SlideShare une entreprise Scribd logo

PCI DSS Implementation: A Five Step Guide

AlienVault
AlienVault

Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be as long you have the right plan and tools in place. In this guide you’ll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization. AlienVault PCI DSS Compliance: https://www.alienvault.com/solutions/pci-dss-compliance Have a question? Ask it in our forum: http://forums.alienvault.com More videos: http://www.youtube.com/user/alienvaulttv AlienVault Blogs: http://www.alienvault.com/blogs AlienVault: http://www.alienvault.com

Technologie
1  sur  15
Télécharger pour lire hors ligne
PCI DSS Implementation: A 5 Step Guide www.alienvault.com
If you haven’t guessed it by now, achieving and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be as long you have the right plan and tools in place. In this paper you’ll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization.   The steps described in this paper are meant for readers already aware of each requirement within the PCI DSS. If you are not, you can head over to the PCI Standards Council website for a breakdown of all the requirements and then return to this paper for implementation and maintenance best practices. Additionally, the steps described here will be geared towards small to medium organizations that are required to comply with all components of the PCI DSS and not just portions of it. This resource was created in conjunction with Terra Verde Services. PCI DSS Implementation: A 5 Step Guide
PCI DSS Compliance Checklist The recipe for implementing and maintaining PCI DSS compliance includes the following five steps: • Determine Your True Business Requirements • Inventory Locations and Assets • Segment the Environment • Operationalize Controls • Automate Controls and Control Reporting
Often, most organizations don’t directly process credit cards. Instead they offload some of the risk to a third party. In this scenario you still need to ensure that the third- party is PCI compliant, but why incur the cost of PCI implementation and maintainance of all the controls if you don’t need to. There are many reasons why data is needed in organizations and most of the time it revolves around customer convenience or user experience. Although these are valid reasons, organizations should still do a thorough cost/benefit analysis on both short- term control PCI implementation and long-term control maintenance to gain a better understanding of the true impact of going down this path. It’s important to keep in mind that PCI DSS compliance is not a one-time event, but an ongoing process and, ultimately, a change to the way you do business. For instance, there will be long-term impacts including investments in training, personnel, and technology. Notice that technology is last here. Implementing PCI DSS is more about process than technology. You can certainly use technology to automate controls and processes, but most impacts occur in the area of internal resourcing. STEP 1Determine Your True Business Requirements
If you have determined that you truly have a business need to process credit card data, step 2 on your checklist should be to inventory all credit card locations and assets. This seems simple enough, but it’s often where many organizations struggle. Computers and computer networks are complex along with the politics in many organizations. Unless there are strong governance practices in place, it can be easy to lose track of assets in a world of agile methodologies and the constant push for new product features. For successful PCI implementation, you should be prepared to answer these fundamental questions about the PCI processing environment: STEP 2Inventory Locations and Assets • What business processes use credit card data? • Where is the cardholder data (CHD) stored? • How is the cardholder data (CHD) accessed? • What are the ports and protocols used when transmitting cardholder data (CHD)? • What technology assets are involved in the data flow? • Am I sure?
That last question from the previous slide is an interesting one. When performing GAP assessments, more often then not, you will find cardholder data flows that the customer was unaware of. Implementing PCI DSS is not just your best effort. If you have a breach, you may be on the hook for all those fraudulent transactions, as well as fines. Make sure you validate your asset inventory by sampling the systems, networks, and data stores to determine if there is cardholder data outside your defined cardholder data flows and environments. Remember this is a process. You should expect to update inventories of flows and systems on an ongoing basis depending on business and technology changes. STEP 2Inventory Locations and Assets Continued
Now that you have located everything, it’s time to segment the technologies and, in some cases, the business processes that store, process, or transmit cardholder data. Even though PCI DSS does not require segmentation, it is a critical step in reducing short and long-term costs. Many organizations fail when they attempt to segment their environment for PCI DSS compliance. This occurs when they attempt to implement PCI DSS controls across the entire organization, not realizing the impacts to other business units that don’t handle cardholder data. Also, organizations might believe they have correctly segmented the PCI environment, only to find systems outside the segmented environment that process or store cardholder data. To ensure that this doesn’t happen at your organization, make sure that you segment your processing environment and implement inventory processes described above to validate whether cardholder data is flowing into environments that it shouldn’t. Lastly, implement strong governance (e.g. change management) practices to ensure systems are located in the correct network zones prior to being moved into production. STEP 3Segment the Environment
