PCI: The Essentials
A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
www.riskfactory.com
The Essentials

• What PCI compliance is and why it's important
• Understand how to identify potential risks to card
  data within your business
• Foundation in data risk management
• How to communicate the importance of PCI to
  stakeholders
• The keys to achieving and maintaining compliance
• How to avoid fines
The Standard
Where did it come from?




Restaurants sue POS vendor over data breach:
Dec’09
 Nearly 100 customers had their identities stolen as a result of 
"Aloha" POS software payments terminals that were not PCI-DSS 
compliant. They have to pay for forensic audits to trace the 
problems, reimburse fraud costs to the credit card companies and 
pay for re-issuance of credit cards to affected individuals.
[Diagram: the PCI Data Security Standard at the centre, surrounded by its inputs and outputs: Industry Best Practices, Forensics Results, Security Scans, On Site Audits, Self-Assessment Questionnaire, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs), Advisory Board, Community Meeting, and proactive feedback from QSAs, ASVs and POs. A further label reads "ADC".]
The Standard
Applies to:

• Systems that store, process or transmit
  cardholder data

• Systems that connect to them

Compliance is mandatory
  – Enforced through merchant services agreements
6 Goals, 12 Requirements

The PCI DSS standard is based upon the following 6 core principles and 12 requirements (264 controls):

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
264 Controls
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
 1.1 Establish firewall configuration standards that include the following:
 1.1.1 A formal process for approving and testing all external network connections and
  changes to the firewall configuration.
 1.1.2 A current network diagram with all connections to cardholder data, including any
  wireless networks.
 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and
  the internal network zone (intranet).
 1.1.4 Description of groups, roles and responsibilities for logical management of network
  components.
 1.1.5 Documented list of services/ports necessary for business.
 1.1.6 Justification and documentation for any available protocols besides hypertext transfer
  protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private
  network (VPN).
 1.1.7 Justification and documentation for any risky protocols allowed - for example, file
  transfer protocol (FTP), which includes reason for use of protocol and security features
  implemented.
 1.1.8 Quarterly review of firewall and router rule sets.
 1.1.9 Establish configuration standards for routers.
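Controls 1.1.5 to 1.1.8 are the ones an assessor most often tests against the firewall rule set itself: every allowed port must appear on the documented services list, risky protocols such as FTP must carry a justification and a description of the security features in place, and the rule set must have been reviewed within the quarter. The following Python is an added illustration of that review, not material from the deck or from Risk Factory: the rule set, the documented services list and the 90-day review threshold are all constructed for the example, and Telnet is added to the risky-protocol list as an assumption alongside the slide's FTP example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Protocols a reviewer treats as "risky" under control 1.1.7. FTP is the slide's
# example; Telnet is added here as an assumption of the same kind. port -> name
RISKY_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed documented services list (control 1.1.5). For a risky protocol the
# entry must also carry the justification and security features 1.1.7 asks for.
DOCUMENTED_SERVICES = {
    443: {"reason": "customer checkout over HTTPS", "justification": ""},
    22: {"reason": "administration over SSH from the jump host", "justification": ""},
    21: {"reason": "supplier file transfer",
         "justification": "FTPS only, source IP restricted, reviewed last quarter"},
    23: {"reason": "console access to a legacy switch", "justification": ""},
}


@dataclass(frozen=True)
class Rule:
    """One firewall rule as a reviewer would extract it from the rule set export."""
    name: str
    action: str      # "allow" or "deny"
    source: str      # CIDR or "any"
    dst_port: int


# Constructed rule set standing in for the exported firewall configuration.
RULES = [
    Rule("web-in", "allow", "any", 443),
    Rule("admin-ssh", "allow", "10.0.0.5/32", 22),
    Rule("supplier-ftp", "allow", "203.0.113.10/32", 21),
    Rule("switch-telnet", "allow", "10.0.0.0/8", 23),
    Rule("rdp-in", "allow", "any", 3389),
    Rule("default-deny", "deny", "any", 0),
]


def review_rules(rules, documented=DOCUMENTED_SERVICES, risky=RISKY_PORTS):
    """Return the findings a 1.1.5 / 1.1.7 review raises against the rule set."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        entry = documented.get(r.dst_port)
        if entry is None:
            findings.append(f"{r.name}: port {r.dst_port} allowed but not on the "
                            f"documented services list (1.1.5)")
            continue
        if r.dst_port in risky and not entry["justification"]:
            findings.append(f"{r.name}: {risky[r.dst_port]} allowed without "
                            f"documented justification (1.1.7)")
    return findings


def review_overdue(last_review_iso: str, today_iso: str, max_age_days: int = 90) -> bool:
    """Control 1.1.8 asks for a quarterly review; 90 days is this example's assumed threshold."""
    last_review = date.fromisoformat(last_review_iso)
    today = date.fromisoformat(today_iso)
    return today - last_review > timedelta(days=max_age_days)


if __name__ == "__main__":
    for finding in review_rules(RULES):
        print(finding)
    print("rule set review overdue:", review_overdue("2024-01-01", "2024-05-01"))
```

The point for evidence gathering is that the documented services list and the exported rule set are two separate artefacts; the review compares them and the printed findings become the documentation and observation evidence for this control.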
The Structure
Cardholder Data?
[Diagram of a payment card showing where cardholder data lives: the magnetic stripe, the chip, the card account number (PAN) and the expiry date.]
Controls-2-Data
Scoping
De-Scoping

• Network segmentation is not a PCI DSS
  control requirement

• De-scoping is where you set the cost baseline
  for the project.

• Take your time.

• The more you can take out of scope – the less
  it will cost to implement the controls.
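Scoping starts with knowing where card data actually sits, and the "Cardholder Data?" slide above names the element that drives scope: the PAN. The Python below is an added example, not from the deck or from Risk Factory, of the discovery check a scoping exercise runs over file shares, logs and databases: it pulls out digit runs of PAN length, keeps only those that pass the Luhn check that every issued card number satisfies, and reports them masked (first six and last four digits) so the scan output itself does not become a new store of card data. The sample text is constructed and uses published test card numbers, not real cards.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run on either side.
PAN_RE = re.compile(r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")

# Constructed sample input: a mix of genuine-looking PANs and look-alike numbers.
SAMPLE = """\
order 8812 paid with 4111 1111 1111 1111 exp 12/26
customer ref 1234567890123456 (internal id, not a card)
refund to 3782-822463-10005 approved
typo in card field: 4111111111111112
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out most random digit runs of PAN length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """First six and last four digits are the most a masked PAN may reveal."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str):
    """Return (line number, masked PAN) for every Luhn-valid PAN candidate found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for line_no, masked in scan_text(SAMPLE):
        print(f"line {line_no}: {masked}")
```

Any location that produces a hit is in scope until the data is removed or the system is segmented away; a clean scan is the evidence that supports taking a system out of scope.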
Quiz 1

1. The PCI DSS applies to all systems that ________,
   __________, or _________ card data.
2. The PCI DSS is comprised of _________ principles,
   ___________ requirements and 264 controls.
3. The PCI DSS is a checklist of controls. True/False?
4. Controls only apply to systems “in scope”.
   True/False?
5. We can store sensitive card holder data.
   True/False?
The Players
The Players

   Card Brands
   PCI Council
   Acquirers
   QSA
   ASV
   Merchants
   Service Providers
Relationships Matrix
[Diagram: the Acquirer at the top, with the Merchant, the Service Provider and the Cardholder beneath it.]
Concerns & Consequences
[Diagram: Cardholder Data Targeted leads to Cardholder Victimized, which in turn leads to Government Intervention, Media Scrutiny and Regulatory Enforcement.]
Cardholder Data Exposure
[Diagram: Service Providers and the Payment Application shown as the points at which cardholder data is exposed.]
Service Providers


 Businesses that facilitate: process, storage or
  transmission of card data on behalf of Merchant or
  Acquirer.

 Any business requiring connectivity to a card
  holder network or application.
Quiz 2


1. The __________ issue fines for non-compliance.
2. A service provider is defined as either
   ______________ or __________________.
3. Merchant Levels are determined by the _________
   of ___________ per __________.
4. QSAs are monitored by _______________
5. The Acquirers set the compliance deadlines for the
   Merchants. True/False?
Compliance Process
Process
Key Documentation

   Card Data Security Policy
   Comprehensive Network Diagram
   Evidence
   3rd Party Agreements
   End User Agreements
   Security Vulnerability Scan Reports
   Security Penetration Reports
Key Actions

   Gap Analysis
   Remediation
   Monthly Acquirer Reports
   Audit-ready (Evidence in place)
   Pass ASV scan
   Network Security Penetration Test
   Application Security Penetration Test
   Validation
   RoC to Acquirer / Card Brands
   Annual Revalidation
Process – not a checklist
• Identify

• Minimise

• Manage
Quiz 3


1. RoC is an acronym for ____________ on ____________.
2. AoC is an acronym for ____________ of ____________.
3. SAQ is an acronym for _________ ________ ________.
4. I need to pass both an ASV scan and penetration test
   prior to validation. True/False.
5. These quizzes are getting on my nerves. True/False
Exercise
Situation:   You have a bank owned terminal (BOT) taking
             credit card payments at your site. It is
             connected directly to the bank and is not
             connected to your local systems.

Problem:     Is it “in scope” of PCI DSS? Design a process for
             determining your answer.

Dilemma:     What problem do you still have?
The Policies
Framework
Policies

1.       INTRODUCTION
     •     Required for the protection of client card data.
2.       APPLICABILITY
     •     All employees, contractors and 3rd party suppliers.
3.       COMPLIANCE
     •     Compliance Manager monitors & enforces
     •     Collaborative effort
     •     Non-compliance = disciplinary action
4.       REVIEW, UPDATES & MAINTENANCE
     •     Annual
     •     30 days after significant changes
5.       EXCEPTIONS
     •     Require Compliance Manager’s prior approval
6.       PROGRAM MANAGEMENT
Policies

6.1     ANNUAL DOCUMENTATION
•     Current network diagram
•     Card data asset register
•     Card data flow diagram clearly indicating all credit card dependant business
      processes
•     List of all roles having access to card data
•     3rd Party Statements of Compliance
6.2     INFORMATION SECURITY RISK ASSESSMENTS
•     Annually
•     Prior to significant changes
6.3     MINIMISE HOLDINGS
6.4     CARD DATA ASSET REGISTER
•     Maintain current list of all devices hosting card data
6.5     ASSET CLASSIFICATION
•     Hardware & software marked “Company Confidential”
Policies

6.6 EMPLOYEE CHECKS
•       Staff with access to card data = criminal & credit checks
6.7 SECURITY TRAINING
•   Initial
•   Annual update
6.8 3rd PARTY CONNECTIVITY AGREEMENTS
•   Condition of connectivity
6.9 3rd PARTY COMPLIANCE
6.10 3rd PARTY AUDITS
•   Initial
•   Annual verification
Policies

6.11 NETWORK SECURITY VULNERABILITY SCANNING
•     Done quarterly – Pass – submitted to Acquirer
6.12 NETWORK SECURITY PENETRATION TESTING
•     Annually
•     After significant changes
6.13 APPLICATION SECURITY PENETRATION TESTING
•     Applies to all application process/store/transmit
•     Conducted prior to launch
•     After significant changes
•     Annually
7.    SYSTEM SECURITY
7.1   FIREWALL & ROUTER CONFIGURATIONS
•     As stated in Annex
Policies

7.2 PASSWORDS & SECURITY ADMINISTRATION
•   Vendor accounts & defaults removed
•   Admin access encrypted
•   Configuration security build standards
7.3 CARD DATA STORAGE
•   Minimise!
•   Data Retention Policy
•   Do not store authentication data
7.4 CARD DATA TRANSMISSION
•   Encrypted when sent over public networks (email, etc.)
7.5 ANTI-VIRUS MANAGEMENT
•   Software on all systems that process, store or transmit card data
7.6 SYSTEM MONITORING
    •   Quarterly testing for wireless - Implement IDS - File integrity monitoring
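Policy 7.3 is the one most often broken by software rather than by people: a payment application that keeps the CVV or the track data "just in case", or logs the full PAN, has stored sensitive authentication data after authorisation, which PCI DSS forbids even when it is encrypted. The Python below is an added example, not the deck's or Risk Factory's own code, of a guard at the persistence boundary that drops the authentication data, truncates the PAN to first six and last four, checks that nothing forbidden reached the store, and applies a retention period. The record, the field names and the retention window are all constructed for the example; the PAN is a published test number.

```python
from datetime import date, timedelta

# Sensitive authentication data (SAD): never stored after authorisation, even encrypted.
SAD_FIELDS = ("cvv", "track1", "track2", "pin_block")

# Constructed transaction record as a payment application might hold it in memory
# during authorisation. The PAN is a standard test number, not a real card.
SAMPLE_RECORD = {
    "order_id": "8812",
    "pan": "4111111111111111",
    "expiry": "12/26",
    "cardholder": "A N Other",
    "cvv": "123",
    "track2": "4111111111111111=26121010000000000000",
    "captured_on": "2024-03-12",
}


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits; the middle digits are discarded, not hidden."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return the only form of the record the retention store may accept."""
    stored = {k: v for k, v in record.items() if k not in SAD_FIELDS}
    if "pan" in stored:
        stored["pan"] = truncate_pan(stored["pan"])
    return stored


def storage_violations(record: dict) -> list:
    """Guard at the persistence boundary: list every reason a record must not be stored."""
    problems = []
    leaked = [f for f in SAD_FIELDS if f in record]
    if leaked:
        problems.append(f"sensitive authentication data present: {leaked}")
    if record.get("pan", "").isdigit():
        problems.append("untruncated PAN present")
    return problems


def purge_expired(records, today_iso: str, retention_days: int):
    """Apply the retention policy: keep only records captured within retention_days."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["captured_on"]) >= cutoff]


if __name__ == "__main__":
    print("raw record violations:", storage_violations(SAMPLE_RECORD))
    safe = prepare_for_storage(SAMPLE_RECORD)
    print("stored form:", safe, "violations:", storage_violations(safe))
    print("after 1-year retention on 2025-12-31:", purge_expired([safe], "2025-12-31", 365))
```

Keeping the guard separate from the sanitiser matters for evidence: the sanitiser shows the assessor how data is minimised, and the guard shows that a bug elsewhere in the application cannot quietly reintroduce the forbidden fields.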
Policies

8.   APPLICATION SECURITY
•    Software security development lifecycle procedures
•    Change control procedures as detailed in Annex
•    Patches
•    Process to keep up to date with new application threats
9.   LOGS & RECORDS
•    System logs as detailed in Annex
10. SYSTEM USER SECURITY
•    Need to know
•    Password
•    Screensaver, lock outs
11. PHYSICAL ACCESS CONTROLS
     •   Facility access control, locks alarms
     •   Visitor badging
     •   Protection of hard copy card data
Quiz 4

1. The Card Data Security Policy only applies to your
   employees. True/False?
2. __________ is responsible for 3rd party compliance
   verification.
3. Credit and criminal records checks need to be
   conducted for all employees. True/False?
4. Identification badges are required for access to any
   facility. True/False?
5. This guy uses way too much mousse in his hair.
   True/False.
The Controls
Controls
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
 1.1 Establish firewall configuration standards that include the following:
 1.1.1 A formal process for approving and testing all external network connections
  and changes to the firewall configuration.
 1.1.2 A current network diagram with all connections to cardholder data, including
  any wireless networks.
 1.1.3 Requirements for a firewall at each Internet connection and between any
  DMZ and the internal network zone (intranet).
 1.1.4 Description of groups, roles and responsibilities for logical management of
  network components.
 1.1.5 Documented list of services/ports necessary for business.
 1.1.6 Justification and documentation for any available protocols besides
  hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell
  (SSH), and virtual private network (VPN).
 1.1.7 Justification and documentation for any risky protocols allowed - for
  example, file transfer protocol (FTP), which includes reason for use of protocol
  and security features implemented.
 1.1.8 Quarterly review of firewall and router rule sets.
 1.1.9 Establish configuration standards for routers.
Evidence

• Types
   • Observation (configuration or process)
   • Documentation
   • Interview
   • Technical (monitoring of network traffic)

• Required for each and every control !
Controls Example

Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections
    and changes to the firewall configuration.


    Observation (configuration)
    Observation (process)
    Documentation (firewall rule set)
    Interview (systems administrator)
    Technical (monitoring of network traffic)
Policy Example

Requirement 12: Maintain a policy that addresses information security for employees
and contractors.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.


Observation (configuration)
 Observation (process)
 Documentation (policy)
 Interview (receptionist)
 Technical (none)
Compensating Controls

• Used only when a specific control cannot be
  implemented due to a business process
• Implement “risk-based” supplementary control(s)
• Designed for the business
• Accepted by the business
• Must be accompanied by supporting evidence
• Accompanied by supporting processes
Compensating Controls
1. Constraints
   Information required: List constraints precluding compliance with the original requirement.
   Explanation: Company XYZ employs stand-alone Unix servers without LDAP. As such, they each require a "root" login. It is not possible for Company XYZ to manage the "root" login nor is it feasible to log all "root" activity by each user.

2. Objective
   Information required: Define the objective of the original control; identify the objective met by the compensating control.
   Explanation: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.

3. Identified Risk
   Information required: Identify any additional risk posed by the lack of the original control.
   Explanation: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.

4. Definition of Compensating Controls
   Information required: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   Explanation: Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the "root" account and perform actions under the "root" account but is able to be logged in the SU-log directory. In this way, each user's actions can be tracked through the SU account.

5. Validation of Compensating Controls
   Information required: Define how the compensating controls were validated and tested.
   Explanation: Company XYZ demonstrates to the assessor that the SU command is being executed and that those individuals utilizing the command are logged, to identify that the individual is performing actions under root privileges.

6. Maintenance
   Information required: Define process and controls in place to maintain compensating controls.
   Explanation: Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually tracked or logged.
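The validation row of the worksheet is the one that decides whether the compensating control is accepted: Company XYZ has to show that every root session can be tied back to a named individual through the su log. The Python below is an added example of that validation step and is not from the deck or from Risk Factory. It reads syslog-style lines of the shape Linux su and PAM write (the exact format is an assumption; adjust the regular expressions to the real system), credits each successful su to the user who ran it, records failed attempts, and flags any root session that did not go through su at all, because such a session is exactly the gap the compensating control must not leave open. The log lines are constructed for the example.

```python
import re

# Constructed syslog-style lines in the shape Linux su / PAM / sshd commonly write.
# The host name, PIDs, users and addresses are all made up for the example.
SAMPLE_LOG = """\
Mar 12 09:14:02 unix01 su[2311]: (to root) alice on pts/0
Mar 12 09:14:02 unix01 su[2311]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Mar 12 09:31:45 unix01 su[2390]: (to root) bob on pts/1
Mar 12 09:31:45 unix01 su[2390]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Mar 12 10:02:10 unix01 sshd[2500]: Accepted password for root from 10.0.0.7 port 51022 ssh2
Mar 12 10:05:33 unix01 su[2533]: FAILED SU (to root) carol on pts/2
"""

# A successful switch to root, attributable to the named user.
SU_TO_ROOT = re.compile(r"su\[\d+\]: \(to root\) (\w+) on (\S+)")
# A refused switch to root; worth keeping as evidence the control is exercised.
SU_FAILED = re.compile(r"FAILED SU \(to root\) (\w+)")
# A root session that bypassed su entirely: not attributable to an individual.
DIRECT_ROOT_LOGIN = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)")


def attribute_root_access(log_text: str) -> dict:
    """Map every root session in the log to a named individual, or flag it as unattributable."""
    summary = {"attributed": {}, "failed": [], "unattributed": []}
    for line in log_text.splitlines():
        if m := SU_TO_ROOT.search(line):
            user = m.group(1)
            summary["attributed"][user] = summary["attributed"].get(user, 0) + 1
        elif m := SU_FAILED.search(line):
            summary["failed"].append(m.group(1))
        elif m := DIRECT_ROOT_LOGIN.search(line):
            summary["unattributed"].append(line.strip())
    return summary


def compensating_control_holds(summary: dict) -> bool:
    """The control is only valid if no root activity escaped individual attribution."""
    return not summary["unattributed"]


if __name__ == "__main__":
    result = attribute_root_access(SAMPLE_LOG)
    print("root sessions per user:", result["attributed"])
    print("failed su attempts:", result["failed"])
    print("unattributable root sessions:", result["unattributed"])
    print("compensating control holds:", compensating_control_holds(result))
```

In the sample the direct SSH login as root is what fails the validation: the su logging is working, but a second route to root exists that the worksheet's maintenance row would have to close (for instance by disallowing direct root logins) before the assessor can accept the control.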
Quiz 5

1. Name the four types of evidence generally required.
2. If you cannot implement a control you will fail the
   audit. True/False?
3. Compensating controls are _________ based and
   must be accepted by ___________________.
4. When designing a compensating control you must
   always consider the ____________ objective.
5. If I just nod once in a while, this guy actually
   thinks I'm listening to him. True/False.
Project Management
Milestones

• Risk based prioritisation of
  implementation of the controls
  established by card brands
• Milestone 1 – identify what you
  have, where you have it and write
  policies to protect it.
• Milestone 2 – Network integrity
• Milestone 3 – Code integrity
• Milestone 4 – Logs & records
• Milestone 5 – Incidents
• Milestone 6 – Auditing & testing
Timelines


• Missed deadline
• Milestones 1-4
• Validation
• SAQ
• AoC to Acquirer
• Annual Recertification
How will you get there?


•   By starting and maintaining momentum!
•   Document everything
•   Monthly Acquirer reports
•   Quick resolution of questions
•   Compensating controls
•   Site visits – practice audits
•   Disseminating information
2 Words


          Due diligence
The Messages
Intent



Give PCI a Chance!


   Minimise risk to card holder data
Business Messages

 Card brand service requirements
 Regulatory requirement
 Losses impact our clients
 Lost client confidence = Lost £
 System down time = Lost £
 Repair costs = Lost £
 Data theft & fraud = Lost £
 Reputation losses = Lost £
 Fines = Lost £
Employee


 Security of our customer credit card data is critical
  to our mission.
 We’ve implemented a detailed security program to
  protect this data.
 Security is your responsibility.
 Security is everyone’s responsibility.
 Failure to meet this responsibility…
 We need your help and suggestions.
Partner

 Protection of our customer data is mission critical
  to us.
 We have implemented a PCI DSS compliance
  program and are pending formal certification.
 Regulatory compliance is a shared responsibility.
 Connectivity to our systems requires compliance with
  PCI DSS controls as a condition of contract.
 How can we help you?
Customer

 We are implementing a PCI DSS compliance
  program and are pending formal certification.
 We require all of our partners and suppliers to
  meet PCI DSS controls
 We have implemented a rigorous security testing
  program to ensure the security integrity of our
  systems.
 Protection of your personal data is critical to our
  business.
 If you have any questions regarding our policies –
  do not hesitate to contact us.
Last Quiz


1.   Name a business message.
2.   Name an employee message.
3.   Name a client message.
4.   Name a partner message.
5.   Name all five members of the original Jackson 5.
The Close
If Nothing Else, Remember


• PCI DSS is a “risk management framework”

• Implementation does not guarantee security

• A framework only serves to identify, minimise and
  manage the risk of compromise.

• At the day’s end - You still own the risk.
• Identify

• Minimise

• Manage
26 Dover Street
         London
    United Kingdom
  +44 (0)20 3170 8955
+44 (0)20 3008 6011 (fax)

            67

Contenu connexe

Tendances

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 

Tendances (20)

PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
Pci dss intro v2
Pci dss intro v2Pci dss intro v2
Pci dss intro v2
 
PCI DSS Requirements & Security Assessment Procedures | Prep4audit
PCI DSS Requirements &  Security Assessment Procedures | Prep4auditPCI DSS Requirements &  Security Assessment Procedures | Prep4audit
PCI DSS Requirements & Security Assessment Procedures | Prep4audit
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 

Similaire à Risk Factory: PCI - The Essentials

pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
gealehegn
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
Miminten
 
PCI Compliance The Circuit
PCI Compliance The Circuit PCI Compliance The Circuit
PCI Compliance The Circuit
The Circuit
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
Dermot Clarke
 

Similaire à Risk Factory: PCI - The Essentials (20)

pci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.pptpci-comp pci requirements and controls.ppt
pci-comp pci requirements and controls.ppt
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci)
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI Compliance The Circuit
PCI Compliance The Circuit PCI Compliance The Circuit
PCI Compliance The Circuit
 
PCI Compliance Fundamentals The Circuit
PCI Compliance Fundamentals The CircuitPCI Compliance Fundamentals The Circuit
PCI Compliance Fundamentals The Circuit
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
PruebaJLF.pptx
PruebaJLF.pptxPruebaJLF.pptx
PruebaJLF.pptx
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 
PCI_Presentation_OASIS
PCI_Presentation_OASISPCI_Presentation_OASIS
PCI_Presentation_OASIS
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes
 

Plus de Risk Crew

Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013
Risk Crew
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile Devices
Risk Crew
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Crew
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data Leakage
Risk Crew
 

Plus de Risk Crew (19)

Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
 
Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a Hacker
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 Numbers
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best Practice
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big Data
 
Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013
 

Risk Factory: PCI - The Essentials

  • 2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
  • 3. The Essentials
    • What PCI compliance is and why it's important
    • Understand how to identify potential risks to card data within your business
    • Foundation in data risk management
    • How to communicate the importance of PCI to stakeholders
    • The keys to achieving and maintaining compliance
    • How to avoid fines
  • 5. Where did it come from?
    Restaurants sue POS vendor over data breach (Dec’09): Nearly 100 customers had their identities stolen as a result of "Aloha" POS software payment terminals that were not PCI-DSS compliant. They have to pay for forensic audits to trace the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals.
  • 6.
  • 7. Diagram: the PCI Data Security Standard at the centre, fed by Industry Best Practices, ADC Forensics Results, Security Scans, On Site Audits, the Self-Assessment Questionnaire, Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs), the Community Meeting and the Advisory Board, with proactive feedback from QSAs, ASVs and POs.
  • 9. Applies to:
    • Systems that store, process or transmit cardholder data
    • Systems that connect to them
    Compliance is mandatory – enforced through merchant services agreements
  • 10. 6 Goals, 12 Requirements
    The PCI DSS standard is based upon the following 6 core principles and 12 requirements (264 control requirements):
    Build and Maintain a Secure Network
      • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
      • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
    Protect Cardholder Data
      • Requirement 3: Protect stored cardholder data.
      • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
    Maintain a Vulnerability Management Program
      • Requirement 5: Use and regularly update anti-virus software.
      • Requirement 6: Develop and maintain secure systems and applications.
    Implement Strong Access Control Measures
      • Requirement 7: Restrict access to cardholder data by business need-to-know.
      • Requirement 8: Assign a unique ID to each person with computer access.
      • Requirement 9: Restrict physical access to cardholder data.
    Regularly Monitor and Test Networks
      • Requirement 10: Track and monitor all access to network resources and cardholder data.
      • Requirement 11: Regularly test security systems and processes.
    Maintain an Information Security Policy
      • Requirement 12: Maintain a policy that addresses information security.
  • 11. 264 Controls
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
    1.1 Establish firewall configuration standards that include the following:
      1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
      1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
      1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
      1.1.4 Description of groups, roles and responsibilities for logical management of network components.
      1.1.5 Documented list of services/ports necessary for business.
      1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
      1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented.
      1.1.8 Quarterly review of firewall and router rule sets.
      1.1.9 Establish configuration standards for routers.
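Controls 1.1.5 to 1.1.8 above are the ones a reviewer can mechanise rather than eyeball. The Python script below is an added example and not code from the Risk Factory deck: it parses a small constructed rule listing, checks each allow rule against the documented services/ports list (1.1.5), flags risky or non-baseline protocols that have no justification on file (1.1.6, 1.1.7), and reports whether the quarterly rule-set review (1.1.8) is overdue. The listing format, the `DOCUMENTED_PORTS` and `JUSTIFICATIONS` inputs and all function names are assumptions, as is treating HTTPS as the deck's "SSL" entry.

```python
"""Check a firewall rule set against the documented list of business services.

Added example for the Requirement 1.1 controls (PCI DSS 1.1.5 to 1.1.8); not
code from the Risk Factory deck. The rule listing format, the policy inputs and
the helper names are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# 1.1.6: protocols the deck lists as acceptable without extra justification.
# "HTTPS" stands in for the deck's "SSL" entry (assumption).
BASELINE_PROTOCOLS = {"HTTP", "HTTPS", "SSH", "VPN"}
# 1.1.7: protocols the deck calls risky and requiring documented justification.
RISKY_PROTOCOLS = {"FTP"}


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # service label as written in the rule set
    port: int
    action: str     # "allow" or "deny"


def parse_rules(listing: str) -> list[Rule]:
    """Parse a constructed 'name protocol port action' listing; '#' starts a comment."""
    rules: list[Rule] = []
    for raw in listing.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, proto, port, action = line.split()
        rules.append(Rule(name, proto.upper(), int(port), action.lower()))
    return rules


def review_rules(rules: list[Rule], documented_ports: set[int],
                 justifications: dict[str, str]) -> list[str]:
    """Return one finding per deviation from the configuration standard.

    1.1.5: an allow rule opens a port that is not on the documented services list
    1.1.7: a risky protocol is allowed with no justification recorded for the rule
    1.1.6: any other non-baseline protocol is allowed without justification
    """
    findings: list[str] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules do not expose a service
        if r.port not in documented_ports:
            findings.append(f"{r.name}: port {r.port} ({r.protocol}) is not on the documented services list (1.1.5)")
        if r.name in justifications:
            continue  # a justification on file satisfies 1.1.6 / 1.1.7 for this rule
        if r.protocol in RISKY_PROTOCOLS:
            findings.append(f"{r.name}: risky protocol {r.protocol} allowed without justification (1.1.7)")
        elif r.protocol not in BASELINE_PROTOCOLS:
            findings.append(f"{r.name}: protocol {r.protocol} is outside the baseline and needs documented justification (1.1.6)")
    return findings


def review_overdue(last_review: str, today: str, max_days: int = 92) -> bool:
    """1.1.8: quarterly rule-set review. Dates are ISO strings (YYYY-MM-DD);
    True when more than roughly one quarter has passed since the last review."""
    delta = date.fromisoformat(today) - date.fromisoformat(last_review)
    return delta.days > max_days


# Constructed inputs: a small rule set and the documented services list.
CONSTRUCTED_RULES = """
web-in      HTTPS  443  allow
ssh-admin   SSH    22   allow
legacy-ftp  FTP    21   allow   # port documented, but no justification recorded
telnet-old  TELNET 23   allow
block-all   ANY    0    deny
"""
DOCUMENTED_PORTS = {443, 22, 21}          # 1.1.5 services/ports necessary for business
JUSTIFICATIONS: dict[str, str] = {}       # rule name -> documented reason; none filed


def run_review() -> list[str]:
    """Review the constructed rule set and return the findings."""
    return review_rules(parse_rules(CONSTRUCTED_RULES), DOCUMENTED_PORTS, JUSTIFICATIONS)


if __name__ == "__main__":
    for finding in run_review():
        print(finding)
    print("rule-set review overdue:", review_overdue("2010-01-15", "2010-06-01"))
```

Each finding cites the control it relates to, so the output doubles as the documentation trail an assessor will ask for; a real deployment would replace `parse_rules` with the export format of the firewall in use and feed the findings into the change-approval process of 1.1.1.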
  • 13. Cardholder Data? (card diagram labels: Magnetic stripe, Chip, Card account number (PAN), Expiry date, Card number)
  • 16. De-Scoping
    • Network segmentation is not a PCI DSS control requirement
    • De-scoping is where you set the cost baseline for the project.
    • Take your time.
    • The more you can take out of scope – the less it will cost to implement the controls.
  • 17. Quiz 1
    1. The PCI DSS applies to all systems that ________, __________, or _________ card data.
    2. The PCI DSS is comprised of _________ principles, ___________ requirements and 264 controls.
    3. The PCI DSS is a checklist of controls. True/False?
    4. Controls only apply to systems “in scope”. True/False?
    5. We can store sensitive card holder data. True/False?
  • 19. The Players
    • Card Brands
    • PCI Council
    • Acquirers
    • QSA
    • ASV
    • Merchants
    • Service Providers
  • 20. Relationships Matrix (diagram: Acquirer, Merchant, Service Provider, Cardholder)
  • 21. Concerns & Consequences (diagram: Cardholder Data Targeted, Cardholder Victimized, Government Intervention, Media Scrutiny, Regulatory Enforcement)
  • 22. Cardholder Data Exposure (diagram: Service Provider, Service Provider, Payment Application)
  • 23. Service Providers
    • Businesses that facilitate processing, storage or transmission of card data on behalf of a Merchant or Acquirer.
    • Any business requiring connectivity to a card holder network or application.
  • 24.
  • 25. Quiz 2
    1. The __________ issue fines for non-compliance.
    2. A service provider is defined as either ______________ or __________________.
    3. Merchant Levels are determined by the _________ of ___________ per __________.
    4. QSAs are monitored by _______________
    5. The Acquirers set the compliance deadlines for the Merchants. True/False?
  • 28. Key Documentation
    • Card Data Security Policy
    • Comprehensive Network Diagram
    • Evidence
    • 3rd Party Agreements
    • End User Agreements
    • Security Vulnerability Scan Reports
    • Security Penetration Reports
  • 29. Key Actions
    • Gap Analysis
    • Remediation
    • Monthly Acquirer Reports
    • Audit-ready (Evidence in place)
    • Pass ASV scan
    • Network Security Penetration Test
    • Application Security Penetration Test
    • Validation
    • RoC to Acquirer / Card Brands
    • Annual Revalidation
  • 30. Process – not a checklist
  • 32. Quiz 3
    1. RoC is an acronym for ____________ on ____________.
    2. AoC is an acronym for ____________ of ____________.
    3. SAQ is an acronym for _________ ________ ________.
    4. I need to pass both an ASV scan and penetration test prior to validation. True/False.
    5. These quizzes are getting on my nerves. True/False
  • 34. Situation: You have a bank owned terminal (BOT) taking credit card payments at your site. It is connected directly to the bank and is not connected to your local systems.
    Problem: Is it “in scope” of PCI DSS? Design a process for determining your answer.
    Dilemma: What problem do you still have?
  • 37. Policies
    1. INTRODUCTION
      • Required for the protection of client card data.
    2. APPLICABILITY
      • All employees, contractors and 3rd party suppliers.
    3. COMPLIANCE
      • Compliance Manager monitors & enforces
      • Collaborative effort
      • Non-compliance = disciplinary action
    4. REVIEW, UPDATES & MAINTENANCE
      • Annual
      • 30 days after significant changes
    5. EXCEPTIONS
      • Require Compliance Manager’s prior approval
    6. PROGRAM MANAGEMENT
  • 38. Policies
    6.1 ANNUAL DOCUMENTATION
      • Current network diagram
      • Card data asset register
      • Card data flow diagram clearly indicating all credit card dependent business processes
      • List of all roles having access to card data
      • 3rd Party Statements of Compliance
    6.2 INFORMATION SECURITY RISK ASSESSMENTS
      • Annually
      • Prior to significant changes
    6.3 MINIMISE HOLDINGS
    6.4 CARD DATA ASSET REGISTER
      • Maintain current list of all devices hosting card data
    6.5 ASSET CLASSIFICATION
      • Hardware & software marked “Company Confidential”
  • 39. Policies
    6.6 EMPLOYEE CHECKS
      • Staff with access to card data = criminal & credit checks
    6.7 SECURITY TRAINING
      • Initial
      • Annual update
    6.8 3rd PARTY CONNECTIVITY AGREEMENTS
      • Condition of connectivity
    6.9 3rd PARTY COMPLIANCE
    6.10 3rd PARTY AUDITS
      • Initial
      • Annual verification
  • 40. Policies
    6.11 NETWORK SECURITY VULNERABILITY SCANNING
      • Done quarterly – Pass – submitted to Acquirer
    6.12 NETWORK SECURITY PENETRATION TESTING
      • Annually
      • After significant changes
    6.13 APPLICATION SECURITY PENETRATION TESTING
      • Applies to all applications that process/store/transmit card data
      • Conducted prior to launch
      • After significant changes
      • Annually
    7. SYSTEM SECURITY
    7.1 FIREWALL & ROUTER CONFIGURATIONS
      • As stated in Annex
  • 41. Policies
    7.2 PASSWORDS & SECURITY ADMINISTRATION
      • Vendor accounts & defaults removed
      • Admin access encrypted
      • Configuration security build standards
    7.3 CARD DATA STORAGE
      • Minimise!
      • Data Retention Policy
      • Do not store authentication data
    7.4 CARD DATA TRANSMISSION
      • Encrypted when sent over public networks (email, etc.)
    7.5 ANTI-VIRUS MANAGEMENT
      • Software on all systems that process, store or transmit card data
    7.6 SYSTEM MONITORING
      • Quarterly testing for wireless
      • Implement IDS
      • File integrity monitoring
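Minimising holdings (6.3, 7.3) and keeping the card data asset register (6.4) both start with knowing where unmasked PANs actually sit, and slide 13 tells you what to look for. The Python below is an added example, not code from the Risk Factory deck: it scans constructed application log lines for 13 to 19 digit candidates, keeps only those that pass the Luhn check so order numbers and timestamps drop out, masks each hit to the first six and last four digits (the PCI DSS 3.3 masking limit), and lists the lines that carry sensitive authentication data fields, which 7.3 says must not be stored. The log format, the field names (`card=`, `cvv=`) and the function names are assumptions; the card numbers are constructed Luhn-valid test values, not real accounts.

```python
"""Find and mask primary account numbers (PANs) in text a merchant holds.

Added example for the cardholder data (slide 13) and card data storage (7.3)
points; not code from the Risk Factory deck. The constructed log lines, the
field names and the helper names are assumptions chosen for illustration.
"""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data must not be stored after authorisation; these
# key names are constructed for the sample log format.
SAD_FIELD = re.compile(r"\b(?:cvv2?|cvc|pin|track[12]?)=", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters order numbers and timestamps out of candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_of(match: re.Match) -> str:
    return re.sub(r"[ -]", "", match.group())


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (offset, digits) for every Luhn-valid candidate in the text."""
    hits: list[tuple[int, str]] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_of(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), digits))
    return hits


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS 3.3 masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate PAN with its masked form; leave the rest."""
    def _sub(m: re.Match) -> str:
        digits = _digits_of(m)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return m.group()
    return PAN_CANDIDATE.sub(_sub, text)


def sad_lines(text: str) -> list[int]:
    """1-based numbers of lines that carry a sensitive authentication data field."""
    return [i for i, line in enumerate(text.splitlines(), 1) if SAD_FIELD.search(line)]


# Constructed application log: two unmasked test PANs, one already masked PAN,
# a 13-digit order id that is not Luhn-valid, and an unrelated line.
CONSTRUCTED_LOG = """\
2010-03-01 09:14:02 app order=1234567890123 card=4111 1111 1111 1111 status=approved
2010-03-01 09:15:11 app order=1234567890124 card=411111******1111 status=approved
2010-03-01 09:16:45 app card=5500-0000-0000-0004 cvv=123 status=declined
2010-03-01 09:17:30 app user=alice action=login
"""


if __name__ == "__main__":
    for offset, pan in find_pans(CONSTRUCTED_LOG):
        print(f"unmasked PAN at offset {offset}: {mask_pan(pan)}")
    print("lines storing authentication data:", sad_lines(CONSTRUCTED_LOG))
    print(redact(CONSTRUCTED_LOG))
```

Run over log archives, exports and shared drives, the hit list feeds the card data asset register and the data flow diagram; the redacted output is what a log should have contained in the first place. The Luhn filter removes most false positives but not all, so hits still need a human confirmation before a system is declared in or out of scope.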
  • 42. Policies
    8. APPLICATION SECURITY
      • Software security development lifecycle procedures
      • Change control procedures as detailed in Annex
      • Patches
      • Process to keep up to date with new application threats
    9. LOGS & RECORDS
      • System logs as detailed in Annex
    10. SYSTEM USER SECURITY
      • Need to know
      • Password
      • Screensaver, lock outs
    11. PHYSICAL ACCESS CONTROLS
      • Facility access control, locks, alarms
      • Visitor badging
      • Protection of hard copy card data
  • 43. Quiz 4
    1. The Card Data Security Policy only applies to your employees. True/False?
    2. __________ is responsible for 3rd party compliance verification.
    3. Credit and criminal records checks need to be conducted for all employees. True/False?
    4. Identification badges are required for access to any facility. True/False?
    5. This guy uses way too much mousse in his hair. True/False.
  • 45. Controls
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
    1.1 Establish firewall configuration standards that include the following:
      1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
      1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
      1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
      1.1.4 Description of groups, roles and responsibilities for logical management of network components.
      1.1.5 Documented list of services/ports necessary for business.
      1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
      1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented.
      1.1.8 Quarterly review of firewall and router rule sets.
      1.1.9 Establish configuration standards for routers.
  • 46. Evidence
    • Types
      • Observation (configuration or process)
      • Documentation
      • Interview
      • Technical (monitoring of network traffic)
    • Required for each and every control!
  • 47. Controls Example
    Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
    1.1 Establish firewall configuration standards that include the following:
    1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
      • Observation (configuration)
      • Observation (process)
      • Documentation (firewall rule set)
      • Interview (systems administrator)
      • Technical (monitoring of network traffic)
  • 48. Policy Example
    Requirement 12: Maintain a policy that addresses information security for employees and contractors.
    12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.
      • Observation (configuration)
      • Observation (process)
      • Documentation (policy)
      • Interview (receptionist)
      • Technical (none)
  • 49. Compensating Controls
    • Used only when a specific control cannot be implemented due to a business process
    • Implement “risk-based” supplementary control(s)
    • Designed for the business
    • Accepted by the business
    • Must be accompanied by supporting evidence
    • Accompanied by supporting processes
  • 50. Compensating Controls worksheet: the information required for each row, followed by the Company XYZ example.
    1. Constraints: List constraints precluding compliance with the original requirement.
       Example: Company XYZ employs stand-alone Unix servers without LDAP. As such, they each require a “root” login. It is not possible for Company XYZ to manage the “root” login, nor is it feasible to log all “root” activity by each user.
    2. Objective: Define the objective of the original control; identify the objective met by the compensating control.
       Example: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
    3. Identified Risk: Identify any additional risk posed by the lack of the original control.
       Example: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
    4. Definition of Compensating Controls: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
       Example: Company XYZ is going to require all users to log into the servers from their desktops using the SU command. SU allows a user to access the “root” account and perform actions under the “root” account, but is able to be logged in the SU-log directory. In this way, each user’s actions can be tracked through the SU account.
    5. Validation of Compensating Controls: Define how the compensating controls were validated and tested.
       Example: Company XYZ demonstrates to the assessor that the SU command is being executed and that those individuals utilizing the command are logged, to identify that the individual is performing actions under root privileges.
    6. Maintenance: Define process and controls in place to maintain compensating controls.
       Example: Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered, or removed to allow individual users to execute root commands without being individually tracked or logged.
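Validation and maintenance of the compensating control above rest on the su log being complete and readable: if an assessor cannot trace each root session to a person from the log, the control has not met the objective in row 2. As an added example that is not part of the Risk Factory deck, the Python below parses constructed syslog-style su entries, counts successful su-to-root sessions per named user, counts failed attempts, and reports anyone who reached root but is not on the documented administrator list. The host name, user names and the `APPROVED_ADMINS` list are constructed, and the helper names are assumptions; the line layout follows the classic `su: (to root) user on tty` syslog format.

```python
"""Attribute root activity to named users from su log entries.

Added example for the compensating-control worksheet (root access obtained
through su and logged per user); not code from the Risk Factory deck. The log
lines are constructed in the classic syslog format written by su; the approved
administrator list and the helper names are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter

# "Mar  5 09:02:11 host su[1234]: (to root) alice on pts/0"
# "Mar  5 10:15:03 host su[4402]: FAILED SU (to root) mallory on pts/2"
SU_EVENT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>[^)]+)\) (?P<user>\S+) on (?P<tty>\S+)$"
)


def parse_su_events(log: str) -> list[dict]:
    """Return one dict per su line; lines from other daemons are skipped."""
    events: list[dict] = []
    for line in log.splitlines():
        m = SU_EVENT.match(line)
        if m:
            event = m.groupdict()
            event["failed"] = event["failed"] is not None
            events.append(event)
    return events


def root_sessions_by_user(events: list[dict]) -> dict[str, int]:
    """Successful su-to-root sessions per originating user: the traceability
    the worksheet's objective row requires."""
    return dict(Counter(e["user"] for e in events
                        if e["target"] == "root" and not e["failed"]))


def failed_root_attempts(events: list[dict]) -> dict[str, int]:
    """Failed su-to-root attempts per user, for the monitoring review."""
    return dict(Counter(e["user"] for e in events
                        if e["target"] == "root" and e["failed"]))


def unapproved_root_users(events: list[dict], approved: set[str]) -> set[str]:
    """Users who obtained root but are not on the documented administrator list."""
    return set(root_sessions_by_user(events)) - approved


# Constructed log excerpt: one host, three users, one non-root su, one sshd line.
CONSTRUCTED_SULOG = """\
Mar  5 09:02:11 pci-db1 su[4321]: (to root) alice on pts/0
Mar  5 09:40:57 pci-db1 su[4388]: (to root) bob on pts/1
Mar  5 10:15:03 pci-db1 su[4402]: FAILED SU (to root) mallory on pts/2
Mar  5 10:15:09 pci-db1 su[4403]: FAILED SU (to root) mallory on pts/2
Mar  5 11:30:44 pci-db1 su[4511]: (to root) alice on pts/0
Mar  5 12:01:00 pci-db1 su[4590]: (to oracle) bob on pts/1
Mar  5 13:22:18 pci-db1 sshd[4602]: Accepted publickey for carol from 10.0.0.5 port 51022 ssh2
"""
APPROVED_ADMINS = {"alice"}   # constructed: documented list of root-entitled staff


if __name__ == "__main__":
    events = parse_su_events(CONSTRUCTED_SULOG)
    print("root sessions by user:", root_sessions_by_user(events))
    print("failed root attempts:", failed_root_attempts(events))
    print("root obtained by unapproved users:", unapproved_root_users(events, APPROVED_ADMINS))
```

The three summaries map onto the worksheet: the per-user session count is the validation evidence for row 5, the unapproved-user set is what the maintenance process in row 6 should be catching, and a day with root activity but no su entries at all is the signal that the logging configuration has been changed or removed.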
  • 51. Quiz 5
    1. Name the four types of evidence generally required.
    2. If you cannot implement a control you will fail the audit. True/False?
    3. Compensating controls are _________ based and must be accepted by ___________________.
    4. When designing a compensating control you must always consider the ____________ objective.
    5. If I just nod once in a while, this guy actually thinks I’m listening to him. True/False.
  • 53. Milestones
    • Risk based prioritisation of implementation of the controls established by card brands
    • Milestone 1 – Identify what you have, where you have it and write policies to protect it.
    • Milestone 2 – Network integrity
    • Milestone 3 – Code integrity
    • Milestone 4 – Logs & records
    • Milestone 5 – Incidents
    • Milestone 6 – Auditing & testing
  • 54. Timelines
    • Missed deadline
    • Milestones 1-4
    • Validation
    • SAQ
    • AoC to Acquirer
    • Annual Recertification
  • 55. How will you get there?
    • By starting and maintaining momentum!
    • Document everything
    • Monthly Acquirer reports
    • Quick resolution of questions
    • Compensating controls
    • Site visits – practice audits
    • Disseminating information
  • 56. 2 Words: Due diligence
  • 58. Intent: Give PCI a Chance! Minimise risk to card holder data
  • 59. Business Messages
    • Card brand service requirements
    • Regulatory requirement
    • Losses impact our clients
    • Lost client confidence = Lost £
    • System down time = Lost £
    • Repair costs = Lost £
    • Data theft & fraud = Lost £
    • Reputation losses = Lost £
    • Fines = Lost £
  • 60. Employee
    • Security of our customer credit card data is critical to our mission.
    • We’ve implemented a detailed security program to protect this data.
    • Security is your responsibility.
    • Security is everyone’s responsibility.
    • Failure to meet this responsibility…
    • We need your help and suggestions.
  • 61. Partner
    • Protection of our customer data is mission critical to us.
    • We have implemented a PCI DSS compliance program and are pending formal certification.
    • Regulatory compliance is a shared responsibility.
    • Connectivity to our systems requires compliance with PCI DSS controls as a condition of contract.
    • How can we help you?
  • 62. Customer
    • We are implementing a PCI DSS compliance program and are pending formal certification.
    • We require all of our partners and suppliers to meet PCI DSS controls.
    • We have implemented a rigorous security testing program to ensure the security integrity of our systems.
    • Protection of your personal data is critical to our business.
    • If you have any question regarding our policies – do not hesitate to contact us.
  • 63. Last Quiz
    1. Name a business message.
    2. Name an employee message.
    3. Name a client message.
    4. Name a partner message.
    5. Name all five members of the original Jackson 5.
  • 65. If Nothing Else, Remember
    • PCI DSS is a “risk management framework”
    • Implementation does not guarantee security
    • A framework only serves to identify, minimise and manage the risk of compromise.
    • At the day’s end - You still own the risk.
  • 67. 26 Dover Street, London, United Kingdom. +44 (0)20 3170 8955; +44 (0)20 3008 6011 (fax)

Editor's notes

  1. Your security soul
  2. It’s a jungle out there
  3. Templates such as solutions architecture documents, RFIs, RFPs,
  4. An enlightened security pilgrim is worth his weight in gold to your organization.