In this presentation, we discuss common misconceptions and myths that many retailers have about their PCI-DSS compliance obligations and share available solutions for achieving and maintaining PCI compliance. We also outline cyber security solutions that address specific objectives within the PCI compliance requirements.
For additional info, visit https://indefensesecurity.com
15. www.indefensesecurity.com 15
Common Myths & Misconceptions
Misconception: “I don’t process credit cards through my POS system, so I don’t have to follow PCI Compliance requirements.”
Common Attack Vector
The following is an example of a common path of an attack:
Phishing (email link or email attachment) → alters the behavior of a person/user → desktop → malware installation → steal credentials → use of stolen credentials → direct install of malware (backdoor, C2, RAM scraper) on the payment controller / POS terminal → export data
What Exactly Is PCI Compliance?
A set of requirements the merchant must follow to protect cardholder data.
WHO IS THE PCI COUNCIL?
The Payment Card Industry Security Standards Council (PCI-SSC), an organization created by the major credit card companies in an effort to better protect cardholder data.
WHO MAKES THESE REQUIREMENTS?
The PCI-SSC.
WHY DID THEY MAKE THESE REQUIREMENTS?
The PCI-SSC was formed in response to an increase in data security breaches, which not only put customers at risk, but also increase the credit card companies’ costs.
WHO HAS TO BE PCI COMPLIANT?
Anyone who accepts credit cards for payments.
Download the PCI-DSS v3.2 Quick Reference Guide: www.indefensesecurity.com/pci
PCI Compliance: A 50,000 Ft View
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Vulnerability Management
• Strong Access Control
• Monitor and Test Networks
• Information Security Policy
PCI Compliance: On The Ground
Goals and PCI-DSS Requirements
Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration
  2. Do not use vendor-supplied passwords
Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software programs
  6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business ‘need to know’
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel
Vulnerability Scans vs. Penetration Tests
Very clear, distinct differences. . .
VULNERABILITY SCANS: A vulnerability scan looks for weaknesses in the network.
PENETRATION TESTS: A penetration test is an attack on the network that attempts to exploit weaknesses.
Do You Have. . . WRITTEN SECURITY POLICIES AND PROCEDURES for your organization?
Do You . . . PROVIDE SECURITY TRAINING FOR EMPLOYEES on security best practices, procedures and awareness?
Do You . . . PROVIDE AWARENESS TRAINING FOR EMPLOYEES on how to recognize phishing attempts and social engineering?
Wake-Up Call: Non-Compliance Fines
Credit Card Institutions: may levy fines and propose a timeline of “increasing fines”.
Banks: from $5,000 to $500,000, based on forensic research to remediate non-compliance.
Example: Time-Cost Schedule - VISA:
Month(s)   Level 1        Level 2
1 to 3     $10,000/mo.    $5,000/mo.
4 to 6     $50,000/mo.    $25,000/mo.
7 and on   $100,000/mo.   $50,000/mo.
Our Services
Our comprehensive, centrally managed security solutions help organizations simplify their security operations with a complete suite of security safeguards, products and services.
• DATA LOSS PREVENTION
• PCI COMPLIANCE CONSULTING
• PCI-QIR POS VALIDATION (VISA Merchant Req.)
• MANAGED SECURITY
• PENETRATION TESTING (PCI-DSS Req. 11.3)
• VULNERABILITY ASSESSMENTS (PCI-DSS Req. 11.2)
• POLICY & PROCEDURE MANAGEMENT (PCI-DSS Req. 12)
• SECURITY AWARENESS TRAINING (PCI-DSS Req. 12.6)
• CYBER RISK ASSESSMENTS
NIST Cyber Security Framework Is Our Philosophy
IDENTIFY: Identify critical assets that need to be protected.
PROTECT: Protect those assets to limit impact.
DETECT: Be able to accurately detect security problems.
RESPOND: Be ready to respond if you have an incident.
RECOVERY: Be prepared to recover from an incident.
Annual Security Model
A well-established security model works with each stage of the NIST Cyber Security Framework. Its three stages are Discovery, Action Plan, and Education & Awareness.
NETWORK MANAGEMENT & SECURITY
Action Plan For Network Security
• Firewall Management
• Network Traffic Monitoring
• Network Protocol Security Review
• Server Security Review
• DNS Filtering / Monitoring
• Security Log Monitoring
• Mobile Infrastructure Management
• Data Loss Prevention (DLP)
• Data In Transit Monitoring
• Data At Rest Monitoring
• Backup / Disaster Recovery
SECURITY AWARENESS TRAINING
Action Plan For Security Training
• Mobile Device Security
• Password Management
• Executive Security Awareness
• Breach Planning
• Email Phishing Security Tests
• Ransomware / Malware
• Credit Card Security Awareness
• Social Engineering Dangers
• Safe Web Browsing
Action Plan For Security Policy Development
We provide assistance in developing the necessary security policies and education programs needed to meet HR, insurance, legal and regulatory requirements.
CYBER RISK ASSESSMENTS: an executive summary of your overall security posture.
Discovery Tasks:
• Risk Score
• Issue Summary
• Internet Speed Test
• Asset Summary
• Server Aging
• Workstation Aging