Once controls are in a PCI DSS compliant state, the checklist changes to maintaining that compliant state. A plan should be put into place to address how PCI DSS controls will be affected when employee turnover, employee promotion and changing priorities occur.  In fact, the PCI Standards Council made changes in PCI DSS v3.0 that enforces the concept of operationalizing security controls within business-as-usual activities by requiring much more rigor around operational security procedures. This is, again, a common theme that many QSAs see when assessing organizations both big and small. The intent to be PCI compliant is there, but the willingness or ability to keep up with ongoing processes wanes without proper organizational governance and support. This may be one of the most challenging steps that your organization will face as it may involve significant organizational change. STEP 4Operationalize Controls
After implementing PCI DSS, here are some questions that may help you determine whether your control framework is operationalized for long-term success. • Is there support and awareness from your senior leadership team or board? • Is leadership fully aware of the contractual responsibility for securing cardholder data? • Are control owners assigned to each PCI control and do control owners understand their role in ensuring that the controls operate effectively? • Do written procedures exist for managing all control processes outlined within PCI DSS? • Do automated tools exist to help you operationalize ongoing security procedures (i.e. SIEM, vulnerability management, file integrity monitoring, etc.)? • Do automated tools exist to monitor the effectiveness of control activities? STEP 4Operationalize Controls Continued
The final step is actually a continuation of the concept of operationalizing controls. In order to ensure PCI compliance in the long-term, you must automate control activities. The primary reason for this is that no matter how hard we try, we humans are fallible. By removing the human element we can ensure proper control execution as well as reduce the overall cost related to performing the controls. Here is a list of processes that can be quickly automated, given the right set of tools and/or capabilities. • Asset Discovery and Management • Logging and Security Event Monitoring • File Integrity Monitoring • Incident Response Tracking • Vulnerability Identification & Management • Default Password Checks • Firewall Rule Reviews • Wireless Rogue Access Point Detection • Access Provisioning & De-provisioning STEP 5Automate Controls and Control Monitoring
AlienVault Unified Security Management (USM) Asset Discovery and Management - An essential component of achieving PCI compliance is knowing what devices are in-scope, and the patch level. With AlienVault USM, you can automate the discovery and monitoring of the devices as well as the software deployed on them. Logging and Security Event Monitoring - AlienVault USM platform aggregates, correlates, and analyzes your security event monitoring. Over 2000 correlation rules eliminate the need for manual correlation and analysis of events. Incident Response Tracking - With USM, you can automatically identify and investigate security incidents with built-in threat intelligence, as well as manage the response. File Integrity Monitoring - File Integrity Monitoring (FIM) tracks who has accessed sensitive data as well as what they did to that data. This provides a necessary audit trail, as well as allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the data.  Default Password Checks - Built-in, automated vulnerability assessment identifies the use of weak and default passwords, as well as host IDS and FIM will alert on the use of default passwords.
Must-have security Technologies for PCI DSS Compliance ALL IN A SINGLE PANE OF GLASS Learn More > Learn More > Learn More > Learn More > Learn More > Learn More > Learn More > Learn More > Learn More >
Additional Resources Demonstrating compliance with PCI DSS is far from a trivial exercise. Hopefully this check list will help you on your quest to achieve and maintain PCI DSS compliance. Good Luck! To learn more about implementing and maintaining PCI DSS compliance, check out the following additional resources: • Solution Page: How AlienVault technology can help you with PCI DSS compliance • Webinar: PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting • Solution Page: PCI DSS Log Management & Monitoring • Solution Brief: Unify your Defenses and Accelerate PCI Compliance • Video: The Easier, Faster Path to PCI Compliance
Learn More about AlienVault At AlienVault, we’ve experienced firsthand just how frustrating and challenging security can be – the struggles with failing SIEM implementations; having to settle for inadequate security due to budget constraints; shelving hundreds of thousands of dollars of security software because it is just too hard to use; and, of course, the aftermath of security breaches that could have been prevented. We founded AlienVault to help organizations of all shapes and sizes achieve world-class security without the headaches and huge expense of other solutions. And we are passionate about our mission. Learn more about AlienVault
Learn More about Terra Verde Terra Verde has provided services to clients around the world. Large government agencies, Fortune 500 companies as well as small single-practitioner offices, have seen the value of our services and solutions. These services include assessing, designing and implementing technology solutions that are both secure and value- driven. As the largest Arizona headquartered security provider, we are your local one-stop-shop for all your security and compliance needs.  Learn More About Terra Verde

