PCI DSS 3.0 Overview and Key Updates

•

2 gefällt mir•1,566 views

The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS) and its revisions over time. PCI DSS 3.0 introduced several updates that became effective on July 1, 2015, including additional documentation requirements, strengthened technical security controls, updated self-assessment questionnaires, and changes to service provider management. The overall goal of PCI DSS and its ongoing revisions is to help organizations maintain security and protect cardholder data.

Technologie

Overview……………………………….……3
Background & Drivers……………….……7
PCI DSS 3.0 Updates…………………...…22
3.0 Updates Effective July 1, 2015…......26
Summary………………………………...….30
CONTENTS

Payment Card Industry Data Security
Standards (PCI DSS)
A set of requirements designed to ensure that all
companies that store, process or transmit credit
card information maintain a secure environment
OVERVIEW

Payment Card Industry Security
Standards Council (PCI SSC)
An independent body created by the major
payment card brands in 2006 to administor and
manage the ongoing evolution of the PCI DSS
OVERVIEW

History of PCI DSS Revisions
OVERVIEW
2004
Version 1.0
2006
Version 1.1
2008
Version 1.2
2010
Version 2.0
2009
Version 1.2.1
2013
Version 3.0

Several standards introduced new
versions for 2014 including:
– SOC 2 (Trust Services Principles)

Several standards introduced new
versions for 2014 including:
– SOC 2 (Trust Services Principles)
– ISO 27001 (2013)

Several standards introduced new
versions for 2014 including:
– SOC 2 (Trust Services Principles)
– ISO 27001 (2013)
– FedRAMP - NIST 800-53 Rev 4

Several standards introduced new
versions for 2014 including:
– SOC 2 (Trust Services Principles)
– ISO 27001 (2013)
– FedRAMP - NIST 800-53 Rev 4
– CSA STAR

Several standards introduced new
versions for 2014 including:
– SOC 2 (Trust Services Principles)
– ISO 27001 (2013)
– FedRAMP - NIST 800-53 Rev 4
– CSA STAR
– PCI DSS 3.0

WHY UPDATE TO 3.0?
The PCI Security Standards Council’s (“SSC”)
three year update schedule

WHY UPDATE TO 3.0?
The PCI Security Standards Council’s (“SSC”)
three year update schedule
Consistency in assessments

WHY UPDATE TO 3.0?
The PCI Security Standards Council’s (“SSC”)
three year update schedule
Consistency in assessments
Streamline certain requirements

January 1, 2014
PCI DSS 3.0 is effective
(Merchant or service provider’s choice)
WHEN TO UPDATE?

January 1, 2015
(Required for all assessments)
WHEN TO UPDATE?

BrightLine recommends for any
merchant or service provider preparing
for the first time
WHEN TO UPDATE?

BrightLine recommends use of 3.0
for clients performing assessments
after August
WHEN TO UPDATE?

• Breadth and depth of requirements
• Systems inventory
• Dataflow diagrams
• Detailed access needs for each role
• Service provider due diligence
ADDITIONAL DOCUMENTATION
REQUIREMENTS

• Antivirus definition
• Additional application security vectors
– e.g. memory scraping
• Additional validation testing required for:
– Access control and authentication
– More flexibility for ‘daily’ log monitoring
TECHNICAL UPDATES

• SAQ A vs. SAQ A-EP
– SAQ A: 14 questions
– SAQ A-EP: ~ 150 questions
• Of note - a properly formed iFrame can use SAQ-A
• All e-commerce providers have to meet all
applicable requirements regardless of SAQ form
SELF ASSESSMENT QUESTIONNAIRE
& E-COMMERCE IMPLICATIONS

• In a shared hosting environment, unique
authentication credentials to each environment
• Physical protection of payment devices
• Web application vulnerability testing for broken
authentication and session management
ACCESS CONTROL
& TECHNICAL

Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014
PENETRATION
TESTING
• Implement a methodology
• Emphasis on external AND internal network
and application testing
• Validate segmentation and scope-reduction
controls

