PCI DSS in Pictures and What to Expect in PCI 3.0
www.sisainfosec.com
Praveen Joseph Vackayil
CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE
Introductions
SISA
Consulting
PCI DSS
• PCI QSA Validation Services (PCI DSS)
• PCI ASV Scanning Services (PCI DSS)
• PCI Assurance Services (SAQ)
PA DSS
• PA QSA Validation Services (PA-DSS)
Advisory
• Risk Assessment (IS-RA)
• Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
• Application Pen Test and Code Review
• Network VA and Pen Test
• Forensics
Training
• CPISI – PCI DSS Implementation
• CISRA – Risk Assessment Implementation
• OCTAVE (SEI-CMU) Security Risk Assessment Workshop
• ISO 27001 Implementation Workshop
• Business Continuity Management Workshop
• Secure Coding in .NET
• Awareness Sessions
Products
• SISA Security Assistant: compliance management tool for PCI DSS, HIPAA, FFIEC, FISMA, ISO 27001 and Application Security
About SISA
• SISA Information Security Pvt Ltd, Asia
• SISA Information Security Inc., Americas
• SISA Information Security WLL, EMEA
Consulting – Training – Products
Customers in 25 countries
Our customers include some of the world's biggest banks, merchants, IT companies, BPOs and telecoms.
PCI DSS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
1. Network Diagram
• Formal
• Comprehensive: every connection to cardholder data, including wireless
2. Network Device Administration
• Change management for every firewall and router change
• Console connections
• Remote connections
3. Network Device Maintenance
• Documented business justification for every rule, service, protocol and port allowed
• Firewall rule review at least every 6 months
4. Placement of Firewalls
• Between the Internet and the DMZ
• Between the DMZ and the internal network
5. Configuration of Firewalls
• Stateful inspection
• Filter traffic between the internal and external networks; deny everything not explicitly allowed
• NAT for internal IP addresses, so internal addressing is never disclosed to the Internet
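The rule-review points on this slide (business justification per rule, six-monthly review, Internet traffic terminating in the DMZ rather than the internal network) can be turned into a repeatable check. The script below is an added example, not material from the original deck: it reviews a rule set against those three points plus a catch for any-to-any permits. The address plan (DMZ 172.16.1.0/24, internal 10.0.0.0/8), the rule fields and the sample rules are all assumptions constructed for the example.

```python
"""Firewall rule-set review helper (added example, not from the original deck).

Applies the Requirement 1 points to a rule set: every rule needs a documented
business justification, rules must be re-reviewed at least every six months,
and Internet-sourced traffic may reach the DMZ but never the internal network
directly. Address plan, rule fields and sample rules are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Assumed address plan for the example environment.
DMZ = ipaddress.ip_network("172.16.1.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
REVIEW_INTERVAL = timedelta(days=182)  # "at least every six months"


@dataclass
class Rule:
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    port: str           # TCP/UDP port or "any"
    action: str         # "allow" or "deny"
    justification: str  # documented business reason for the rule
    last_reviewed: date


def _is_any(cidr: str) -> bool:
    return cidr.lower() in ("any", "0.0.0.0/0", "::/0")


def _inside(cidr: str, net: ipaddress.IPv4Network) -> bool:
    """True if the address range lies entirely inside `net` ('any' never does)."""
    return not _is_any(cidr) and ipaddress.ip_network(cidr, strict=False).subnet_of(net)


def _from_internet(cidr: str) -> bool:
    """A source counts as Internet if it is 'any' or lies outside both trusted zones."""
    return _is_any(cidr) or not (_inside(cidr, DMZ) or _inside(cidr, INTERNAL))


def review_rules(rules, today):
    """Return (rule name, issue) pairs for every rule that fails a check."""
    findings = []
    for r in rules:
        if not r.justification.strip():
            findings.append((r.name, "no documented business justification"))
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.name, "not reviewed within the last six months"))
        if r.action != "allow":
            continue  # the remaining checks target permissive rules only
        if _is_any(r.src) and _is_any(r.dst) and r.port == "any":
            findings.append((r.name, "allows any source to any destination on any port"))
        if _from_internet(r.src) and _inside(r.dst, INTERNAL):
            findings.append((r.name, "Internet traffic reaches the internal network directly, bypassing the DMZ"))
    return findings


# Constructed sample rule set; TODAY is fixed so the review is reproducible.
TODAY = date(2013, 11, 7)
SAMPLE_RULES = [
    Rule("web-in", "any", "172.16.1.10/32", "443", "allow",
         "Public storefront HTTPS", date(2013, 10, 1)),
    Rule("db-direct", "203.0.113.0/24", "10.1.1.5/32", "1433", "allow",
         "Partner reporting feed", date(2013, 10, 1)),
    Rule("mgmt-ssh", "10.0.0.0/8", "172.16.1.0/24", "22", "allow",
         "", date(2013, 10, 1)),
    Rule("any-any", "any", "any", "any", "allow",
         "Temporary troubleshooting rule", date(2013, 1, 15)),
    Rule("default-deny", "any", "any", "any", "deny",
         "Deny all other traffic", date(2013, 10, 1)),
]

if __name__ == "__main__":
    for name, issue in review_rules(SAMPLE_RULES, TODAY):
        print(f"{name}: {issue}")
```

Run as-is it flags four issues: the partner feed that lands directly on an internal database host, the management rule with no justification, and the any-to-any rule both for its scope and for its stale review date. The default-deny rule is intentionally exempt from the permissive-rule checks; it is what the last bullet above asks for.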
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
1. No Defaults
• Usernames such as administrator, system, cisco, infosys
• Passwords such as 0000, 1234
• Also default SNMP community strings and unnecessary default accounts
2. Wireless Environments
• Change the default wireless encryption keys (WEP itself has not been permitted in the cardholder data environment since 30 June 2010; use WPA2)
• Change the default passwords and SNMP community strings on access points
3. Device Configurations
• One primary function per server
• Only required services, protocols and daemons are enabled
• Systems are hardened against an industry-accepted standard (e.g. CIS, NIST, SANS)
4. Admin Access to Devices
• Console access must be authenticated
• Non-console administrative access must be strongly encrypted, e.g. SSH, VPN or TLS for web-based management
• No Telnet, and no other cleartext management protocol (HTTP, rlogin)
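Points 1 and 4 on this slide are easiest to verify from the device configuration itself. The script below is an added example, not material from the original deck: it parses a Cisco IOS-style running configuration and reports vendor-default accounts and SNMP community strings, reversible password storage, an unauthenticated console line, and Telnet or cleartext HTTP enabled for non-console management. The command syntax is standard IOS; the device, account names and hash strings in the two sample configurations are constructed for the example.

```python
"""Configuration audit for Requirement 2 (added example, not from the original deck).

Parses a Cisco IOS-style running configuration and reports vendor defaults
and insecure management access. Command syntax is real IOS; the sample
device, account names and hash strings are constructed.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}
DEFAULT_USERNAMES = {"admin", "administrator", "cisco", "system"}


def parse_ios(config: str):
    """Split a config into top-level commands and the indented 'line ...' blocks."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # '!' separators and blank lines end a block
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        global_cmds.append(cmd)
        current = cmd if cmd.startswith("line ") else None
        if current is not None:
            blocks[current] = []
    return global_cmds, blocks


def audit_ios_config(config: str) -> list[str]:
    """Return one finding string per Requirement 2 violation found."""
    findings = []
    global_cmds, blocks = parse_ios(config)

    for cmd in global_cmds:
        if cmd.startswith("enable password"):
            findings.append("'enable password' stores the enable password reversibly; use 'enable secret'")
        m = re.match(r"username (\S+) (password|secret)\b", cmd)
        if m:
            user, kind = m.groups()
            if user.lower() in DEFAULT_USERNAMES:
                findings.append(f"vendor-default account '{user}' is still present")
            if kind == "password":
                findings.append(f"account '{user}' uses reversible 'password'; use 'secret'")
        m = re.match(r"snmp-server community (\S+)", cmd)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string '{m.group(1)}'")
    if "ip http server" in global_cmds:
        findings.append("cleartext HTTP management enabled ('ip http server'); use 'ip http secure-server' only")

    for header, body in blocks.items():
        if header.startswith("line con") and not any(b.startswith("login") for b in body):
            findings.append(f"{header}: console access is not authenticated (no 'login')")
        if header.startswith("line vty"):
            for b in body:
                m = re.match(r"transport input (.+)", b)
                if m and {"telnet", "all"} & set(m.group(1).split()):
                    findings.append(f"{header}: Telnet permitted ('{b}')")
    return findings


# Constructed sample: a router still carrying vendor defaults and cleartext management.
WEAK_CONFIG = """
hostname edge-rtr-1
!
enable password cisco123
username cisco password 0 cisco
username netops secret 5 $1$abcd$placeholderhashvalue
!
snmp-server community public RO
snmp-server community m0n1t0r-ro RO 10
!
ip http server
no ip http secure-server
!
line con 0
 exec-timeout 15 0
line vty 0 4
 exec-timeout 15 0
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
!
"""

# The same device after remediation: secrets instead of passwords, no defaults, SSH only.
HARDENED_CONFIG = """
hostname edge-rtr-1
!
enable secret 5 $1$abcd$placeholderhashvalue
username netops secret 5 $1$abcd$placeholderhashvalue
!
snmp-server community m0n1t0r-ro RO 10
!
no ip http server
ip http secure-server
!
line con 0
 exec-timeout 15 0
 login local
line vty 0 15
 exec-timeout 15 0
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for finding in audit_ios_config(WEAK_CONFIG):
        print("FAIL:", finding)
    print("hardened config findings:", audit_ios_config(HARDENED_CONFIG))
```

The weak configuration produces seven findings; the hardened one produces none. A check like this belongs in the change-management step on the previous slide, run against every configuration before it is pushed, rather than only at assessment time.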
Requirement 3: Protect stored cardholder data
1. Storage
• Protect the stored card number (PAN): render it unreadable wherever it is stored (one-way hash, truncation, tokenisation or strong encryption) and mask it when displayed (at most the first six and last four digits)
• Do not store sensitive authentication data after authorisation: CVV/CVC, full track data or PIN blocks, even if encrypted
2. Retention Period
• Define the business retention period for cardholder data
• Review stored cardholder data at least every quarter
• Securely remove data that exceeds the retention period
3. Key Management
• Generate strong keys
• Store keys securely, with the fewest possible custodians
• Distribute keys securely
• Change keys at the end of their defined lifetime, and retire or replace any key that is known or suspected to be compromised
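The quarterly review in point 2 and the "do not store CVV or track data" rule in point 1 both depend on being able to find cardholder data where it should not be: log files, debug output, database dumps, file shares. The scanner below is an added example, not material from the original deck. It looks for PAN candidates (13 to 19 digits, Luhn-valid, optionally separated by spaces or dashes), magnetic-stripe track 1 and track 2 formats, and CVV-style key/value pairs, and reports every hit with the PAN masked to first six / last four so the scanner's own report does not become a new store of cardholder data. The sample lines are constructed; the card numbers are the widely published Visa, Mastercard and Amex test numbers.

```python
"""Cardholder-data discovery and masking (added example, not from the original deck).

Finds PANs, track data and security codes in free text and reports them
masked. Sample lines are constructed; the card numbers are public test numbers.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2:  ;PAN=YYMM SSS discretionary?      Track 1:  %B PAN^NAME^YYMM SSS discretionary?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Security code logged as a key/value pair (cvv=123, CVC2: 9876, ...).
CVV = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits, the most Requirement 3.3 lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, masked value) findings for one line of text."""
    findings = []
    # Track data first: it embeds a PAN, so it is blanked out before the generic
    # PAN scan to avoid reporting the same card twice.
    for pattern, kind in ((TRACK1, "track1"), (TRACK2, "track2")):
        for m in pattern.finditer(line):
            findings.append((kind, mask_pan(m.group(1))))
        line = pattern.sub(" ", line)
    if CVV.search(line):
        findings.append(("cvv", "***"))
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_lines(lines) -> list[tuple[int, str, str]]:
    """Scan many lines; returns (line number, kind, masked value) triples."""
    return [(n, kind, value)
            for n, line in enumerate(lines, 1)
            for kind, value in scan_line(line)]


# Constructed sample log lines: one benign 16-digit order id, one debug line that
# leaked a PAN and CVV, one raw swipe (track 2), one PAN in a free-text message.
SAMPLE_LINES = [
    "2013-11-07 10:01:22 order=ORD-1234567890123456 status=approved",
    "2013-11-07 10:02:03 POS debug: pan=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2013-11-07 10:02:04 swipe raw: ;5500000000000004=25121010000000000000?",
    "2013-11-07 10:03:10 customer 378282246310005 refunded",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {kind} {value}")
```

The order number on the first line is sixteen digits but fails the Luhn check, so it is not reported; the three real hits are the leaked PAN plus CVV on line 2, the raw track 2 swipe on line 3 and the bare Amex number on line 4. The track 2 finding is the one that matters most under point 1: full track data after authorisation is never allowed to be stored, encrypted or not.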
Requirement 4: Encrypt transmission of cardholder data across open, public networks
1. Encrypt card numbers sent over the Internet, wireless networks, GPRS, GSM and similar open networks
• Strong cryptography such as SSH, TLS or IPsec is acceptable (the slide lists SSL/TLS; SSL and early TLS were later removed from the standard in PCI DSS 3.1, so use TLS 1.2 or later)
• Wireless networks carrying cardholder data must use strong encryption (WPA2); WEP is not permitted
2. Never send unprotected card numbers over end-user messaging such as e-mail, instant messaging or chat
Requirement 5: Use and regularly update anti-virus software or programs
1. Scope
• Anti-virus on all systems commonly affected by malware: in practice every Windows system, but the requirement is written around exposure to malware, not around the operating system
2. AV should be
• On, and not disabled by users
• Updated (current engine and signatures)
• Running periodic scans
• Getting automatic updates
3. AV Logs
• Generated at the AV server
• Generated at each AV client
• Retained per the log retention rule: at least one year, with a minimum of three months immediately available for analysis
Requirement 6: Develop and maintain secure systems and applications
1. Patch Management
• Latest vendor security patches on all system components
• Deploy critical security patches within one month of release
• Risk-rank newly discovered vulnerabilities (e.g. high, medium, low)
• Use external sources (vendor advisories, vulnerability databases) to identify new vulnerabilities
2. Application Development
• Code review of custom code before release, by someone other than the author
• Change management for every change to a system component
3. Custom code should address
• SQL injection and other injection flaws
• Buffer overflow
• Cross-site scripting
• Cross-site request forgery, etc. (the full list of common coding vulnerabilities in Requirement 6.5)
4. Public-facing web applications
• Web application firewall in front of the application, or
• Application vulnerability assessment at least annually and after any change
Requirement 7: Restrict access to cardholder data by business need to know
1. Assigning access to CHD
• Job-related need only: the minimum privileges the role requires
• Documented approval for each access grant
2. Implementing access to CHD
• Automated access control system covering all system components
• Default deny-all setting unless access is specifically allowed
Requirement 8: Assign a unique ID to each person with computer access
1. Password Requirements
• History: no reuse of the last four passwords
• Lifetime: change at least every 90 days
• Length: at least seven characters
• Complexity: both numeric and alphabetic characters
2. Account Lockout, Forgot Password
• Lock out after at most six failed attempts, for at least 30 minutes or until an administrator re-enables the account
• Re-authenticate after 15 minutes idle
• Password reset process that verifies the user's identity before a reset; first-use passwords are unique and changed at first login
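The password and lockout parameters on this slide are precise enough to implement directly, and doing so is a good way to check that a home-grown application actually enforces them. The class below is an added example, not material from the original deck: it enforces length, complexity, four-deep history, 90-day expiry, lockout after six failures and a 30-minute lockout period, with passwords stored as salted PBKDF2-SHA256 hashes from the Python standard library. The in-memory account store, the fixed clock and the account name in the usage are assumptions for the example.

```python
"""Requirement 8 password and lockout rules as code (added example, not from the original deck).

Enforces: at least 7 characters with letters and digits, no reuse of the last
four passwords, change at least every 90 days, lockout after six failed
attempts for at least 30 minutes. Storage is in-memory; names are hypothetical.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7
HISTORY_DEPTH = 4
MAX_AGE = timedelta(days=90)
MAX_FAILED = 6
LOCKOUT = timedelta(minutes=30)
T0 = datetime(2013, 11, 7, 9, 0)   # fixed clock for the usage below


class PolicyError(ValueError):
    """Raised when a new password does not meet the policy."""


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, name: str, password: str, now: datetime):
        self.name = name
        self.history = []          # (salt, digest) pairs, newest last
        self.failed = 0
        self.locked_until = None
        self.changed_at = now
        self.set_password(password, now)

    def set_password(self, new: str, now: datetime) -> None:
        has_alpha = any(c.isalpha() for c in new)
        has_digit = any(c.isdigit() for c in new)
        if len(new) < MIN_LENGTH or not (has_alpha and has_digit):
            raise PolicyError("at least 7 characters with both letters and digits")
        # Compare against the last four stored hashes, each with its own salt.
        for salt, digest in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_hash(new, salt), digest):
                raise PolicyError("matches one of the last four passwords")
        salt = os.urandom(16)
        self.history.append((salt, _hash(new, salt)))
        self.changed_at = now
        self.failed = 0

    def login(self, password: str, now: datetime) -> str:
        """Returns 'ok', 'expired', 'bad_password' or 'locked'."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failed = None, 0   # lockout period has elapsed
        salt, digest = self.history[-1]
        if not hmac.compare_digest(_hash(password, salt), digest):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "bad_password"
        self.failed = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"        # correct password, but it must be changed before use
        return "ok"


def password_accepted(account: Account, new: str, now: datetime) -> bool:
    """True if the policy accepts `new` for this account (and sets it)."""
    try:
        account.set_password(new, now)
    except PolicyError:
        return False
    return True


if __name__ == "__main__":
    acct = Account("ops-user", "Winter2013", T0)
    for _ in range(MAX_FAILED):
        acct.login("wrong-password", T0)
    print(acct.login("Winter2013", T0))             # locked: correct password, still inside lockout
    print(acct.login("Winter2013", T0 + LOCKOUT))   # ok: lockout elapsed
    print(password_accepted(acct, "Winter2013", T0 + LOCKOUT))  # False: reuse of current password
```

Two details are easy to get wrong and worth noting. The lockout counter is reset only when the lockout period has actually elapsed, so a single further failure after unlock does not immediately relock the account; and an expired password still authenticates the user, but the caller must route them to a change-password flow rather than into the application.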
Requirement 9: Restrict physical access to cardholder data
1. CCTV recordings (retained for at least three months)
2. Access card logs
3. Visitor management
4. Media management
Requirement 10: Track and monitor all access to network resources and cardholder data
1. Every system and network component must produce audit logs
2. Events that must be logged
• All individual accesses to cardholder data
• All actions taken by anyone with root or administrative privileges
• Access to the audit logs themselves
• Use of identification and authentication mechanisms, including failed attempts
• Initialisation of the audit logs
• Creation and deletion of system-level objects
3. Log Retention
• The "3 months – 1 year rule": retain audit history for at least one year, with at least three months immediately available for analysis
4. NTP: synchronise all clocks from a trusted time source so that events across systems can be correlated
5. FIM on logs: file-integrity monitoring or change detection, so existing log data cannot be altered without generating an alert
Requirement 11: Regularly test security systems and processes
1. VA
• Internal VA
• External VA by an Approved Scanning Vendor (ASV)
• Every quarter and after any significant change, rescanning until passing results are obtained
2. PT
• Internal PT
• External PT
• Annually and after any significant infrastructure or application change
3. Wireless scans: quarterly test for unauthorised access points
4. IDS/IPS at the perimeter and at critical points inside the cardholder data environment
5. FIM: file-integrity monitoring, with critical file comparisons at least weekly
(Figure: risk rating scale, High / Med / Low)
Requirement 12: Maintain a policy that addresses information security for all personnel
1. Risk Assessment
• Formal methodology, performed at least annually
• e.g. ISO 27005, NIST SP 800-30, OCTAVE
2. HR
• Recruitment
• Background checks
• NDA
• Awareness
• ID creation/deletion
• Termination
3. Acceptable Usage Policy
4. Operational Security Policy
5. Information Security Policy
6. Service Providers
7. Incident Management
PCI DSS 3.0
Dates
• PCI DSS 3.0 will be published on 7 November 2013
• Version 3.0 takes effect on 1 January 2014; during 2014 entities may validate against either version
• Version 2.0 will remain active until 31 December 2014
What to expect, by requirement
Requirements 1 and 2
1. Updated network diagram, plus a diagram showing how cardholder data flows across systems and networks
2. Updated hardware inventory: a maintained inventory of all in-scope system components
Requirement 5
1. Anti-virus is no longer only about Windows: systems considered not commonly affected by malware (including non-Windows systems) must be periodically evaluated for evolving threats, and AV must not be disabled by users
Requirement 6
1. The list of application vulnerabilities that custom code must address is kept current with OWASP, NIST, SANS, etc.
Requirement 8
1. Security requirements for authentication mechanisms other than passwords
• Tokens
• Smart cards
• Certificates
• Each must be assigned to an individual account and not shared
Requirement 11
1. More stringent requirements for penetration testing: a documented methodology based on industry-accepted approaches (e.g. NIST SP 800-115), covering the whole perimeter of the cardholder data environment and verifying that segmentation controls work (best practice until 30 June 2015, a requirement thereafter)
Requirement 12
1. Maintain a list of service providers and what services they offer
2. Service providers should maintain their applicable PCI DSS requirements, and the list records which requirements each party manages
3. Risks pertaining to service providers are assessed and monitored
Thank You

Contenu connexe

Tendances

The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...
The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...
The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...ManageEngine EventLog Analyzer
 
2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)AlgoSec
 
User activity monitoring with SysKit
User activity monitoring with SysKitUser activity monitoring with SysKit
User activity monitoring with SysKitSysKit Ltd
 
Migrating Application Connectivity and Network Security to AWS
Migrating Application Connectivity and Network Security to AWSMigrating Application Connectivity and Network Security to AWS
Migrating Application Connectivity and Network Security to AWSAlgoSec
 
Radically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertificationRadically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertificationAlgoSec
 
Algosec 5 more_things_you_can_do_with_a_security_policy_management_solution
Algosec 5 more_things_you_can_do_with_a_security_policy_management_solutionAlgosec 5 more_things_you_can_do_with_a_security_policy_management_solution
Algosec 5 more_things_you_can_do_with_a_security_policy_management_solutionMaytal Levi
 
Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigationTying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation Maytal Levi
 
What's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareWhat's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareManageEngine EventLog Analyzer
 
CSF18 Azure Information Protection - Albert Hoitingh
CSF18   Azure Information Protection - Albert HoitinghCSF18   Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert HoitinghNCCOMMS
 
Application visibility across the security estate the value and the vision ...
Application visibility across the security estate   the value and the vision ...Application visibility across the security estate   the value and the vision ...
Application visibility across the security estate the value and the vision ...AlgoSec
 
Kaseya connect 2013: Leveraging the power of Kaseya Network Monitor
Kaseya connect 2013: Leveraging the power of Kaseya Network MonitorKaseya connect 2013: Leveraging the power of Kaseya Network Monitor
Kaseya connect 2013: Leveraging the power of Kaseya Network MonitorKaseya
 
Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time AlgoSec
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2
 
compliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinarcompliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinarAlgoSec
 
End user-experience monitoring
End user-experience monitoring End user-experience monitoring
End user-experience monitoring Site24x7
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLpqrs1234
 
Security Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlSecurity Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlAlgoSec
 
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentA Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentAlgoSec
 
Tips and tricks for Testing Micro-Services
Tips and tricks for Testing Micro-ServicesTips and tricks for Testing Micro-Services
Tips and tricks for Testing Micro-ServicesThoughtworks
 

Tendances (20)

The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...
The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...
The Oldest Club in English Football uses ManageEngine EventLog Analyzer to Co...
 
2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)2019 02-20 micro-segmentation based network security strategies (yoni geva)
2019 02-20 micro-segmentation based network security strategies (yoni geva)
 
User activity monitoring with SysKit
User activity monitoring with SysKitUser activity monitoring with SysKit
User activity monitoring with SysKit
 
Migrating Application Connectivity and Network Security to AWS
Migrating Application Connectivity and Network Security to AWSMigrating Application Connectivity and Network Security to AWS
Migrating Application Connectivity and Network Security to AWS
 
Radically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertificationRadically reduce firewall rules with application-driven rule recertification
Radically reduce firewall rules with application-driven rule recertification
 
Algosec 5 more_things_you_can_do_with_a_security_policy_management_solution
Algosec 5 more_things_you_can_do_with_a_security_policy_management_solutionAlgosec 5 more_things_you_can_do_with_a_security_policy_management_solution
Algosec 5 more_things_you_can_do_with_a_security_policy_management_solution
 
Tying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigationTying cyber attacks to business processes, for faster mitigation
Tying cyber attacks to business processes, for faster mitigation
 
What's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management SoftwareWhat's New in EventLog Analyzer - Log Management Software
What's New in EventLog Analyzer - Log Management Software
 
CSF18 Azure Information Protection - Albert Hoitingh
CSF18   Azure Information Protection - Albert HoitinghCSF18   Azure Information Protection - Albert Hoitingh
CSF18 Azure Information Protection - Albert Hoitingh
 
Application visibility across the security estate the value and the vision ...
Application visibility across the security estate   the value and the vision ...Application visibility across the security estate   the value and the vision ...
Application visibility across the security estate the value and the vision ...
 
Kaseya connect 2013: Leveraging the power of Kaseya Network Monitor
Kaseya connect 2013: Leveraging the power of Kaseya Network MonitorKaseya connect 2013: Leveraging the power of Kaseya Network Monitor
Kaseya connect 2013: Leveraging the power of Kaseya Network Monitor
 
Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time Put out audit security fires, pass audits -every time
Put out audit security fires, pass audits -every time
 
WSO2 IoT Server - Product Overview
WSO2 IoT Server - Product OverviewWSO2 IoT Server - Product Overview
WSO2 IoT Server - Product Overview
 
compliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinarcompliance made easy. pass your audits stress-free webinar
compliance made easy. pass your audits stress-free webinar
 
End user-experience monitoring
End user-experience monitoring End user-experience monitoring
End user-experience monitoring
 
Ace
AceAce
Ace
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
 
Security Change Management: Agility vs. Control
Security Change Management: Agility vs. ControlSecurity Change Management: Agility vs. Control
Security Change Management: Agility vs. Control
 
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud EnvironmentA Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment
 
Tips and tricks for Testing Micro-Services
Tips and tricks for Testing Micro-ServicesTips and tricks for Testing Micro-Services
Tips and tricks for Testing Micro-Services
 

Similaire à PCI DSS in Pictures and What to Expect in PCI 3.0

Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Donald E. Hester
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Computer system validations
Computer system validations Computer system validations
Computer system validations Saikiran Koyalkar
 
Application_security_Strategic
Application_security_StrategicApplication_security_Strategic
Application_security_StrategicRamesh VG
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentPrecisely
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupCloudHesive
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupCloudHesive
 
Monitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and SecurityMonitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and SecurityPrecisely
 
Cloud computing and innovations
Cloud computing and  innovationsCloud computing and  innovations
Cloud computing and innovationsSPIN Chennai
 
Jsm computer solutions
Jsm computer solutionsJsm computer solutions
Jsm computer solutionsJason Mast
 
PCI 3.0 and penetration testing
PCI 3.0 and penetration testingPCI 3.0 and penetration testing
PCI 3.0 and penetration testingMarcus Dempsey
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleRochester Security Summit
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hackingDesmond Devendran
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applicationskanimozhin
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudCloudHesive
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessJoAnna Cheshire
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsJim Bugwadia
 

Similaire à PCI DSS in Pictures and What to Expect in PCI 3.0 (20)

Security on AWS
Security on AWSSecurity on AWS
Security on AWS
 
Information Assurance for Accountant 2007
Information Assurance for Accountant 2007Information Assurance for Accountant 2007
Information Assurance for Accountant 2007
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Computer system validations
Computer system validations Computer system validations
Computer system validations
 
Application_security_Strategic
Application_security_StrategicApplication_security_Strategic
Application_security_Strategic
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Introducing Assure Security Risk Assessment
Introducing Assure Security Risk AssessmentIntroducing Assure Security Risk Assessment
Introducing Assure Security Risk Assessment
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition Meetup
 
Security on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition MeetupSecurity on AWS, 2021 Edition Meetup
Security on AWS, 2021 Edition Meetup
 
CISA Training - Chapter 5 - 2016
CISA Training - Chapter 5 - 2016CISA Training - Chapter 5 - 2016
CISA Training - Chapter 5 - 2016
 
Monitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and SecurityMonitoring and Reporting on IBM i Compliance and Security
Monitoring and Reporting on IBM i Compliance and Security
 
Cloud computing and innovations
Cloud computing and  innovationsCloud computing and  innovations
Cloud computing and innovations
 
Jsm computer solutions
Jsm computer solutionsJsm computer solutions
Jsm computer solutions
 
PCI 3.0 and penetration testing
PCI 3.0 and penetration testingPCI 3.0 and penetration testing
PCI 3.0 and penetration testing
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Material best practices in network security using ethical hacking
Material best practices in network security using ethical hackingMaterial best practices in network security using ethical hacking
Material best practices in network security using ethical hacking
 
Security architecture best practices for saas applications
Security architecture best practices for saas applicationsSecurity architecture best practices for saas applications
Security architecture best practices for saas applications
 
NIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public CloudNIST Cybersecurity Framework (CSF) on the Public Cloud
NIST Cybersecurity Framework (CSF) on the Public Cloud
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
ISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply ChainsISACA SV Chapter: Securing Software Supply Chains
ISACA SV Chapter: Securing Software Supply Chains
 

Dernier

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

PCI DSS in Pictures and What to Expect in PCI 3.0

  • 7.
    1. Network diagram
       • Formal (documented and approved)
       • Comprehensive (every connection to cardholder data, including wireless)
    2. Network device administration
       • Change management for every rule and configuration change
       • Console connections
       • Remote connections
    3. Network device maintenance
       • Documented business justification for every permitted service, protocol and port
       • Firewall rule-set review at least every 6 months
    4. Placement of firewalls
       • Between the Internet and the DMZ
       • Between the DMZ and the internal network
    5. Configuration of firewalls
       • Stateful inspection (only established connections are allowed back in)
       • Filtering of traffic between the internal network and external networks; anything not explicitly permitted is denied
       • NAT for internal IP addresses so that they are not disclosed to the Internet
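The deck's points 3 and 5 (business justification, a six-monthly rule review, no unfiltered internal/external traffic, the DMZ as the only place the Internet may land) are the checks a QSA actually walks through when reviewing a rule set. The following is an added example written for this page, not code from the deck or from SISA: a small rule-set reviewer run over a constructed ruleset. The rule format, the 182-day review interval and the RFC 1918 ranges used to mean "internal" are assumptions of the example.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample ruleset (not exported from any real firewall). Each
# permit rule carries the business justification and last-review date that
# the deck says must exist for it. Rule 999 is the default deny.
RULES = [
    {"id": 10, "src": "0.0.0.0/0", "dst": "203.0.113.10/32", "port": "443",
     "action": "allow", "justification": "Public web front end in the DMZ",
     "reviewed": "2013-09-01"},
    {"id": 20, "src": "203.0.113.0/24", "dst": "10.10.0.5/32", "port": "1433",
     "action": "allow", "justification": "DMZ web tier to card database",
     "reviewed": "2013-02-01"},
    {"id": 30, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any",
     "action": "allow", "justification": "",
     "reviewed": "2013-09-01"},
    {"id": 40, "src": "10.10.0.0/16", "dst": "0.0.0.0/0", "port": "any",
     "action": "allow", "justification": "Temporary: vendor troubleshooting",
     "reviewed": "2012-11-15"},
    {"id": 50, "src": "0.0.0.0/0", "dst": "10.10.0.5/32", "port": "22",
     "action": "allow", "justification": "Remote admin to card database",
     "reviewed": "2013-09-01"},
    {"id": 999, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any",
     "action": "deny", "justification": "Default deny",
     "reviewed": "2013-09-01"},
]

ANY = "0.0.0.0/0"
REVIEW_INTERVAL = timedelta(days=182)  # "at least every six months" (assumed cut-off)
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(cidr):
    """True if the CIDR lies entirely inside RFC 1918 private space."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in INTERNAL)


def review_rules(rules, today):
    """Return (rule id, finding) pairs for every permit rule that fails a check.

    `today` is an ISO date string, e.g. "2013-10-01".
    """
    today = date.fromisoformat(today)
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules are the safe default and are not flagged here
        if r["src"] == ANY and r["dst"] == ANY:
            findings.append((r["id"], "any-to-any permit rule"))
        if r["port"] == "any":
            findings.append((r["id"], "all ports permitted; restrict to required services"))
        if not r["justification"].strip():
            findings.append((r["id"], "no documented business justification"))
        if r["src"] == ANY and is_internal(r["dst"]):
            findings.append((r["id"], "Internet reaches the internal network directly; must terminate in the DMZ"))
        if today - date.fromisoformat(r["reviewed"]) > REVIEW_INTERVAL:
            findings.append((r["id"], "not reviewed in the last six months"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in review_rules(RULES, "2013-10-01"):
        print("rule %s: %s" % (rule_id, finding))
```

Rule 10 (Internet to a DMZ host on 443, justified, recently reviewed) passes cleanly; rule 50 is the one that usually surprises people, because each field looks reasonable on its own and only the source/destination pair shows that the Internet is being allowed straight past the DMZ.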
  • 8.
    1. No vendor defaults
       • Default usernames such as administrator, system, cisco, infosys
       • Default passwords such as 0000, 1234
       • Default SNMP community strings and unused default accounts count too
    2. Wireless environments
       • Change the default encryption keys, passwords and SNMP community strings on access points
       • Do not rely on WEP: its use as a security control has been prohibited since 30 June 2010; use WPA2 (IEEE 802.11i)
    3. Device configurations
       • One primary function per server
       • Only required services, protocols and daemons enabled
       • Systems hardened to an industry-accepted standard (e.g. CIS, NIST, SANS)
    4. Admin access to devices
       • Console access must be authenticated
       • Non-console administrative access must be strongly encrypted, e.g. SSH, VPN or TLS
       • No Telnet, and no other clear-text administrative protocol
  • 9.
    1. Storage
       • Render the stored PAN unreadable anywhere it is stored (truncation, one-way hash, tokenisation or strong cryptography)
       • Never store sensitive authentication data after authorisation: full track data, CVV2/CVC2/CID, PIN or PIN block
    2. Retention period
       • Define and document the business retention period
       • Review stored cardholder data at least quarterly
       • Securely delete data that has exceeded the retention period
    3. Key management
       • Generate strong keys
       • Store keys securely (in as few locations as possible, accessible only to custodians)
       • Distribute keys securely
       • Change keys at the end of their cryptoperiod, and whenever a key is known or suspected to be compromised
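The quarterly review in point 2 is in practice a data-discovery exercise: find PANs, track data and card verification values wherever they have leaked into logs, exports and databases, and report them without printing the full PAN. The block below is an added example for this page, not code from the deck or from SISA. The sample file is constructed (the card numbers are the well-known Visa and Mastercard test numbers, not real accounts), and the field labels the CVV pattern looks for are an assumption.

```python
import re

# Constructed sample of a file found during a quarterly review of stored data.
SAMPLE = """\
order=1001 pan=4111111111111111 exp=1215 cvv=123
order=1002 card=5500 0000 0000 0004 name=J DOE
order=1003 ref=1234567890123 note=not a card
track=;4111111111111111=15121011234567890?
invoice=20130930123456789
"""

# 13 to 19 digits with optional single space/hyphen separators, not embedded
# in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Track 2 (;PAN=...?) and track 1 (%BPAN^...) magnetic-stripe layouts.
TRACK_RE = re.compile(r";\d{13,19}=\d{4,}\?|%B\d{13,19}\^")
# A labelled CVV2/CVC2/CID value (label names assumed for this example).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check; weeds out invoice and reference numbers that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Display form permitted for a PAN: at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text):
    """Return (line number, kind, detail) for every suspected cardholder data item."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((lineno, "PAN", mask_pan(digits)))
        if CVV_RE.search(line):
            findings.append((lineno, "CVV", "card verification value must never be stored"))
        if TRACK_RE.search(line):
            findings.append((lineno, "TRACK", "full track data must never be stored"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in scan(SAMPLE):
        print("line %d: %s %s" % (lineno, kind, detail))
```

Lines 3 and 5 of the sample are 13- and 17-digit numbers that fail the Luhn check, which is what keeps a scan like this from drowning in invoice numbers; the track line is reported both as a PAN and as track data, the latter being the finding that cannot be remediated by encryption, only by deletion.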
  • 10.
    1. Encrypt card numbers sent over open, public networks: the Internet, wireless, GPRS, GSM
       • Strong cryptography and security protocols such as SSH, SSL/TLS or IPSec are acceptable (as the standard stood at versions 2.0 and 3.0; later revisions withdrew SSL and early TLS)
    2. Never send unprotected PANs by end-user messaging technologies such as e-mail or chat
  • 11.
    1. Scope
       • Anti-virus on all systems commonly affected by malware (the deck's example: all Windows systems)
    2. AV must be
       • On (and not disableable by ordinary users)
       • Updated
       • Running periodic scans
       • Receiving automatic updates
    3. AV logs
       • At the AV server
       • At the AV client
       • Retained under the same rule as other audit logs: at least one year, with the most recent three months immediately available
  • 12.
    1. Patch management
       • Latest vendor patches on all systems
       • Critical patches deployed within one month of release
       • Risk ranking of newly discovered vulnerabilities (e.g. High / Medium / Low) to decide what counts as critical
       • Refer to external sources (vendor advisories, CVE feeds, industry lists) to learn of new vulnerabilities
    2. Application development
       • Code review before release to production
       • Change management
    3. Custom code must address the common coding vulnerabilities
       • SQL injection (and other injection flaws)
       • Buffer overflow
       • Cross-site scripting
       • Cross-site request forgery, etc.
    4. Public-facing web applications
       • A web application firewall in front of the application, or
       • An application vulnerability assessment at least annually and after any change
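Point 3 lists SQL injection first, and it is the one defect a code reviewer can show end to end in a few lines. Below is an added example for this page (not code from the deck or from SISA) in Python against an in-memory SQLite table: the vulnerable query that splices caller input into SQL text, the same lookup with a bound parameter, and an allow-list validator as a second layer. The table, the merchant records and the identifier pattern are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """In-memory SQLite database holding constructed merchant records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO merchants (name, api_key) VALUES (?, ?)",
                     [("acme", "key-acme-7f3a"), ("globex", "key-globex-9c1d")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller's input becomes part of the SQL text."""
    sql = "SELECT name, api_key FROM merchants WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is always data, never SQL."""
    return conn.execute(
        "SELECT name, api_key FROM merchants WHERE name = ?", (name,)).fetchall()


# Allow-list for merchant identifiers (pattern assumed for this example).
NAME_RE = re.compile(r"^[a-z0-9_-]{1,32}$")


def valid_name(name):
    """Input validation as defence in depth: reject anything but a plain identifier."""
    return NAME_RE.match(name) is not None


# Classic tautology payload: closes the string literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # every merchant's key
    print("parameterised:", lookup_safe(db, PAYLOAD))      # no rows
    print("validated:", valid_name(PAYLOAD))                # False
```

With the payload the vulnerable query becomes `WHERE name = 'x' OR '1'='1'` and returns every merchant's API key, which is exactly the class of defect the review in point 2 exists to catch before code reaches the cardholder data environment; the parameterised form returns nothing because the whole payload is compared as a literal name.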
  • 13.
    1. Assigning access to CHD
       • Based on job-related need (need to know)
       • Documented approval for each grant of access
    2. Implementing access to CHD
       • Automated access-control system
       • Default deny-all setting
  • 14.
    1. Password requirements
       • History, lifetime, length, complexity
    2. Account lockout and forgotten passwords
       • Lock the account after repeated failed attempts
       • A defined password-reset process that verifies the user's identity before the reset
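The deck names the four password parameters and the lockout but not their values. The block below is an added example for this page, not code from the deck or from SISA: an account model that enforces the values PCI DSS 2.0 Requirement 8.5 actually specifies (minimum 7 characters, letters and digits, change every 90 days, no reuse of the last four, lockout after 6 failures for 30 minutes). The class layout, the PBKDF2 hashing and the use of epoch seconds for time are assumptions of the example.

```python
import hashlib
import hmac
import os

# Parameter values from PCI DSS 2.0 Requirement 8.5 (carried into 3.0).
MIN_LENGTH = 7                     # 8.5.10
MAX_AGE = 90 * 24 * 3600           # 8.5.9, in seconds
HISTORY = 4                        # 8.5.12: no reuse of the last four passwords
MAX_FAILURES = 6                   # 8.5.13
LOCKOUT = 30 * 60                  # 8.5.14, in seconds
ITERATIONS = 100_000               # PBKDF2 work factor (assumed)


def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def password_matches(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def complexity_problems(password):
    """Length and complexity checks; returns the list of violations (empty if compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must contain both letters and digits")
    return problems


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []          # (salt, digest) pairs, most recent last
        self.changed_at = now
        self.failures = 0
        self.locked_until = None
        self.set_password(password, now)

    def set_password(self, new_password, now):
        problems = complexity_problems(new_password)
        if any(password_matches(new_password, s, d) for s, d in self.history[-HISTORY:]):
            problems.append("reuses one of the last %d passwords" % HISTORY)
        if problems:
            raise ValueError("; ".join(problems))
        self.history.append(hash_password(new_password))
        self.changed_at = now

    def authenticate(self, password, now):
        """Return 'ok', 'expired', 'denied' or 'locked'; `now` is epoch seconds."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until, self.failures = None, 0   # lockout period has elapsed
        salt, digest = self.history[-1]
        if not password_matches(password, salt, digest):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                return "locked"
            return "denied"
        self.failures = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"   # correct password, but it must be changed before use
        return "ok"
```

Two details matter for an assessor: a correct password on a locked account still returns "locked" until the 30 minutes are up, and the history check compares against stored hashes rather than keeping old passwords in any recoverable form.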
  • 15.
    1. CCTV recordings
    2. Access-card logs
    3. Visitor management
    4. Media management
  • 16.
    1. Every system and network component must produce audit logs
    2. Events that must be logged
       • Access to CHD
       • Administrative actions
       • Access to the audit logs themselves
       • Use of authentication mechanisms (successful and failed)
       • Initialisation of the audit logs
       • Creation and deletion of system-level objects
    3. Log retention
       • At least one year, with the most recent three months immediately available for analysis
    4. NTP: all clocks synchronised from a trusted time source so that events can be correlated
    5. File-integrity monitoring on the logs, so that existing log data cannot be changed without generating an alert
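Points 2, 3 and 5 each turn into a concrete check: does every entry carry the fields needed to reconstruct an event, which entries fall under which part of the retention rule, and can a change to an already-written entry be detected. The following is an added example for this page, not code from the deck or from SISA: a field-completeness check and a hash chain over a handful of constructed audit entries, plus the one-year / three-month rule applied to entry dates. The field names and the JSON entry layout are assumptions; the chain is a simple SHA-256 link from each record to its predecessor, standing in for the FIM or change-detection product an assessed environment would use.

```python
import copy
import hashlib
import json
from datetime import date, timedelta

# Fields every audit entry must carry: user, event type, date/time, outcome,
# origin, affected resource. The field names are an assumption of this example.
REQUIRED = ("user", "event", "time", "result", "origin", "resource")

# Constructed sample entries, not taken from any real system. The third entry
# is missing its outcome field.
EVENTS = [
    {"user": "dba1", "event": "select_chd", "time": "2013-10-01T09:15:02Z",
     "result": "success", "origin": "10.10.0.22", "resource": "cards.pan"},
    {"user": "root", "event": "admin_login", "time": "2013-10-01T09:20:45Z",
     "result": "failure", "origin": "10.10.0.9", "resource": "db01"},
    {"user": "root", "event": "log_read", "time": "2013-10-01T09:21:10Z",
     "origin": "10.10.0.9", "resource": "/var/log/audit.log"},
    {"user": "app", "event": "create_table", "time": "2013-10-01T09:30:00Z",
     "result": "success", "origin": "10.10.0.5", "resource": "tmp_export"},
]

GENESIS = "0" * 64


def missing_fields(entry):
    """Names of required fields absent from one audit entry."""
    return [f for f in REQUIRED if f not in entry]


def _digest(prev_hash, entry):
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def chain(entries):
    """Wrap each entry with the hash of its predecessor, giving a tamper-evident chain."""
    records, prev = [], GENESIS
    for entry in entries:
        h = _digest(prev, entry)
        records.append({"prev": prev, "hash": h, "entry": copy.deepcopy(entry)})
        prev = h
    return records


def first_broken_link(records):
    """Index of the first record whose hash or back-link no longer verifies, or None."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or _digest(prev, rec["entry"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return None


def tampered_copy(records, index, field, value):
    """Copy of the chain with one field of one entry silently edited (for testing)."""
    edited = copy.deepcopy(records)
    edited[index]["entry"][field] = value
    return edited


def retention_status(entry_date, today):
    """Apply the one-year / three-month rule to an ISO entry date."""
    age = date.fromisoformat(today) - date.fromisoformat(entry_date)
    if age > timedelta(days=365):
        return "retention met; may be purged"
    if age <= timedelta(days=90):
        return "must be immediately available"
    return "retain; archive acceptable"
```

A chain like this only helps if the last hash is periodically copied somewhere the log server cannot write to; on its own it tells you that the second entry was altered, or that one was removed, but not which party did it.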
  • 17.
    1. Vulnerability assessment
       • Internal VA
       • External VA by an Approved Scanning Vendor (ASV)
       • Every quarter and after any significant change
       • Findings ranked High / Medium / Low; rescan until the high-risk findings are resolved and the ASV scan passes
    2. Penetration testing
       • Internal PT
       • External PT
       • Annually and after any significant infrastructure or application change
    3. Wireless scans (quarterly, to detect rogue access points)
    4. IDS/IPS at the perimeter of and at critical points inside the cardholder data environment
    5. FIM on critical system files, configuration files and content files
  • 18.
    1. Risk assessment
       • Formal methodology
       • E.g. ISO 27005, NIST SP 800-30, OCTAVE, etc.
    2. HR
       • Recruitment
       • Background checks
       • NDA
       • Awareness
       • ID creation/deletion
       • Termination
    3. Acceptable usage policy
    4. Operational security policy
    5. Information security policy
    6. Service providers
    7. Incident management
  • 20. Dates
    • PCI DSS 3.0 will be published on 7 November 2013
    • Version 3.0 is effective from 1 January 2014; assessments may be performed against it from that date
    • Version 2.0 remains valid until 31 December 2014, so 2014 is a transition year in which either version may be used
  • 21.
    1. Network diagram kept current
    2. Inventory of in-scope system components (hardware and software) kept current
  • 22.
    1. Anti-malware coverage extends beyond Windows: systems considered not commonly affected by malware must be periodically evaluated for evolving malware threats
  • 23.
    1. The list of application vulnerabilities that custom code must address is to be kept current with industry sources such as OWASP, NIST and SANS
  • 24.
    1. Security requirements for authentication mechanisms other than passwords
       • Physical or logical tokens
       • Smart cards
       • Certificates
       • Each must be assigned to an individual account and must not be shared
  • 25.
    1. More stringent requirements for penetration testing: an industry-accepted methodology (e.g. NIST SP 800-115), coverage of the entire CDE perimeter and critical systems, application-layer and network-layer tests, and verification that segmentation controls are effective
  • 26.
    1. Maintain a list of service providers and the services they provide
    2. Service providers must maintain compliance with the PCI DSS requirements applicable to the services they provide, and the entity must document which requirements are managed by each provider and which it retains itself
    3. Assess and document the risks of engaging each service provider