Recommandé

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
VISTA InfoSec
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
ControlCase
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 

Recommandé

A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
VISTA InfoSec
 
Steps to iso 27001 implementation
Steps to iso 27001 implementationSteps to iso 27001 implementation
Steps to iso 27001 implementation
Ralf Braga
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
ControlCase
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
Kimberly Simon MBA
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
ControlCase
 
Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0
Kriangkrai Chumsaktrakul
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
mfmurat
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
Dr Madhu Aman Sharma
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
Ãsħâr Ãâlâm
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
ControlCase
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
Saumya Vishnoi
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
Dr Madhu Aman Sharma
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
mcloete
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
Vigilant Software
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
NA Putra
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
ControlCase
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
Business Beam
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai
 
ISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdfISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Stratos Lazaridis
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
Tariq Juneja
 
PCI Article C24
PCI Article C24PCI Article C24
PCI Article C24
David Ricketts
 

Contenu connexe

Tendances

Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
mfmurat
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
PECB
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Stratos Lazaridis
 

Tendances (20)

PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0Looking Forward to PCI DSS v4.0
Looking Forward to PCI DSS v4.0
 
Iso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guideIso 27001 metrics and implementation guide
Iso 27001 metrics and implementation guide
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
27001 awareness Training
27001 awareness Training27001 awareness Training
27001 awareness Training
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Iso27001 Audit Services
Iso27001 Audit ServicesIso27001 Audit Services
Iso27001 Audit Services
 
Why ISO27001 For My Organisation
Why ISO27001 For My OrganisationWhy ISO27001 For My Organisation
Why ISO27001 For My Organisation
 
NQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation GuideNQA - ISO 27001 Implementation Guide
NQA - ISO 27001 Implementation Guide
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
What is ISO 27001 ISMS
What is ISO 27001 ISMSWhat is ISO 27001 ISMS
What is ISO 27001 ISMS
 
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
Integrating ISO/IEC 27001 and ISO 31000 for Effective Information Security an...
 
ISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdfISO 27005:2022 Overview 221028.pdf
ISO 27005:2022 Overview 221028.pdf
 
NIST cybersecurity framework
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
 
ISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdfISO Survey 2021: ISO 27001.pdf
ISO Survey 2021: ISO 27001.pdf
 
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdfISO 27001_2022 What has changed 2.0 for ISACA.pdf
ISO 27001_2022 What has changed 2.0 for ISACA.pdf
 
Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...Iso 27001 in images - sample slides from different levels of training, e.g. F...
Iso 27001 in images - sample slides from different levels of training, e.g. F...
 

Similaire à PCI DSS Implementation: A Five Step Guide

Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
Kelly Lam
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
Risk Crew
 
A systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerA systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archer
Subhajit Bhuiya
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
Laura Perry
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
Divya Kothari
 

Similaire à PCI DSS Implementation: A Five Step Guide (20)

PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI Article C24
PCI Article C24PCI Article C24
PCI Article C24
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
 
PCI and Remote Vendors
PCI and Remote VendorsPCI and Remote Vendors
PCI and Remote Vendors
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
Data Sheet For Erg
Data Sheet For ErgData Sheet For Erg
Data Sheet For Erg
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
PCI DSS Compliance and Security: Harmony or Discord?
PCI DSS Compliance and Security: Harmony or Discord?PCI DSS Compliance and Security: Harmony or Discord?
PCI DSS Compliance and Security: Harmony or Discord?
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
Pci dss compliance
Pci dss compliancePci dss compliance
Pci dss compliance
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Pci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-convertedPci dss scoping and segmentation with links converted-converted
Pci dss scoping and segmentation with links converted-converted
 
Time to re think our security process
Time to re think our security processTime to re think our security process
Time to re think our security process
 
A systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archerA systematic approach to pci compliance using rsa archer
A systematic approach to pci compliance using rsa archer
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
When does a company need to be PCI compliant
When does a company need to be PCI compliantWhen does a company need to be PCI compliant
When does a company need to be PCI compliant
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 

Plus de AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
AlienVault
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
AlienVault
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
AlienVault
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
AlienVault
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
AlienVault
 

Plus de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 

Dernier

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Dernier (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