• Acknowledgement of responsibility from
service providers
• Define which requirements are managed by
service providers and which are managed by
the entity
SERVICE PROVIDER
MANAGEMENT

In summary,
the PCI DSS is:
FACILITATING
CONSISTENCY

In summary,
the PCI DSS is:
INSISTING
CONTINUOUS
COMPLIANCE

Weitere ähnliche Inhalte

Ähnlich wie PCI DSS 3.0 Overview and Key Updates

PCI Servces - PCI Compliance Questionnaire

Richard Common

Pci standards, from participation to implementation and review

isc2-hellenic

Pci Saq D

Jeffrey Katz

PCI DSS v4 - ControlCase Update Webinar Final.pdf

ControlCase

Complying with the PCI standard is a normal part of doing business in today’s credit-centric world. But, PCI applies to multiple platforms. The challenge becomes how to map the general PCI requirements to a specific platform, such as IBM i. And, more importantly, how can you maintain—and prove—compliance? This slideshow will help you understand: - How PCI requirements relate to IBM i systems - IBM i-specific barriers to compliance -How PowerTech security solutions help you fulfill PCI requirements, meet compliance guidelines, and satisfy auditors You’ll have the knowledge and confidence you need to evaluate PCI compliance requirements and prepare your IBM i system for today’s regulatory challenges.

An Introduction to PCI Compliance on IBM Power Systems

HelpSystems

SFISSA - PCI DSS 3.0 - A QSA Perspective

Mark Akins

Webinar - pci dss 4.0 updates

VISTA InfoSec

Hosted by ControlCase and the PCI Security Standards Council, this 45-minute webinar will cover: History of PCI DSS (including current version 3.2) PCI DSS v4.0 High-Level Changes PCI DSS v4.0 Timeline Deep Dive into notable changes: Promote Security as a Continuous Process Increased Flexibility and Customized Approach Increased Alignment between PCI ROC and PCI SAQ Keep up with the security needs of the Payment Industry and landscape (such as MFA/phishing, etc.) ControlCase Methodology for v4.0 Q&A

PCI DSS 4.0 Webinar Final.pptx

ControlCase

RDX teams up with MegaplanIT, a nationally known PCI Qualified Security Assessor, to provide strategies and best practices that can be used to adhere to all regulatory compliance frameworks. The presentation begins with a quick overview of the most popular industry standards and regulatory requirements. MegaplanIT continues with a deep dive into the 12 PCI DSS requirements and discusses risk assessment key considerations. RDX then follows with a discussion on AICPA's SOC 1, SOC 2 and SOC 3 compliance frameworks and 5 Trust Principles. RDX finishes the webinar by sharing numerous helpful hints, tips and best practices for implementation and ongoing adherence. A link to a video of the presentations is provided on the last slide.

Secrets for Successful Regulatory Compliance Projects

Christopher Foot

How to Report on your PCI DSS Compliance.docx

Christian James

Integrating Multiple IT Security Standards

Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master

What's New With WSO2 Open Banking

WSO2

PCI DSSand PA DSS

Kimberly Simon MBA

Payment Card Industry Data Security Standard (PCI DSS) 3.0

- Mark - Fullbright

Open Banking and PSD2: Are your APIs ready for external testing?

WSO2

PCI DSS: Update on the evolution of the standard. MasterCard WorldWide

Internet Security Auditors

Looking Forward to PCI DSS v4.0

Kriangkrai Chumsaktrakul

PCI DSS 3.2 - Business as Usual

Kimberly Simon MBA

Leveraging compliance to raise the bar on security

Mike Lemire

PCI DSS Scoping and Applicability

Manish Mahapatra

Ähnlich wie PCI DSS 3.0 Overview and Key Updates (20)

PCI Servces - PCI Compliance Questionnaire

Pci standards, from participation to implementation and review

Pci Saq D

PCI DSS v4 - ControlCase Update Webinar Final.pdf

An Introduction to PCI Compliance on IBM Power Systems

SFISSA - PCI DSS 3.0 - A QSA Perspective

Webinar - pci dss 4.0 updates

PCI DSS 4.0 Webinar Final.pptx

Secrets for Successful Regulatory Compliance Projects

How to Report on your PCI DSS Compliance.docx

Integrating Multiple IT Security Standards

What's New With WSO2 Open Banking

PCI DSSand PA DSS

Payment Card Industry Data Security Standard (PCI DSS) 3.0

Open Banking and PSD2: Are your APIs ready for external testing?

