Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking. However, with the right approach it can be substantially less burdensome. In this webcast, we will provide background and recommendations to help you make the best possible decisions regarding PCI for your PaaS-based application. If you currently accept, or are contemplating accepting a payment card on your web application, this webcast is for you. In this presentation you will learn about: -An overview of PCI -How to scope your environment for PCI compliance -Ways to make compliance more manageable, and -Things to consider when approaching PCI compliance on a PaaS provider. To view the full webcast on-demand: http://pages.engineyard.com/an-introduction-to-pci-compliance-on-a-paas.html

1. Engine Yard - Confidential

2. Ryan Gurney
Director, Security & Compliance
Engine Yard
rgurney@engineyard.com
02/28/2012

3. • Overview of PCI
• Make PCI Manageable
• Scope Effectively
• PCI on PaaS
• Q&A
02/28/2012 3

4. 02/28/2012 4

5. Requirements for storing, processing
or transmitting payment card data
Endorsed by the major card brands
Four levels of validation depending on
transaction volume
Enforced through incentives, fines
or termination of privileges
02/28/2012 5

6. Data Security Key Areas of Focus
Build and
Maintain a
Secure Network
Protect
Cardholder Data
Information Network
Maintain a Security Security
Vulnerability Policies
Management
Program
PCI Encryption
Implement Strong Remediation Logging Key Management Log Review
Access Control Strategy Access Control
Measures & Management
Maintain an
Information File Integrity
Security Policy Monitoring
Regularly Monitor
and Test Networks Vulnerability
Management
02/28/2012 6

7. • Being PCI compliant does
not provide assurances that a
data breach will not occur.
Of the card accepting
merchants that sustained a
data breach in 2009, 21% of
them had previously been
validated as PCI-compliant.
• The average cost of a data
breach globally is $3.43
million -- or $142 per 1 Ponemon Institute and PGP study
customer record. In the U.S.,
the cost is $6.65 million or
Insider threats matter!
$208 per customer record.
02/28/2012 7

8. PCI compliance is required,
however meeting compliance has
Scope Specific
traditionally placed a high cost in
time and money on organizations.
– Only 21% of companies Fail One Low
achieve PCI compliance their Control, Regard
Fail for Risk
first time through the process. Audit Process
– PCI is not something that can
be “crossed off the list” once
your organization attains an Vendors Costly
initial certification.
Regular
Manage
Point in time audit, but not Audit
point in time governance!
02/28/2012 8

9. 02/28/2012 9

10. Document • Determine the payment
Card card data entry,
processing, storage and
Locations exit points
• Map the logical flow of
Map Data
data throughout the
Flow environment
• Includes all
Identify systems, apps,
Infrastructure DBs, and network
devices supporting
the data flows
02/28/2012 10

11. 02/28/2012 11

12. http://www.engineyard.com/partner/braintree
02/28/2012 12

13. 02/28/2012 13

14. • Process Evaluation: Do we need
Requirements to retain the full PAN?
• Outsourcing: Can someone else
Reduction handle the transactions and
compliance burden?
• Environment Redesign: Can we
consolidate our payment
Scope environment?
• Tokenization
Reduction • Network Segmentation
• Point-to-Point Encryption
02/28/2012 14

15. 02/28/2012 15

16. The Platform
Can I meet my
I expect a certain level customer’s
of security in my security
environment. requirements in
the Cloud?
Your Customers
Regulators
IaaS Provider
02/28/2012 16

17. Your Data
Risk Evaluation,
Roles &
Roadmap, &
Responsibilities
Improvement
PaaS
Provider
Logging & Security
Monitoring Capabilities
Access Controls
02/28/2012 17

18. 02/28/2012 18

19. More Information:
• PCI Council
http://ey.io/PCI-council
• Cloud Security Alliance
http://ey.io/cs-alliance
• Engine Yard PCI whitepaper
http://ey.io/paaspci
Feedback / Questions:
• Ryan Gurney - rgurney@engineyard.com
02/28/2012 19