PCI DSS Implementation: A Five Step Guide

  • 1. PCI DSS Implementation: A 5 Step Guide www.alienvault.com
  • 2. If you haven’t guessed it by now, achieving and maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance can be both hard and expensive. For most small to medium sized organizations, it doesn’t have to be as long you have the right plan and tools in place. In this paper you’ll learn five steps that you can take to implement and maintain PCI DSS compliance at your organization.   The steps described in this paper are meant for readers already aware of each requirement within the PCI DSS. If you are not, you can head over to the PCI Standards Council website for a breakdown of all the requirements and then return to this paper for implementation and maintenance best practices. Additionally, the steps described here will be geared towards small to medium organizations that are required to comply with all components of the PCI DSS and not just portions of it. This resource was created in conjunction with Terra Verde Services. PCI DSS Implementation: A 5 Step Guide
  • 3. PCI DSS Compliance Checklist The recipe for implementing and maintaining PCI DSS compliance includes the following five steps: • Determine Your True Business Requirements • Inventory Locations and Assets • Segment the Environment • Operationalize Controls • Automate Controls and Control Reporting
  • 4. Often, most organizations don’t directly process credit cards. Instead they offload some of the risk to a third party. In this scenario you still need to ensure that the third- party is PCI compliant, but why incur the cost of PCI implementation and maintainance of all the controls if you don’t need to. There are many reasons why data is needed in organizations and most of the time it revolves around customer convenience or user experience. Although these are valid reasons, organizations should still do a thorough cost/benefit analysis on both short- term control PCI implementation and long-term control maintenance to gain a better understanding of the true impact of going down this path. It’s important to keep in mind that PCI DSS compliance is not a one-time event, but an ongoing process and, ultimately, a change to the way you do business. For instance, there will be long-term impacts including investments in training, personnel, and technology. Notice that technology is last here. Implementing PCI DSS is more about process than technology. You can certainly use technology to automate controls and processes, but most impacts occur in the area of internal resourcing. STEP 1Determine Your True Business Requirements
  • 5. If you have determined that you truly have a business need to process credit card data, step 2 on your checklist should be to inventory all credit card locations and assets. This seems simple enough, but it’s often where many organizations struggle. Computers and computer networks are complex along with the politics in many organizations. Unless there are strong governance practices in place, it can be easy to lose track of assets in a world of agile methodologies and the constant push for new product features. For successful PCI implementation, you should be prepared to answer these fundamental questions about the PCI processing environment: STEP 2Inventory Locations and Assets • What business processes use credit card data? • Where is the cardholder data (CHD) stored? • How is the cardholder data (CHD) accessed? • What are the ports and protocols used when transmitting cardholder data (CHD)? • What technology assets are involved in the data flow? • Am I sure?
  • 6. That last question from the previous slide is an interesting one. When performing GAP assessments, more often then not, you will find cardholder data flows that the customer was unaware of. Implementing PCI DSS is not just your best effort. If you have a breach, you may be on the hook for all those fraudulent transactions, as well as fines. Make sure you validate your asset inventory by sampling the systems, networks, and data stores to determine if there is cardholder data outside your defined cardholder data flows and environments. Remember this is a process. You should expect to update inventories of flows and systems on an ongoing basis depending on business and technology changes. STEP 2Inventory Locations and Assets Continued
  • 7. Now that you have located everything, it’s time to segment the technologies and, in some cases, the business processes that store, process, or transmit cardholder data. Even though PCI DSS does not require segmentation, it is a critical step in reducing short and long-term costs. Many organizations fail when they attempt to segment their environment for PCI DSS compliance. This occurs when they attempt to implement PCI DSS controls across the entire organization, not realizing the impacts to other business units that don’t handle cardholder data. Also, organizations might believe they have correctly segmented the PCI environment, only to find systems outside the segmented environment that process or store cardholder data. To ensure that this doesn’t happen at your organization, make sure that you segment your processing environment and implement inventory processes described above to validate whether cardholder data is flowing into environments that it shouldn’t. Lastly, implement strong governance (e.g. change management) practices to ensure systems are located in the correct network zones prior to being moved into production. STEP 3Segment the Environment