PCI DSS: Update on the evolution of the standard. MasterCard WorldWide

Looking Forward to PCI DSS v4.0

PCI DSS 3.2 - Business as Usual

Leveraging compliance to raise the bar on security

PCI DSS Scoping and Applicability

Mehr von Schellman & Company

Privacy is a growing concern in today’s compliance environment. Existing and new requirements continue to push for organizations to properly address their privacy risk. As a cloud provider, there is no better way to help ensure that an organization is serious about their customers and their customers’ data than to include the control requirements from ISO 27018 into their compliance stack.

Privacy in the Cloud- Introduction to ISO 27018

Schellman & Company

With all of the acronyms and numbers, it is challenging to determine what is what in the world of cyber security and compliance. In the government space, the National Institute of Standards (NIST) has been the key body for identifying and determining standards related to protecting critical infrastructure and government data. Participants will walk away more conversant in the alphabet soup of NIST requirements and how they apply to these various programs. This presentation: • Provides a deep dive in the the similarities and differences between standards such as NIST 800-53, 800-171, and frameworks such as the cybersecurity framework • How these standards and frameworks apply to FedRAMP, CJIS, and very specific programs covering data like the Death Master File (DMF)

Demystifying the Cyber NISTs

Schellman & Company

Determining Scope for PCI DSS Compliance

Schellman & Company

A new transatlantic data transfer framework is changing the way U.S. companies handle, transfer and store data from EU citizens. Now, American companies face stronger obligations to protect this data, and if your company handles or wants to handle personal data from the EU, it will have to prove it meets the requirements of Privacy Shield. If the idea of understanding and complying with Privacy Shield seems overwhelming, or you just want to learn more about it, we’re here to help. In this deck we cover: • How Privacy Shield differs from Safe Harbor • The 2 options you have to prove you’re compliant • The principles of Privacy Shield, and more

Privacy shield: What You Need To Know About Storing EU Data

Schellman & Company

Everything You Need To Know About SOC 1

Schellman & Company

FedRAMP is the federal government's risk and security assessment program for cloud-based services as part of the cloud-first initiative, and is designed to make the assessment process more efficient by providing a "do once, use many times" framework. If you work with or want to work with federal agencies, your organization will need to be FedRAMP compliant. On this webinar, you will: • Learn the background and overview of the FedRAMP program • Take a deep dive of the assessment process • Discover the benefits and challenges companies experience during the assessment process

Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...

Schellman & Company

Security risks associated with payment applications have never been greater or more publicized. The Payment Application Data Security Standard (PA-DSS) and application penetration testing under the broader PCI DSS requirement 11.3 both aim to address application threat vectors, albeit through different tools and mechanisms. In this presentation, we will cover: • An overview of PA-DSS and application penetration testing • The shared elements and compare and contrast some of the more detailed differences • The requirements, where they apply, and how they play a role in securing payment applications

PA-DSS and Application Penetration Testing

Schellman & Company

The CSA STAR Programs will provide your organization an additional assessment to showcase your overall compliance program. Cloud security providers are in an ever changing world. Traditionally the CCM was pointed to as an authoritative guidance. Now organizations have the opportunity to undergo third party assessments, through the STAR Programs to validate maturity level or control activities. This slideshow will cover: • A background and overview of the programs. • A deep-dive of the CSA Attestation/Certification methodology and testing. • A side by side comparison. • The benefits and challenges.

