Payment Card Industry (PCI) Data Security Standard (DSS) compliance is frequently misunderstood. Determining an effective strategy for demonstrating compliance and governing it on an ongoing basis is critical to mitigating emerging payment security risks. Knowing when you need help, understanding which requirements apply, and determining the proper course of action to adhere to the standard is often more complex than it may at first seem. Join Fortrex Technologies QSA Peter Spier and Jim Raub, Senior Director of Information Security, Compliance and Fraud for PAETEC Holding Corporation, for this discussion of common challenges and practical solutions.
Peter Spier, Senior Risk Management Consultant, Fortrex Technologies
Peter is President of the ISACA Western New York Chapter and is a Senior Risk Management Consultant at Fortrex Technologies based in Frederick, Maryland. Peter attained his graduate degree from Syracuse University's School of Information Studies and over the course of 12 years of experience has earned Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), Project Management Professional (PMP), Qualified Security Assessor (QSA), Information Technology Infrastructure Library (ITIL) Foundation version 3, and HITRUST CSF Assessor certifications.
Jim Raub, Senior Director of Information Security, Compliance and Fraud, PAETEC Holding Corporation
Jim has held a wide range of IT positions over the past 30 years, with a concentration on security for the past decade. He has presented at numerous conferences and taught many business and college courses as an adjunct faculty member. Jim’s certifications include Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP). When he’s not working, he is an avid musician and volunteer at several non-profit organizations.
When You Are Not Certain Where Your Cardholder Data Environment Begins or Ends
• Does an unsolicited customer email automatically bring a system into the Cardholder Data Environment (CDE)?
• If an end user chooses to record a call and save it to a local or LAN file, is the PC or file server in scope?
• If the CDE firewall allows insecure protocols, is the scope reduced?
• Is a workstation part of the CDE if it is used only to key in the Primary Account Number (PAN) into a hosted application through an encrypted channel?
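The first two questions above turn on a factual matter: does the mailbox or file server actually hold a PAN? The following added example (not material from the webinar or from Fortrex or PAETEC) shows the kind of discovery check a scoping exercise uses to answer that. It scans text artifacts for card-number candidates, confirms them with the Luhn check so that order numbers and other long digit strings are not counted, and reports only masked values so the scanner itself does not become a new store of cardholder data. The file paths and their contents are constructed for the example; the card numbers are publicly known test PANs.

```python
import re

# Constructed sample artifacts of the kind a scoping exercise turns up.
# The card numbers are publicly known test PANs, not real customer data.
SAMPLES = {
    "mailbox/inbox/customer-2024-05.eml": (
        "Hi, please charge my card 4111 1111 1111 1111 for the renewal.\n"
        "Thanks, a customer"
    ),
    "fileserver/call-notes/agent7.txt": (
        "Caller confirmed order #558201 and gave card 5500-0000-0000-0004 exp 12/29."
    ),
    "fileserver/reports/q1.txt": (
        "Ticket 1234567890123456 closed; invoice 4111111111111112 is NOT a card."
    ),
}

# A candidate is 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs found in text; Luhn-invalid candidates are dropped."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def in_scope_paths(artifacts: dict[str, str]) -> list[str]:
    """Paths whose content holds at least one PAN and so pull their host into scope."""
    return sorted(path for path, text in artifacts.items() if find_pans(text))


if __name__ == "__main__":
    for path, text in SAMPLES.items():
        print(f"{path}: {find_pans(text) or 'no PAN found'}")
    print("in scope:", in_scope_paths(SAMPLES))
```

In this run the customer email and the saved call note both contain a valid PAN, so the mailbox server and the file server are in scope regardless of whether anyone intended them to be, while the report with a ticket number and a mistyped card number is not. A Luhn match is only evidence, not proof: a real discovery pass also checks issuer prefixes and ranges and is followed by manual confirmation, and the remediation is to remove or truncate the data rather than to argue the system out of scope.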