  • 8. Once controls are in a PCI DSS compliant state, the checklist changes to maintaining that compliant state. A plan should be put into place to address how PCI DSS controls will be affected when employee turnover, employee promotion and changing priorities occur.  In fact, the PCI Standards Council made changes in PCI DSS v3.0 that enforces the concept of operationalizing security controls within business-as-usual activities by requiring much more rigor around operational security procedures. This is, again, a common theme that many QSAs see when assessing organizations both big and small. The intent to be PCI compliant is there, but the willingness or ability to keep up with ongoing processes wanes without proper organizational governance and support. This may be one of the most challenging steps that your organization will face as it may involve significant organizational change. STEP 4Operationalize Controls
  • 9. After implementing PCI DSS, here are some questions that may help you determine whether your control framework is operationalized for long-term success. • Is there support and awareness from your senior leadership team or board? • Is leadership fully aware of the contractual responsibility for securing cardholder data? • Are control owners assigned to each PCI control and do control owners understand their role in ensuring that the controls operate effectively? • Do written procedures exist for managing all control processes outlined within PCI DSS? • Do automated tools exist to help you operationalize ongoing security procedures (i.e. SIEM, vulnerability management, file integrity monitoring, etc.)? • Do automated tools exist to monitor the effectiveness of control activities? STEP 4Operationalize Controls Continued
  • 10. The final step is actually a continuation of the concept of operationalizing controls. In order to ensure PCI compliance in the long-term, you must automate control activities. The primary reason for this is that no matter how hard we try, we humans are fallible. By removing the human element we can ensure proper control execution as well as reduce the overall cost related to performing the controls. Here is a list of processes that can be quickly automated, given the right set of tools and/or capabilities. • Asset Discovery and Management • Logging and Security Event Monitoring • File Integrity Monitoring • Incident Response Tracking • Vulnerability Identification & Management • Default Password Checks • Firewall Rule Reviews • Wireless Rogue Access Point Detection • Access Provisioning & De-provisioning STEP 5Automate Controls and Control Monitoring
  • 11. AlienVault Unified Security Management (USM) Asset Discovery and Management - An essential component of achieving PCI compliance is knowing what devices are in-scope, and the patch level. With AlienVault USM, you can automate the discovery and monitoring of the devices as well as the software deployed on them. Logging and Security Event Monitoring - AlienVault USM platform aggregates, correlates, and analyzes your security event monitoring. Over 2000 correlation rules eliminate the need for manual correlation and analysis of events. Incident Response Tracking - With USM, you can automatically identify and investigate security incidents with built-in threat intelligence, as well as manage the response. File Integrity Monitoring - File Integrity Monitoring (FIM) tracks who has accessed sensitive data as well as what they did to that data. This provides a necessary audit trail, as well as allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the data.  Default Password Checks - Built-in, automated vulnerability assessment identifies the use of weak and default passwords, as well as host IDS and FIM will alert on the use of default passwords.
  • 12. Must-have security Technologies for PCI DSS Compliance ALL IN A SINGLE PANE OF GLASS Learn More > Learn More > Learn More > Learn More > Learn More > Learn More > Learn More > Learn More > Learn More >
  • 13. Additional Resources Demonstrating compliance with PCI DSS is far from a trivial exercise. Hopefully this check list will help you on your quest to achieve and maintain PCI DSS compliance. Good Luck! To learn more about implementing and maintaining PCI DSS compliance, check out the following additional resources: • Solution Page: How AlienVault technology can help you with PCI DSS compliance • Webinar: PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting • Solution Page: PCI DSS Log Management & Monitoring • Solution Brief: Unify your Defenses and Accelerate PCI Compliance • Video: The Easier, Faster Path to PCI Compliance
  • 14. Learn More about AlienVault At AlienVault, we’ve experienced firsthand just how frustrating and challenging security can be – the struggles with failing SIEM implementations; having to settle for inadequate security due to budget constraints; shelving hundreds of thousands of dollars of security software because it is just too hard to use; and, of course, the aftermath of security breaches that could have been prevented. We founded AlienVault to help organizations of all shapes and sizes achieve world-class security without the headaches and huge expense of other solutions. And we are passionate about our mission. Learn more about AlienVault
  • 15. Learn More about Terra Verde Terra Verde has provided services to clients around the world. Large government agencies, Fortune 500 companies as well as small single-practitioner offices, have seen the value of our services and solutions. These services include assessing, designing and implementing technology solutions that are both secure and value- driven. As the largest Arizona headquartered security provider, we are your local one-stop-shop for all your security and compliance needs.  Learn More About Terra Verde