The CSA STAR Program: Certification & Attestation

Schellman & Company

Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity, increase efficiency and better manage medical expenses. The HITRUST Common Security Framework: A way to protect electronic health information. The HITRUST Common Security Framework (CSF) was developed to address the myriad of security, privacy and regulatory challenges facing healthcare organizations and their sub-service providers. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF assists organizations address these challenges through a comprehensive framework of prescriptive and scalable security control. Topics covered in clude: • A background and overview of the CSF program • Understanding and leveraging the CSF • Standards and regulations mapping • Implementing the CSF • Third party certification • The benefits and challenges

Get Ready Now for HITRUST 2017

Schellman & Company

ISO/IEC 27001:2013 (ISO 27001) is the internationally recognized standard that outlines the requirements for constructing a risk-based framework to initiate, implement, maintain, and manage information security within an organization. This slidehow will cover: • Background and Overview • Provide an overview of the ISMS • Review the ISMS implementation considerations • Provide the ISMS transition considerations • Discuss the Annex A Mapping • Provide timing and expectations

STAND OUT: Why You Should Become ISO 27001 Certified

Schellman & Company

ISO 27017 /27018 is the first international code of practice that focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII). Discover: • Background of ISO 27017 and 27018 • Scope and Purpose • Comparison with ISO 27001 and 27002 • Future of ISO 27017 with ISO 27018 • Challenges and Benefits • Certification Process and Next Steps

Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018

Schellman & Company

SOC 2 and You

Schellman & Company

Organizations in the healthcare industry are under immense pressure to improve quality, reduce complexity, increase efficiency and better manage medical expenses. The HITRUST Common Security Framework (CSF) was developed to address the myriad of security, privacy and regulatory challenges facing healthcare organizations and their sub-service providers. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the CSF assists organizations address these challenges through a comprehensive framework of prescriptive and scalable security control.

Hitrust: Navigating to 2017, Your Map to HITRUST Certification

Schellman & Company

Cloud security providers are in an ever changing world. Traditionally the CCM was pointed to as an authoritative guidance. Now organizations have the opportunity to undergo third party assessments, through the STAR Programs, to validate maturity level or control activities. This deck will provide: • A background and overview of the programs • The CSA Attestation/Certification methodology and testing • A side by side comparison • The benefits and challenges

CSA STAR Program

Schellman & Company

The SOC 2 examination's popularity has dramatically increased since its inception. This is due to growing concerns regarding information security have heightened scrutiny of organization’s control infrastructure and driven the demand for attestation reports. Join BrightLine Principal, Debbie Zaller and Senior Manager, Doug Kanney during this free webinar - and learn how a SOC 2 examination can help your organization. Become familiar with the SOC 2's report objectives, learn about its structure and areas to focus, and benefit from some valuable lessons we've learned from extensive experience. This session will provide you with a: • Overview of the SOC 2 background • Definition of the AICPA Framework • Overview of the purpose and scope • Discussion of the common challenges and benefits • Requirements of the examination process • Discussion of the alignment with other standards

SOC 2: Build Trust and Confidence

Schellman & Company

To compete in today's marketplace, your customers must have trust and confidence in your environment. The popularity of the SOC 1 report has been amplified with an increase in outsourcing relationships and customer mandates for a stronger control environment. * Review of the background and history * Definition of the AICPA Framework * Overview of the purpose and scope * Discussion of boundaries and benefits * Requirements of the examination process * Outline the anatomy of the report

SOC 1 Overview

Schellman & Company

12 Steps to Preparing for a QAR

Schellman & Company

EPCS Overview

Schellman & Company

10 Steps Toward FedRAMP Compliance

Schellman & Company

Your've Been Hacked in Florida! Now What?

Schellman & Company

Mehr von Schellman & Company (20)

Privacy in the Cloud- Introduction to ISO 27018

Demystifying the Cyber NISTs

Determining Scope for PCI DSS Compliance

Privacy shield: What You Need To Know About Storing EU Data

Everything You Need To Know About SOC 1

Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm...

