You Know You Need PCI
Compliance Help When…
Presented By:
Peter Spier
Manager Professional Services
Fortrex Technologies
Jim Raub
Senior Director of Information Security and Compliance
PAETEC Holding Corporation
© 2010. All rights reserved.
Agenda
• Instructor Biographies
• Background On Fortrex
• Background on PAETEC
• Overview of the PCI DSS
• 3 Challenges
• Common Scenarios
• Time to Seek Help
• Compliance Roles
• Assessment Preparation
• PCI DSS 2.0
Instructor Biography
• Peter Spier is President of the ISACA Western
New York Chapter and Manager Professional
Services at Fortrex Technologies (www.fortrex.com)
based in Frederick, Maryland.
• Certifications include: CISSP, CISM, PMP, QSA,
PA-QSA, ITILFv3, and CSF Assessor
• Master's degree from Syracuse University School of
Information Studies
• 15 years of experience
Instructor Biography
• Jim Raub is Sr. Director, Information Security and
Compliance at PAETEC (www.paetec.com) based in
Fairport, NY.
• Current Certifications include: CISSP, CISA, &
CTM. Past certifications from Cisco, Microsoft,
Informix, CompTIA and others.
• Bachelor's degree, Summa cum Laude, from Syracuse
University, with coursework towards a Master's at the
University of Rochester
• 35 years of experience in management, consulting,
security, software development, IT infrastructure,
networks, and database administration
Background on Fortrex
General Facts
• IT Security, Operational Risk and
Governance Consulting
• Founded in 1997
• Headquarters in Frederick, Maryland
• Privately Held
• Approaching 1,000 Customers
o Baltimore to Alaska to Guam
• Broad Industry Coverage
• QSA, PA-QSA & ASV
• Abundance of References
Integrity, Excellence, Empowerment, Teamwork and Thankfulness
Background on PAETEC
Caring Culture, Open Communication, Unmatched Service, Personalized Solution
General Facts
• Founded in 1998
• Headquarters in Fairport, New York
• Publicly Traded (Nasdaq: PAET)
• Serving over 84 of the top 100
Metropolitan Statistical Areas (MSAs) in the
U.S. with personalized communications
solutions
• Core offerings include data, voice, and
Internet communications services
• Value-added solutions encompass data
center colocation, communications
management software, equipment, security
and financing programs
Overview of the PCI DSS
Reviewing PCI DSS Compliance Requirements For The First Time Can Be A Daunting Task
The “Dirty Dozen”
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Challenge #1
Are you a Merchant or a Service Provider?
Merchants Defined
• Merchant - Any entity that accepts payment cards
bearing the logos of any of the five members of PCI
SSC (American Express, Discover, JCB, MasterCard or
Visa) as payment for goods and/or services.
Service Providers Defined
• Service Provider - Business entity that is not a payment
card brand member or a merchant, directly involved in the
processing, storage, transmission, or switching of
transaction data and cardholder information, or both.
o This also includes companies that provide services to
merchants, service providers or members that control or
could impact the security of cardholder data.
 Examples include managed service providers that provide managed
firewalls, IDS and other services, as well as hosting providers and
other entities.
 Entities such as telecommunications companies that only provide
communication links without access to the application layer of the
communication link are excluded.
When Merchants
Are Also Service Providers
• A merchant that accepts payment cards as
payment for goods and/or services can also be a
service provider, if the services sold result in
storing, processing, or transmitting cardholder
data on behalf of other merchants or service
providers.
o For example, an ISP is a merchant that accepts payment
cards for monthly billing, but is also a service provider if
it hosts merchants as customers
Challenge #2
What compliance level are you?
Merchant Compliance Levels

Level 1
• Visa: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
• MasterCard: Any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant having greater than six million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 1 criteria of Visa; any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
• Discover: All merchants processing a total of more than 6 million card transactions annually on the Discover network; any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
• American Express: 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1
• JCB: One million JCB transactions or more per year

Level 2
• Visa: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
• MasterCard: Any merchant with greater than one million but less than or equal to six million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 2 criteria of Visa
• Discover: All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
• American Express: 50,000 to 2.5 million American Express Card transactions per year
• JCB: Less than one million JCB transactions per year

Level 3
• Visa: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
• MasterCard: Any merchant with greater than 20,000 combined MasterCard and Maestro e-commerce transactions annually but less than or equal to one million total combined MasterCard and Maestro e-commerce transactions annually; any merchant meeting the Level 3 criteria of Visa
• Discover: All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
• American Express: Less than 50,000 American Express Card transactions per year
• JCB: N/A

Level 4
• Visa: Merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
• MasterCard: All other merchants
• Discover: All other merchants
• American Express: N/A
• JCB: N/A
Service Provider Compliance Levels

Level 1
• Visa: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually
• MasterCard: All TPPs; all DSEs that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually
• Discover: All TPPs
• American Express: All TPPs
• JCB: All TPPs

Level 2
• Visa: Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually
• MasterCard: All DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually
• Discover: N/A
• American Express: N/A
• JCB: N/A
Challenge #3
What requirements apply?
Merchant Reporting Requirements

Level 1
• Visa: Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”); quarterly network scan by an Approved Scan Vendor (“ASV”); Attestation of Compliance form
• MasterCard: Annual on-site assessment [1]; quarterly network scan by Approved Scan Vendor (“ASV”)
• Discover: All merchants processing a total of more than 6 million card transactions annually on the Discover network; any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
• American Express: 2.5 million American Express Card transactions or more per year; or any merchant that has had a data incident; or any merchant that American Express otherwise deems a Level 1
• JCB: One million JCB transactions or more per year

Level 2
• Visa: Annual Self-Assessment Questionnaire (“SAQ”); quarterly network scan by ASV; Attestation of Compliance form; on-site assessment (at merchant discretion)
• MasterCard: Annual Self-Assessment Questionnaire (“SAQ”) [2]; quarterly network scan by Approved Scan Vendor (“ASV”)
• Discover: All merchants processing a total of 1 million to 6 million card transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
• American Express: 50,000 to 2.5 million American Express Card transactions per year
• JCB: Less than one million JCB transactions per year

Level 3
• Visa: Annual SAQ; quarterly network scan by ASV; Attestation of Compliance form
• MasterCard: Annual SAQ; quarterly network scan by ASV
• Discover: All merchants processing a total of 20,000 to 1 million card-not-present only transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
• American Express: Less than 50,000 American Express Card transactions per year
• JCB: N/A

Level 4
• Visa: Annual SAQ recommended; quarterly network scan by ASV if applicable; compliance validation requirements set by acquirer
• MasterCard: Annual SAQ; quarterly network scan by ASV
• Discover: All other merchants
• American Express: N/A
• JCB: N/A

[1] Effective 30 June 2011, Level 1 merchants that choose to conduct an annual onsite assessment using an internal auditor must ensure that primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any PCI SSC associated accreditation program annually in order to continue to use internal auditors.
[2] Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.
Service Provider Reporting Requirements

Level 1
• Visa: Annual on-site security assessment by QSA; quarterly network scans by ASV
• MasterCard: Annual on-site security assessment by QSA; quarterly network scans by ASV
• Discover: Annual on-site security assessment by QSA (or internal auditor if signed by an officer of the service provider), or annual Self-Assessment Questionnaire D; quarterly network scans by ASV
• American Express: Annual on-site security assessment by QSA (or internal auditor if signed by an officer of the service provider); quarterly network scans by ASV
• JCB: Annual on-site security assessment by QSA; quarterly network scans by ASV

Level 2
• Visa: Annual SAQ; quarterly network scan by ASV
• MasterCard: Annual SAQ; quarterly network scan by ASV
• Discover: N/A
• American Express: N/A
• JCB: N/A
Realization
• Each card brand’s transaction-driven tiering and the
corresponding requirements differ from one brand to
the next
• For Self Assessment Questionnaire (SAQ)
merchants, if you employ more than one
transaction type, you’re obligated to use SAQ D
• For Level 2 Service Providers, you’re obligated
to use SAQ D
• SAQ D is the long one…
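As an added worked example (not part of the original presentation), the merchant-level logic from the Visa and MasterCard columns above, the Visa reporting requirements, and the "more than one transaction type means SAQ D" rule, encoded as a small classifier. The MerchantProfile fields and the handling of exact boundary values (1,000,000 and 20,000 transactions, where the slides give ranges only) are assumptions.

```python
# Added example: merchant level and validation requirements as described on the
# preceding slides (Visa and MasterCard columns only). Not part of the original
# presentation. Exact boundary handling (1,000,000 / 20,000) follows MasterCard's
# "greater than ... less than or equal to" wording and is applied to Visa as an
# assumption.
from dataclasses import dataclass


@dataclass
class MerchantProfile:
    """Constructed input: annual transaction counts and brand flags."""
    visa_total_tx: int = 0             # Visa transactions per year, all channels
    visa_ecom_tx: int = 0              # Visa e-commerce transactions per year
    mc_total_tx: int = 0               # combined MasterCard + Maestro, all channels
    mc_ecom_tx: int = 0                # combined MasterCard + Maestro e-commerce
    compromised: bool = False          # suffered an account data compromise
    brand_designated_l1: bool = False  # a brand, at its discretion, deems Level 1
    channels: tuple = ("ecommerce",)   # transaction types in use (ecommerce, pos, moto ...)


def visa_merchant_level(p: MerchantProfile) -> int:
    """Visa column: >6M all-channel tx -> 1; 1M-6M -> 2;
    20K-1M e-commerce tx -> 3; everything else -> 4."""
    if p.brand_designated_l1 or p.visa_total_tx > 6_000_000:
        return 1
    if p.visa_total_tx > 1_000_000:   # assumption: "1 million to 6 million" excludes exactly 1M
        return 2
    if p.visa_ecom_tx >= 20_000:      # Level 4 is "less than 20,000" e-commerce tx
        return 3
    return 4


def mastercard_merchant_level(p: MerchantProfile) -> int:
    """MasterCard column, including the cross-brand rule that meeting a
    Visa level's criteria places the merchant at that MasterCard level."""
    visa = visa_merchant_level(p)
    if (p.compromised or p.brand_designated_l1
            or p.mc_total_tx > 6_000_000 or visa == 1):
        return 1
    if p.mc_total_tx > 1_000_000 or visa == 2:
        return 2
    if p.mc_ecom_tx > 20_000 or visa == 3:   # e-commerce count <= total <= 1M here
        return 3
    return 4


def visa_validation(p: MerchantProfile) -> dict:
    """Visa column of the merchant reporting requirements, plus the
    "Realization" rule that more than one transaction type forces SAQ D."""
    level = visa_merchant_level(p)
    if level == 1:
        reqs = ["Annual Report on Compliance (ROC) by a QSA",
                "Quarterly network scan by an ASV",
                "Attestation of Compliance form"]
    elif level in (2, 3):
        reqs = ["Annual Self-Assessment Questionnaire (SAQ)",
                "Quarterly network scan by an ASV",
                "Attestation of Compliance form"]
    else:
        reqs = ["Annual SAQ recommended",
                "Quarterly network scan by an ASV if applicable",
                "Compliance validation requirements set by acquirer"]
    saq = None
    if level != 1:   # only SAQ merchants pick an SAQ type
        saq = "SAQ D" if len(set(p.channels)) > 1 else "SAQ for the single channel"
    return {"level": level, "requirements": reqs, "saq": saq}


if __name__ == "__main__":
    # Constructed sample: a small e-commerce plus point-of-sale merchant
    sample = MerchantProfile(visa_total_tx=50_000, visa_ecom_tx=30_000,
                             mc_total_tx=10_000, channels=("ecommerce", "pos"))
    print("Visa level:", visa_merchant_level(sample))               # 3
    print("MasterCard level:", mastercard_merchant_level(sample))   # 3
    print("Visa validation:", visa_validation(sample))              # SAQ D
```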
Suppose
• You have bandwidth to spare
• Your internal audit personnel possess broad and
deep compliance framework experience
• A team member has successfully completed a
PCI DSS compliance assessment in the past
When should you consider bringing in expert
assistance from the outside?
When Compliance Looks Easy
• Familiar with ISO 27001?
• Spoken with a colleague who indicated that their
SAQ was a simple matter of checking all the
‘Yes’ boxes and signing it?
• PCI DSS can be mapped to other frameworks,
but its focus is explicitly cardholder data security
• Compliance is never as easy as just checking all
the ‘Yes’ boxes
When You Receive An E-mail
Identifying Still Another Data Repository
• Unidentified data repositories can:
o Threaten momentum
o Lower morale
o Derail compliance efforts.
• Late-in-the-game discoveries might cause you to:
o Miss your target dates
o Incur unforeseen penalties
o Require re-work to remediate issues
• Recommendation: Identify all payment flows through a
combination of both human and automated means
o Surveys
o Interviews
o Data analytics
When You Are Not Certain Where
Your Cardholder Data Environment Begins Or Ends
• Does an unsolicited customer email automatically
bring a system into the Cardholder Data
Environment (CDE)?
• If an end-user chooses to record a call and save it
to local or LAN file, is the PC or fileserver in
scope?
• If the CDE firewall allows insecure protocols, is the
scope reduced?
• Is a workstation part of the CDE if it is used only
to key in the Primary Account Number (PAN) to a
hosted application through an encrypted channel?
When You Re-Read The Same
Requirement And Interpret It In Yet Another Way
• Read the PCI DSS?
• Attended seminars?
• Pored over various forum threads and blog
postings?
• Was that requirement really non-applicable?
• Does your planned compensating control truly go
above and beyond the rigor and intent of the
original requirement?
• Is your “business justification” for leaving open a
particular port or protocol sufficient?
Time To Seek Help
• Good counsel may at first seem to be in abundance,
but identifying the appropriate resource to provide
accurate direction is critical
• A different business’s compliance approach
probably does not apply to your own environment
• You cannot simply repeat last year’s response
• It probably does take an expert to address the “low
hanging fruit”
• Consulting a QSA prior to an assessment may prove to
be the shortest path to achieving compliance
Suggested Compliance Roles
• Audit
o Complete Self-Assessment Questionnaire or Level 1 or 2 assessment
o Periodic review of controls
• Governance
o Compliance oversight
o Policy development and distribution
o Coordination of organizational business units
• Security Operations
o Management and monitoring of controls
o Internal vulnerability scanning and/or penetration testing
o Log review
o Incident response
• System Administration
o Account and authentication management
o Access control management
o Configuration management
• Application Developers
o Development and testing
o Code review
o Revision control
• Database Administrators
o Record management
o Access control management
• Project Managers
o Assessment and validation planning
o Stakeholder coordination and reporting
o Resource scheduling
o Reporting
• Senior Management
o Report On Compliance review
o Sign Attestation Of Compliance
• Qualified Security Assessors
o On-site assessment
o Validation
o Report On Compliance creation
o Submission to the payment brands
o Countersign Attestation Of Compliance
• Approved Scanning Vendors
o External quarterly vulnerability scans
Assessment Preparation
Scope
• Scope of the cardholder data environment is defined as all system components which transmit, process, or store cardholder data.
• Limiting the scope of the cardholder data environment may reduce the scope of assessment and ongoing compliance efforts.
• Scope reduction strategies may include:
o Network Segmentation
o Tokenization
 All systems receiving cardholder data directly and performing tokenization are in scope
o End-to-End Encryption
 All systems receiving cardholder data directly and performing encryption are in scope
Network Segmentation (diagram: unsegmented vs. segmented network)
Tokenization (diagram)
End-to-End Encryption (diagram)
Assessment Preparation
Prioritized Approach Methodology
•Roadmap of compliance activities based on risk associated with storing, processing, and/or
transmitting cardholder data.
•Assists in prioritization of efforts to achieve compliance
•Establishes milestones
•Lowers the risk of cardholder data breaches sooner in the compliance process
•Helps acquirers to objectively measure compliance activities and risk reduction by
merchants, service providers, and others
•Pragmatic approach that allows for “quick wins”
•Supports financial and operational planning
•Promotes objective and measurable progress indicators
•Suitable for merchants who choose an on-site assessment or use SAQ D.
Assessment Preparation
Milestone Goals
Milestone 1: Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.
Milestone 2: Protect the perimeter, internal, and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point.
Milestone 3: Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
Milestone 4: Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
Milestone 5: Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
PCI DSS 2.0
Summary of changes, listed by requirement with the reason for change, the change itself, and the change category:

Introduction
• Reason for change: Clarify applicability of PCI DSS and cardholder data.
• Change: Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
• Change category: Clarification

Scope
• Reason for change: Ensure all locations of cardholder data are included in scope of PCI DSS assessments.
• Change: Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.
• Change category: Guidance

Introduction and Various
• Reason for change: Provide guidance on virtualization.
• Change: Expanded definition of system components to include virtual components. Updated requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization.
• Change category: Guidance

Requirement 1
• Reason for change: Further clarification of the DMZ.
• Change: Provide clarification on secure boundaries between the internet and the cardholder data environment.
• Change category: Clarification

Requirement 3.2
• Reason for change: Clarify applicability of PCI DSS to Issuers or Issuer Processors.
• Change: Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data.
• Change category: Clarification

Requirement 3.6
• Reason for change: Clarify key management processes.
• Change: Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.
• Change category: Clarification

Requirement 6.2
• Reason for change: Apply a risk-based approach for addressing vulnerabilities.
• Change: Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
• Change category: Evolving Requirement

Requirement 6.5
• Reason for change: Merge requirements to eliminate redundancy and expand examples of secure coding standards to include more than OWASP.
• Change: Merge requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
• Change category: Clarification

Requirement 12.3.10
• Reason for change: Clarify remote copy, move, and storage of CHD.
• Change: Update requirement to allow business justification for copy, move, and storage of CHD during remote access.
• Change category: Clarification
Thank You.
Maximizing ROI through Security Training (for Developers)Rochester Security Summit
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudRochester Security Summit
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltRochester Security Summit
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetRochester Security Summit
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Rochester Security Summit
 

Mehr von Rochester Security Summit (16)

IPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be IgnoredIPv6 Can No Longer Be Ignored
IPv6 Can No Longer Be Ignored
 
Radio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration TestingRadio Reconnaissance in Penetration Testing
Radio Reconnaissance in Penetration Testing
 
Real Business Threats!
Real Business Threats!Real Business Threats!
Real Business Threats!
 
Dealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation StyleDealing with Web Application Security, Regulation Style
Dealing with Web Application Security, Regulation Style
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)Maximizing ROI through Security Training (for Developers)
Maximizing ROI through Security Training (for Developers)
 
Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101 Dissecting the Hack: Malware Analysis 101
Dissecting the Hack: Malware Analysis 101
 
GRC– The Way Forward
GRC– The Way ForwardGRC– The Way Forward
GRC– The Way Forward
 
A Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public CloudA Plan to Control and Protect Data in the Private and Public Cloud
A Plan to Control and Protect Data in the Private and Public Cloud
 
Finding Patterns in Data Breaches
Finding Patterns in Data BreachesFinding Patterns in Data Breaches
Finding Patterns in Data Breaches
 
State Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork QuiltState Data Breach Laws - A National Patchwork Quilt
State Data Breach Laws - A National Patchwork Quilt
 
It's All About the Data!
It's All About the Data!It's All About the Data!
It's All About the Data!
 
A Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT BudgetA Security Testing Methodology that Fits Every IT Budget
A Security Testing Methodology that Fits Every IT Budget
 
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
Business Impact and Risk Assessments in Business Continuity and Disaster Reco...
 
Losing Control to the Cloud
Losing Control to the CloudLosing Control to the Cloud
Losing Control to the Cloud
 
Firewall Defense against Covert Channels
Firewall Defense against Covert Channels Firewall Defense against Covert Channels
Firewall Defense against Covert Channels
 

Kürzlich hochgeladen

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Kürzlich hochgeladen (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

You Know You Need PCI Compliance Help When…

  • 1. You Know You Need PCI Compliance Help When…
Presented by:
Peter Spier, Manager Professional Services, Fortrex Technologies
Jim Raub, Senior Director of Information Security and Compliance, PAETEC Holding Corporation
© 2010. All rights reserved.
  • 6. Background on PAETEC
Caring Culture, Open Communication, Unmatched Service, Personalized Solution
General Facts
• Founded in 1998
• Headquarters in Fairport, New York
• Publicly traded (Nasdaq: PAET)
• Serving over 84 of the top 100 Metropolitan Statistical Areas (MSAs) in the U.S. with personalized communications solutions
• Core offerings include data, voice, and Internet communications services
• Value-added solutions encompass data center colocation, communications management software, equipment, security and financing programs
  • 7. Overview of the PCI DSS
Reviewing PCI DSS compliance requirements for the first time can be a daunting task. The "Dirty Dozen":
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data
• Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software
• Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know
• Requirement 8: Assign a unique ID to each person with computer access
• Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data
• Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security
  • 8. Challenge #1: Are you a Merchant or a Service Provider?
  • 9. Merchants Defined
• Merchant: any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.
  • 10. Service Providers Defined
• Service Provider: a business entity that is not a payment card brand member or a merchant, directly involved in the processing, storage, transmission, or switching of transaction data and/or cardholder information.
 o This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data.
   Examples include managed service providers that provide managed firewalls, IDS and other services, as well as hosting providers and other entities.
   Entities such as telecommunications companies that only provide communication links, without access to the application layer of the communication link, are excluded.
  • 11. When Merchants Are Also Service Providers
• A merchant that accepts payment cards as payment for goods and/or services can also be a service provider if the services it sells result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.
   For example, an ISP is a merchant because it accepts payment cards for monthly billing, but it is also a service provider if it hosts merchants as customers.
  • 12. Challenge #2: What compliance level are you?
  • 13. Merchant Compliance Levels
Level 1
 o Visa: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region
 o MasterCard: any merchant that has suffered a hack or an attack that resulted in an account data compromise; any merchant with more than six million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 1 criteria of Visa; any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the system
 o Discover: all merchants processing more than 6 million card transactions annually on the Discover network; any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
 o American Express: 2.5 million American Express Card transactions or more per year; any merchant that has had a data incident; any merchant that American Express otherwise deems a Level 1
 o JCB: one million JCB transactions or more per year
Level 2
 o Visa: merchants processing 1 million to 6 million Visa transactions annually (all channels)
 o MasterCard: any merchant with more than one million but no more than six million total combined MasterCard and Maestro transactions annually; any merchant meeting the Level 2 criteria of Visa
 o Discover: all merchants processing 1 million to 6 million card transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
 o American Express: 50,000 to 2.5 million American Express Card transactions per year
 o JCB: less than one million JCB transactions per year
  • 14. Merchant Compliance Levels (continued)
Level 3
 o Visa: merchants processing 20,000 to 1 million Visa e-commerce transactions annually
 o MasterCard: any merchant with more than 20,000 combined MasterCard and Maestro e-commerce transactions annually but no more than one million total combined MasterCard and Maestro e-commerce transactions annually; any merchant meeting the Level 3 criteria of Visa
 o Discover: all merchants processing 20,000 to 1 million card-not-present-only transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
 o American Express: less than 50,000 American Express Card transactions per year
 o JCB: N/A
Level 4
 o Visa: merchants processing less than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually
 o MasterCard: all other merchants
 o Discover: all other merchants
 o American Express: N/A
 o JCB: N/A
  • 15. Service Provider Compliance Levels
Level 1
 o Visa: VisaNet processors, or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually
 o MasterCard: all Third Party Processors (TPPs); all Data Storage Entities (DSEs) that store, transmit, or process more than 300,000 total combined MasterCard and Maestro transactions annually
 o Discover: all TPPs
 o American Express: all TPPs
 o JCB: all TPPs
Level 2
 o Visa: any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually
 o MasterCard: all DSEs that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually
 o Discover: N/A
 o American Express: N/A
 o JCB: N/A
  • 16. Challenge #3: What requirements apply?
  • 17. Merchant Reporting Requirements
Level 1
 o Visa: annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); quarterly network scan by an Approved Scanning Vendor (ASV); Attestation of Compliance form
 o MasterCard: annual on-site assessment (1); quarterly network scan by an ASV
 o Discover: all merchants processing more than 6 million card transactions annually on the Discover network; any merchant Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements; all merchants required by another payment brand to validate and report their compliance as a Level 1 merchant
 o American Express: 2.5 million American Express Card transactions or more per year; any merchant that has had a data incident; any merchant that American Express otherwise deems a Level 1
 o JCB: one million JCB transactions or more per year
Level 2
 o Visa: annual Self-Assessment Questionnaire (SAQ); quarterly network scan by an ASV; Attestation of Compliance form; on-site assessment at the merchant's discretion
 o MasterCard: annual Self-Assessment Questionnaire (SAQ) (2); quarterly network scan by an ASV
 o Discover: all merchants processing 1 million to 6 million card transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 2 merchant
 o American Express: 50,000 to 2.5 million American Express Card transactions per year
 o JCB: less than one million JCB transactions per year
(1) Effective 30 June 2011, Level 1 merchants that choose to conduct an annual on-site assessment using an internal auditor must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to continue to use internal auditors.
(2) Effective 30 June 2011, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs and pass any associated PCI SSC accreditation program annually in order to retain the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual on-site assessment conducted by a PCI SSC-approved QSA rather than an annual self-assessment questionnaire.
  • 18. Merchant Reporting Requirements (continued)
Level 3
 o Visa: annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form
 o MasterCard: annual SAQ; quarterly network scan by an ASV
 o Discover: all merchants processing 20,000 to 1 million card-not-present-only transactions annually on the Discover network; all merchants required by another payment brand to validate and report their compliance as a Level 3 merchant
 o American Express: less than 50,000 American Express Card transactions per year
 o JCB: N/A
Level 4
 o Visa: annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the acquirer
 o MasterCard: annual SAQ; quarterly network scan by an ASV
 o Discover: all other merchants
 o American Express: N/A
 o JCB: N/A
  • 19. Service Provider Reporting Requirements
Level 1
 o Visa: annual on-site security assessment by a QSA; quarterly network scans by an ASV
 o MasterCard: annual on-site security assessment by a QSA; quarterly network scans by an ASV
 o Discover: annual on-site security assessment by a QSA (or by an internal auditor if signed by an officer of the service provider), or annual Self-Assessment Questionnaire D; quarterly network scans by an ASV
 o American Express: annual on-site security assessment by a QSA (or by an internal auditor if signed by an officer of the service provider); quarterly network scans by an ASV
 o JCB: annual on-site security assessment by a QSA; quarterly network scans by an ASV
Level 2
 o Visa: annual SAQ; quarterly network scan by an ASV
 o MasterCard: annual SAQ; quarterly network scan by an ASV
 o Discover: N/A
 o American Express: N/A
 o JCB: N/A
  • 20. Realization
• Each card brand's transaction-driven tiering, and the validation requirements that go with it, differ from one brand to the next
• For Self-Assessment Questionnaire (SAQ) merchants: if your payment channels do not all fit within a single SAQ type, you are obligated to use SAQ D
• Level 2 service providers are obligated to use SAQ D
• SAQ D is the long one…
  • 21. Suppose
• You have bandwidth to spare
• Your internal audit personnel possess broad and deep compliance framework experience
• A team member has successfully completed a PCI DSS compliance assessment in the past
When should you consider bringing in expert assistance from the outside?
  • 22. When Compliance Looks Easy
• Familiar with ISO/IEC 27001?
• Spoken with a colleague who indicated that their SAQ was a simple matter of checking all the 'Yes' boxes and signing it?
• PCI DSS can be mapped to other frameworks, but its focus is explicitly cardholder data security
• Compliance is never as easy as just checking all the 'Yes' boxes
  • 23. When You Receive An E-mail Identifying Still Another Data Repository
• Unidentified data repositories can:
 o Threaten momentum
 o Lower morale
 o Derail compliance efforts
• Late-in-the-game discoveries might cause you to:
 o Miss your target dates
 o Incur unforeseen penalties
 o Require re-work to remediate issues
• Recommendation: identify all payment flows through a combination of human and automated means:
 o Surveys
 o Interviews
 o Data analytics (automated discovery of cardholder data in file shares, databases, mail stores and logs)
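The data-analytics part of that recommendation, as an added example that is not code from the presentation, Fortrex or PAETEC: a small PAN discovery scanner that pulls 13- to 19-digit candidates out of text, keeps only those that pass the Luhn check, and reports each hit masked to first six/last four so the scan report does not itself become yet another cardholder data repository. The file names and sample contents are constructed for the example; the card numbers are standard test numbers, not real accounts.

```python
import re
from typing import NamedTuple

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check. Every real PAN passes it; roughly nine in ten random
    digit runs of the same length (timestamps, order numbers, IMEIs) fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display form permitted by PCI DSS 3.3: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Hit(NamedTuple):
    source: str      # file, table or mailbox the PAN was found in
    line_no: int
    masked_pan: str  # never the full PAN: the report must not become a repository


def find_pans(source: str, text: str) -> list:
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append(Hit(source, line_no, mask_pan(digits)))
    return hits


def scan_all(sources: dict) -> list:
    """Scan every (name, text) pair; in practice the texts come from file shares,
    database exports, mail stores and call-centre notes."""
    hits = []
    for name, text in sources.items():
        hits.extend(find_pans(name, text))
    return hits


# Constructed sample inputs for the example; the card numbers are standard test
# numbers, not real accounts.
SAMPLE_SOURCES = {
    "helpdesk-mail.txt": (
        "From: customer@example.com\n"
        "Please charge my card 4111 1111 1111 1111, exp 12/12, for order ORD-2010-1104-0001\n"
        "Call me at 585-555-0100 if there is a problem\n"
    ),
    "call-notes.csv": (
        "ticket,note\n"
        "1042,cust read card over phone 5555-5555-5555-4444 cvv not recorded\n"
        "1043,card 4111111111111112 declined (typo)\n"
        "1044,amex 378282246310005 approved\n"
    ),
}

if __name__ == "__main__":
    for hit in scan_all(SAMPLE_SOURCES):
        print(f"{hit.source}:{hit.line_no}: {hit.masked_pan}")
```

The mistyped number on ticket 1043 fails Luhn and is dropped, which is what keeps the noise down on large exports; expect some residual false positives from long numeric identifiers that happen to pass, and treat every hit as a repository to inventory and either purge or bring into scope.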
  • 24. When You Are Not Certain Where Your Cardholder Data Environment Begins Or Ends
• Does an unsolicited customer e-mail containing card data automatically bring a system into the Cardholder Data Environment (CDE)?
• If an end user chooses to record a call and save it to a local or LAN file, is the PC or file server in scope?
• If the CDE firewall allows insecure protocols, is the scope reduced?
• Is a workstation part of the CDE if it is used only to key the Primary Account Number (PAN) into a hosted application over an encrypted channel?
  • 25. When You Re-Read The Same Requirement And Interpret It In Yet Another Way
• Read the PCI DSS?
• Attended seminars?
• Pored over various forum threads and blog postings?
• Was that requirement really non-applicable?
• Does your planned compensating control truly meet the intent and rigor of the original requirement, and go above and beyond what other PCI DSS requirements already demand?
• Is your "business justification" for leaving a particular port or protocol open sufficient?
  • 26. Time To Seek Help
• Good counsel may at first seem abundant, but identifying the right resource to provide accurate direction is critical
• Another business's compliance approach probably does not apply to your own environment
• You cannot simply repeat last year's response
• It probably does take an expert to address even the "low-hanging fruit"
• Consulting a QSA before an assessment may prove to be the shortest path to achieving compliance
Suggested Compliance Roles
• Audit
  o Complete Self-Assessment Questionnaire or Level 1 or 2 assessment
  o Periodic review of controls
• Governance
  o Compliance oversight
  o Policy development and distribution
  o Coordination of organizational business units
• Security Operations
  o Management and monitoring of controls
  o Internal vulnerability scanning and/or penetration testing
  o Log review
  o Incident response
• System Administration
  o Account and authentication management
  o Access control management
  o Configuration management
• Application Developers
  o Development and testing
  o Code review
  o Revision control
• Database Administrators
  o Record management
  o Access control management
• Project Managers
  o Assessment and validation planning
  o Stakeholder coordination and reporting
  o Resource scheduling
  o Reporting
• Senior Management
  o Report On Compliance review
  o Sign Attestation Of Compliance
• Qualified Security Assessors
  o On-site assessment
  o Validation
  o Report On Compliance creation
  o Submission to the payment brands
  o Countersign Attestation Of Compliance
• Approved Scanning Vendors
  o External quarterly vulnerability scans
Assessment Preparation: Scope
• Scope of the cardholder data environment is defined as all system components which transmit, process, or store cardholder data.
• Limiting the scope of the cardholder data environment may reduce the scope of assessment and ongoing compliance efforts.
• Scope reduction strategies may include:
  o Network Segmentation
  o Tokenization: all systems receiving cardholder data directly and performing tokenization are in scope
  o End-to-End Encryption: all systems receiving cardholder data directly and performing encryption are in scope
Network Segmentation
(Diagram: Unsegmented vs. Segmented)
Tokenization
(Diagram)
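The tokenization strategy listed under Assessment Preparation keeps the PAN inside one vault component and hands every other system a surrogate. This added example (not the presenters' or PAETEC's code) shows that split in working form; the HMAC-keyed lookup index and the choice to issue tokens that fail the Luhn check are this example's own design assumptions, not requirements stated in the slides.

```python
import hashlib
import hmac
import secrets


def luhn_ok(digits):
    """Luhn check; real PANs pass it, tokens issued below deliberately do not."""
    s = sum(int(d) if i % 2 == 0 else int(d) * 2 % 10 + int(d) * 2 // 10
            for i, d in enumerate(reversed(digits)))
    return s % 10 == 0


class TokenVault:
    """The one component that sees PANs; everything downstream sees only tokens.
    This is the part of the environment that stays in scope (assumption: the
    vault is a separate, segmented service)."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._token_by_index = {}  # HMAC(PAN) -> token, so the same PAN maps once
        self._pan_by_token = {}    # token -> PAN, the vault proper

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Return a stable, format-preserving token for a PAN."""
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for receipts and support
            # A token that fails Luhn cannot be mistaken for a live card number
            # (so a discovery scan will not flag it), and must not collide.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Only the vault (in scope) can turn a token back into a PAN."""
        return self._pan_by_token[token]


def record_order(vault, order_id, pan):
    """Merchant-side order record: the PAN is swapped for its token and never kept."""
    return {"order_id": order_id, "payment_ref": vault.tokenize(pan)}
```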
End-to-End Encryption
(Diagram)
Assessment Preparation: Prioritized Approach Methodology
• Roadmap of compliance activities based on risk associated with storing, processing, and/or transmitting cardholder data.
• Assists in prioritization of efforts to achieve compliance
• Establishes milestones
• Lowers the risk of cardholder data breaches sooner in the compliance process
• Helps acquirers to objectively measure compliance activities and risk reduction by merchants, service providers, and others
• Pragmatic approach that allows for “quick wins”
• Supports financial and operational planning
• Promotes objective and measurable progress indicators
• Suitable for merchants who choose an on-site assessment or use SAQ D.
Assessment Preparation: Milestone Goals
1. Remove sensitive authentication data and limit data retention. This milestone targets a key area of risk for entities that have been compromised. Remember – if sensitive authentication data and other cardholder data are not stored, the effects of a compromise will be greatly reduced. If you don’t need it, don’t store it.
2. Protect the perimeter, internal, and wireless networks. This milestone targets controls for points of access to most compromises – the network or a wireless access point.
3. Secure payment card applications. This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.
4. Monitor and control access to your systems. Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.
5. Protect stored cardholder data. For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone Five targets key protection mechanisms for that stored data.
6. Finalize remaining compliance efforts, and ensure all controls are in place. The intent of Milestone Six is to complete PCI DSS requirements and finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
PCI DSS 2.0

Requirement: Introduction
Reason for Change: Clarify applicability of PCI DSS and cardholder data. Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
Change Category: Clarification

Requirement: Scope
Reason for Change: Ensure all locations of cardholder data are included in scope of PCI DSS assessments. Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.
Change Category: Guidance

Requirement: Introduction and Various
Reason for Change: Provide guidance on virtualization. Expanded definition of system components to include virtual components. Updated Requirement 2.2.1 to clarify intent of “one primary function per server” and use of virtualization.
Change Category: Guidance

Requirement: 1
Reason for Change: Further clarification of the DMZ. Provide clarification on secure boundaries between the Internet and the cardholder data environment.
Change Category: Clarification

Requirement: 3.2
Reason for Change: Clarify applicability of PCI DSS to Issuers or Issuer Processors. Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data.
Change Category: Clarification
PCI DSS 2.0 (Continued)

Requirement: 3.6
Reason for Change: Clarify key management processes. Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge.
Change Category: Clarification

Requirement: 6.2
Reason for Change: Apply a risk-based approach for addressing vulnerabilities. Update requirement to allow vulnerabilities to be ranked and prioritized according to risk.
Change Category: Evolving Requirement

Requirement: 6.5
Reason for Change: Merge requirements to eliminate redundancy and expand examples of secure coding standards to include more than OWASP. Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT.
Change Category: Clarification

Requirement: 12.3.10
Reason for Change: Clarify remote copy, move, and storage of CHD. Update requirement to allow business justification for copy, move, and storage of CHD during remote access.
Change Category: Clarification
Thank You.