data through the perimeter (e.g. email and chat monitoring)
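A cardholder-data discovery scan of the kind slides 15 and 16 rely on (stored data scans, and the same detector applied to outbound email or chat text), as an added example that is not ControlCase's tooling. It carries the two things those slides ask for around the scan itself: false-positive management (a Luhn check, a coarse issuer-prefix filter and an allow-list of documented test cards), and PAN masking per the 3.2 display-of-PAN change from slide 8, so that the scan report never contains a full PAN and showing more than first 6/last 4 needs a stated business need. The sample files, the issuer prefixes covered and the test-card list are constructed assumptions.

```python
"""Added example: minimal PAN discovery scan with false-positive handling and
PCI DSS 3.2 req. 3.3 masking. Not ControlCase's tooling; sample data, issuer
prefixes and the test-card allow-list are assumptions."""
import re
from typing import Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumption: known test card numbers used in QA fixtures (documented false positives).
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444"}

# Constructed sample "files" (name -> content) for the scan.
SAMPLE_FILES = {
    "orders_export.csv": "order,card\n1001,4532015112830366\n1002,4111-1111-1111-1111\n",
    "app.log": "2016-08-01 req_id=5500000000000004 status=ok\n",
    "notes.txt": "ticket 1234567890123 about card 4532015112830367\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def issuer_prefix_ok(digits: str) -> bool:
    """Coarse issuer prefix/length filter (assumption: only the major brands are in
    scope); drops Luhn-valid noise such as serial numbers and timestamps."""
    n, p2, p4 = len(digits), digits[:2], int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return True                                    # Visa
    if (p2 in {"51", "52", "53", "54", "55"} or 2221 <= p4 <= 2720) and n == 16:
        return True                                    # Mastercard
    if p2 in {"34", "37"} and n == 15:
        return True                                    # American Express
    if (digits[:4] == "6011" or p2 == "65") and n == 16:
        return True                                    # Discover
    return False


def mask_pan(digits: str, reveal_first: int = 6, reveal_last: int = 4,
             business_need: Optional[str] = None) -> str:
    """Mask a PAN for display. PCI DSS 3.2 req. 3.3: first six/last four is the
    most that may be shown unless a documented business need justifies more."""
    if (reveal_first > 6 or reveal_last > 4) and not business_need:
        raise ValueError("showing more than first 6/last 4 needs a documented business need")
    hidden = len(digits) - reveal_first - reveal_last
    return digits[:reveal_first] + "*" * hidden + digits[len(digits) - reveal_last:]


def scan_text(text: str, source: str) -> list:
    """Return findings for one text; each holds a masked PAN, never the full PAN."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits) or not issuer_prefix_ok(digits):
            continue                       # false positive: fails Luhn or issuer filter
        if digits in KNOWN_TEST_PANS:
            continue                       # documented false positive (test card)
        findings.append({"source": source, "offset": m.start(),
                         "masked_pan": mask_pan(digits)})
    return findings


def scan_files(files: dict) -> list:
    """Scan every file; the same function applies to outbound email/chat bodies."""
    findings = []
    for name, content in files.items():
        findings.extend(scan_text(content, name))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"ALERT cardholder data in {f['source']} at offset {f['offset']}: {f['masked_pan']}")
```

On the sample data the CSV export and the application log each produce one alert, the test card in the CSV is suppressed by the allow-list, and the two numbers in the notes file fail the Luhn or issuer filters. The allow-list and the issuer filter are exactly the places where the "periodic false-positive management" from slide 15 happens; keep them under change control, since loosening them silently widens what the scanner ignores.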
17. Antivirus and Malware
People
- PCI project manager to escalate non-compliance
Process
- Process to ensure all assets are protected by anti-virus
- Process to implement anti-virus and anti-malware on all new systems being deployed
Technology
- Technology to detect any systems that do not have anti-virus/anti-malware installed
18. Secure Applications
People
- Segregation of development and security duties
- Periodic training of developers on security standards such as OWASP
Process
- Continuous scanning of applications
- Scanning of applications as part of the SDLC
- Code review as part of the SDLC
- Periodic review of QA/test cases to ensure all of them have a security checkpoint and approval
Technology
- Application scanning software
- Code review software
- Identification of instances where changes have occurred to applications
- Application firewalls
19. Access Control and User IDs
People
- Segregation between personnel provisioning IDs and personnel reviewing user access
Process
- Periodic review of user access
- Attestation of user access
- Onboarding procedures
- Termination procedures
Technology
- Role-based access control
- Single sign-on
- Centralized authentication (LDAP/AD/TACACS+) for credential and password policy management
20. Physical Security
People
- Designation of a person at every site as site coordinator
Process
- Periodic walkthroughs and random audits of physical security
- Weekly review of CCTV and badge logs
- Periodic review of scope
Technology
- Alarms to report malfunction of devices such as cameras and badge access readers
21. Logging and Monitoring
People
- Personnel to actively monitor logs 24/7/365
Process
- Periodic review of asset inventory
- Periodic review of scope
- Process to ensure logs from all assets are feeding the SIEM solution
- Weekly/monthly test restoration of logs from up to 12 months back, to prove the one-year retention requirement can actually be met
Technology
- Security Information and Event Management (SIEM)
- Technology to identify new assets not covered within the SIEM
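The "technology to identify new assets not covered" from this slide, the missing-anti-virus detection from slide 17, and the failure detection for security controls from slide 11 all reduce to the same reconciliation: compare the asset inventory against what each control reports and alert on the gaps. The following is an added example of that reconciliation (not ControlCase's tooling), run over constructed exports from a CMDB, an anti-virus console and a SIEM. It reports in-scope assets with no AV agent or stale signatures, in-scope assets not logging to the SIEM, log sources that have gone silent (a control failure of the kind 3.2 requirement 10.8 asks service providers to detect), and log sources the inventory does not know about (a trigger for the scope review from slide 12). Hostnames, addresses, timestamps and thresholds are assumptions.

```python
"""Added example: control-coverage reconciliation across a CMDB export, an AV
console export and a SIEM log-source list. Not ControlCase's tooling; all
hosts, addresses, timestamps and thresholds are constructed assumptions."""
from datetime import datetime, timedelta

# Constructed CMDB export: host, IP and whether it is in PCI DSS scope.
ASSET_INVENTORY = [
    {"host": "pos-app-01", "ip": "10.10.1.11", "pci_scope": True},
    {"host": "pos-db-01",  "ip": "10.10.1.21", "pci_scope": True},
    {"host": "pos-app-02", "ip": "10.10.1.12", "pci_scope": True},
    {"host": "wiki-01",    "ip": "10.30.0.5",  "pci_scope": False},
]
# Constructed AV console export: host -> last signature update (ISO 8601).
AV_CONSOLE = {
    "pos-app-01": "2016-08-15T02:00:00",
    "pos-db-01":  "2016-08-01T02:00:00",
    "wiki-01":    "2016-08-15T02:00:00",
}
# Constructed SIEM log-source list: source IP -> time of last event received.
SIEM_SOURCES = {
    "10.10.1.11": "2016-08-15T07:55:00",
    "10.10.1.21": "2016-08-15T05:00:00",
    "10.10.1.99": "2016-08-15T07:50:00",
}


def reconcile(now_iso, inventory, av_console, siem_sources,
              max_sig_age=timedelta(days=1), max_log_silence=timedelta(hours=1)):
    """Return (asset, issue) pairs for the BAU compliance report, evaluated at now_iso."""
    now = datetime.fromisoformat(now_iso)
    issues, known_ips = [], set()
    for asset in inventory:
        known_ips.add(asset["ip"])
        if not asset["pci_scope"]:
            continue                              # out-of-scope assets are not checked here
        host, ip = asset["host"], asset["ip"]
        # Requirement 5: every in-scope system runs AV with current signatures
        if host not in av_console:
            issues.append((host, "no anti-virus/anti-malware agent"))
        else:
            age = now - datetime.fromisoformat(av_console[host])
            if age > max_sig_age:
                issues.append((host, f"anti-virus signatures stale ({age.days} days)"))
        # Requirement 10: every in-scope system feeds the SIEM, and keeps doing so
        if ip not in siem_sources:
            issues.append((host, "not sending logs to SIEM"))
        else:
            silence = now - datetime.fromisoformat(siem_sources[ip])
            if silence > max_log_silence:
                hours = silence.total_seconds() / 3600
                issues.append((host, f"SIEM log source silent for {hours:.1f}h"))
    # Anything logging that the inventory does not know about needs a scope review
    for ip in siem_sources:
        if ip not in known_ips:
            issues.append((ip, "log source not in asset inventory (scope review needed)"))
    return issues


if __name__ == "__main__":
    for asset, issue in reconcile("2016-08-15T08:00:00", ASSET_INVENTORY, AV_CONSOLE, SIEM_SOURCES):
        print(f"{asset}: {issue}")
```

The silent-source check is the one most often missing in practice: an asset that was onboarded to the SIEM once stays "covered" in the inventory even after its agent breaks, and only a freshness threshold on the last received event turns that into the control failure the PCI guidance wants detected and responded to.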
22. Vulnerability Management
People
- Segregation between personnel responsible for scanning and personnel responsible for remediating findings
- PCI project manager to escalate non-compliance
Process
- Ongoing review of scan targets against the asset inventory for appropriateness/change
- Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans
Technology
- Automated scanning technology
- Technology to manage false positives and compensating controls
- Asset management repository
- File Integrity Monitoring (FIM) technology
23. Policies and Procedures
People
- Coordination between procurement and compliance personnel
Process
- PCI DSS requirements tied to the procurement process
- PCI anomalies tracked within the vendor/third-party management solution
Technology
- Vendor management/third-party management solution
30. Compliance as Usual (CaU)
› This solution aims to capitalize on your current compliance and security investment by actually monitoring and analyzing the data you collect
› ControlCase will draw data from the client's security controls (log management systems, security scanners and other security systems) and systematically analyze and evaluate this data on an ongoing basis to build a business-as-usual layer into the business.
› The deliverables will be:
• A periodic compliance status report that reflects data from all your security controls.
• An outline of the remediation actions required to maintain compliance with multiple regulations.
31. Value of Compliance as Usual (CaU)
• Alert on relevant items ONLY (i.e. our value is in providing compliance information, not just raw scan results)
• How we alert on relevant items within SLAs:
› We know your compliance scope
› We know what will result in non-certification
› We map the risks of vulnerabilities, sensitive data and log alerts to compliance requirements
› We map all logs to the relevant compliance requirements, such as the daily log review reports
• ControlCase will take ownership of this and deliver within established SLAs
32. To Learn More About PCI Compliance…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)