PA-DSS and Application Penetration Testing

The CSA STAR Program: Certification & Attestation

Get Ready Now for HITRUST 2017

STAND OUT: Why You Should Become ISO 27001 Certified

Locking Up Your Cloud Environment: An Introduction to ISO/IEC 27017 and 27018

SOC 2 and You

Hitrust: Navigating to 2017, Your Map to HITRUST Certification

CSA STAR Program

SOC 2: Build Trust and Confidence

SOC 1 Overview

12 Steps to Preparing for a QAR

EPCS Overview

10 Steps Toward FedRAMP Compliance

Your've Been Hacked in Florida! Now What?

Kürzlich hochgeladen

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Automating Google Workspace (GWS) & more with Apps Script

wesley chun

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Imagine a world where information flows as swiftly as thought itself, making decision-making as fluid as the data driving it. Every moment is critical, and the right tools can significantly boost your organization’s performance. The power of real-time data automation through FME can turn this vision into reality. Aimed at professionals eager to leverage real-time data for enhanced decision-making and efficiency, this webinar will cover the essentials of real-time data and its significance. We’ll explore: FME’s role in real-time event processing, from data intake and analysis to transformation and reporting An overview of leveraging streams vs. automations FME’s impact across various industries highlighted by real-life case studies Live demonstrations on setting up FME workflows for real-time data Practical advice on getting started, best practices, and tips for effective implementation Join us to enhance your skills in real-time data automation with FME, and take your operational capabilities to the next level.

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Safe Software

Webinar Recording: https://www.panagenda.com/webinars/why-teams-call-analytics-is-critical-to-your-entire-business Nothing is as frustrating and noticeable as being in an important call and being unable to see or hear the other person. Not surprising then, that issues with Teams calls are among the most common problems users call their helpdesk for. Having in depth insight into everything relevant going on at the user’s device, local network, ISP and Microsoft itself during the call is crucial for good Microsoft Teams Call quality support. To ensure a quick and adequate solution and to ensure your users get the most out of their Microsoft 365. But did you know that ‘bad calls’ are also an excellent indicator of other problems arising? Precisely because it is so noticeable!? Like the canary in the mine, bad calls can be early indicators of problems. Problems that might otherwise not have been noticed for a while but can have a big impact on productivity and satisfaction. Join this session by Christoph Adler to learn how true Microsoft Teams call quality analytics helped other organizations troubleshoot bad calls and identify and fix problems that impacted Teams calls or the use of Microsoft365 in general. See what it can do to keep your users happy and productive! In this session we will cover - Why CQD data alone is not enough to troubleshoot call problems - The importance of attributing call problems to the right call participant - What call quality analytics can do to help you quickly find, fix-, and prevent problems - Why having retrospective detailed insights matters - Real life examples of how others have used Microsoft Teams call quality monitoring to problem shoot problems with their ISP, network, device health and more.

Why Teams call analytics are critical to your entire business

panagenda

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

In this session, we will delve into strategic approaches for optimizing knowledge management within Microsoft 365, amidst the evolving landscape of Copilot. From leveraging automatic metadata classification and permission governance with SharePoint Premium, to unlocking Viva Engage for the cultivation of knowledge and communities, you will gain actionable insights to bolster your organization's knowledge-sharing initiatives. In this session, we will also explore how to facilitate solutions to enable your employees to find answers and expertise within Microsoft 365. You will leave equipped with practical techniques and a deeper understanding of how there is more to effective knowledge management than just enabling Copilot, but building actual solutions to prepare the knowledge that Copilot and your employees can use.

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Drew Madelung

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Kürzlich hochgeladen (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

GenAI Risks & Security Meetup 01052024.pdf

Apidays New York 2024 - The value of a flexible API Management solution for O...

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Automating Google Workspace (GWS) & more with Apps Script

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

🐬 The future of MySQL is Postgres 🐘

How to Troubleshoot Apps for the Modern Connected Worker

Exploring the Future Potential of AI-Enabled Smartphone Processors

From Event to Action: Accelerate Your Decision Making with Real-Time Automation

Why Teams call analytics are critical to your entire business

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...

Data Cloud, More than a CDP by Matt Robison

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

HTML Injection Attacks: Impact and Mitigation Strategies

Strategies for Landing an Oracle DBA Job as a Fresher

PCI DSS 3.0 Overview and Key Updates

2. Overview……………………………….……3 Background & Drivers……………….……7 PCI DSS 3.0 Updates…………………...…22 3.0 Updates Effective July 1, 2015…......26 Summary………………………………...….30 CONTENTS

3. OVERVIEW

4. Payment Card Industry Data Security Standards (PCI DSS) A set of requirements designed to ensure that all companies that store, process or transmit credit card information maintain a secure environment OVERVIEW

5. Payment Card Industry Security Standards Council (PCI SSC) An independent body created by the major payment card brands in 2006 to administor and manage the ongoing evolution of the PCI DSS OVERVIEW

6. History of PCI DSS Revisions OVERVIEW 2004 Version 1.0 2006 Version 1.1 2008 Version 1.2 2010 Version 2.0 2009 Version 1.2.1 2013 Version 3.0

7. BACKGROUND & DRIVERS

8. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles)

9. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013)

10. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4

11. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4 – CSA STAR

12. Several standards introduced new versions for 2014 including: – SOC 2 (Trust Services Principles) – ISO 27001 (2013) – FedRAMP - NIST 800-53 Rev 4 – CSA STAR – PCI DSS 3.0

13. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule

14. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments

15. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Streamline certain requirements

16. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Streamline certain requirements Align with technology trends

17. WHY UPDATE TO 3.0? The PCI Security Standards Council’s (“SSC”) three year update schedule Consistency in assessments Streamline certain requirements Align with technology trends Cooperate with “business as usual”

18. January 1, 2014 PCI DSS 3.0 is effective (Merchant or service provider’s choice) WHEN TO UPDATE?

19. January 1, 2015 (Required for all assessments) WHEN TO UPDATE?

20. BrightLine recommends for any merchant or service provider preparing for the first time WHEN TO UPDATE?

21. BrightLine recommends use of 3.0 for clients performing assessments after August WHEN TO UPDATE?

22. PCI DSS 3.0 UPDATES

23. • Breadth and depth of requirements • Systems inventory • Dataflow diagrams • Detailed access needs for each role • Service provider due diligence ADDITIONAL DOCUMENTATION REQUIREMENTS

24. • Antivirus definition • Additional application security vectors – e.g. memory scraping • Additional validation testing required for: – Access control and authentication – More flexibility for ‘daily’ log monitoring TECHNICAL UPDATES

25. • SAQ A vs. SAQ A-EP – SAQ A: 14 questions – SAQ A-EP: ~ 150 questions • Of note - a properly formed iFrame can use SAQ-A • All e-commerce providers have to meet all applicable requirements regardless of SAQ form SELF ASSESSMENT QUESTIONNAIRE & E-COMMERCE IMPLICATIONS

26. 3.0 UPDATES EFFECTIVE JULY 1, 2015

27. • In a shared hosting environment, unique authentication credentials to each environment • Physical protection of payment devices • Web application vulnerability testing for broken authentication and session management ACCESS CONTROL & TECHNICAL

28. Pen Testing Special Interest Group (SIG) to release an Information Supplement by the end of 2014 PENETRATION TESTING • Implement a methodology • Emphasis on external AND internal network and application testing • Validate segmentation and scope-reduction controls

29. • Acknowledgement of responsibility from service providers • Define which requirements are managed by service providers and which are managed by the entity SERVICE PROVIDER MANAGEMENT

30. SUMMARY

31. In summary, the PCI DSS is: MATURING

32. In summary, the PCI DSS is: FACILITATING CONSISTENCY

33. In summary, the PCI DSS is: INSISTING CONTINUOUS COMPLIANCE

34. THANK YOU! www.brightline.com/PCI

PCI DSS 3.0 Overview and Key Updates

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie PCI DSS 3.0 Overview and Key Updates

Ähnlich wie PCI DSS 3.0 Overview and Key Updates (20)

Mehr von Schellman & Company

Mehr von Schellman & Company (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

PCI DSS 3.0 Overview and Key Updates