2. Introduction
Currently the South Texas Engineering Manager responsible for all IT network and engineering infrastructure in the South Texas segment. Responsibilities include all networking hardware at 100 sites and managing five network engineers
Spent the last 17 years of my career implementing technologies ranging from satellite, microwave, Wi-Fi and telephony to large IP networks
Held a wide range of certifications from CCENT, CCNA, CCNP, CCDA, CWNA, Six Sigma, FCC License, CEH, CHFI and MBA-Technology Management
Constantly increasing my knowledge of security in my spare time by researching the latest information along with preparing for the CISSP and other future certifications
Capstone Project: PCI-DSS Compliance
3. Why Choose PCI Integration?
Been working with PCI compliance for a few years and always wanted a deeper understanding of the requirements
Since nearly all organizations process credit cards as part of their business operations, I determined it was best to fully understand the requirements for future career use
Interest in PCI-DSS covers not only the requirements for compliance but also the best practices of standards such as NIST
With a significant increase in credit card compromises, I wanted to study how past incidents occurred and prepare better defensive models
4. Overview of Problem
Many companies are required to become PCI compliant due to credit card processing but do not have the experience or knowledge
Failure to become PCI compliant affects not only operations but also legal and financial standing through the risk of litigation and fines
Typical technology staff doesn't possess the experience or knowledge to implement PCI requirements
Business priorities are placed ahead of implementing information security
The average business doesn't understand the importance of information security
5. Overview of Problem (cont.)
PCI-DSS covers a wide range of topics which the average technical staff may not be able to fully cover:
1) Building and Maintaining Secure Networks and Systems (Sections 1-2)
2) Protecting Cardholder Data (Sections 3-4)
3) Maintaining a Vulnerability Management Program (Sections 5-6)
4) Implementing Strong Access Control Measures (Sections 7-9)
5) Regular Monitoring and Testing of Networks (Sections 10-11)
6) Maintaining Information Security Policies (Section 12)
6. Project Consistency
Broad explanation of the twelve requirements
Preventative measures against the common challenges organizations are up against when trying to become compliant
Once compliance is acquired, delivering the processes and procedures to maintain approval status
Understanding the legal implications and effects on operations regarding PCI compliance
7. Strategies Used
Analyzed the twelve requirements to determine how to segment similar functions
Wanted to create a phased approach for anyone not familiar with auditing, creating a sequential process to follow
Aimed at removing the complexity of common industry lingo by using verbiage that is easier for less technical personnel to understand
Created a system that can be repeated along with being adjusted to meet the needs of the organization
8. Success in Achieving Project Milestones
Designed a strategy for simple integration by less technical personnel along with those with no prior experience with PCI compliance
Able to create a process that groups similar functions and provides a consistent flow of progress
Created a process that integrated a verification phase which integrates a system of checks to ensure all requirements for auditing are complete
Produced additional information for technology implementation which will give an organization a simple explanation for technical settings and configurations
9. PCI Compliance Phase Approach:
The five phases of the project consist of the following:
Phase-1 (4-6 weeks): Initiation
Phase-2 (8-12 weeks): Implementation
Phase-3 (2-3 weeks): Verification
Phase-4 (4-6 weeks): Auditing
Phase-5 (remaining calendar year): Monitoring and Maintenance
10. Obstacles Encountered
Minor challenges encountered with ensuring the separate modules can be understood by less technical personnel
Additional time used to ensure the material presented has a consistent flow and does not create confusion during implementation
Conducting additional research on a few items to ensure my interpretation of compliance requirements was accurate
Deciphering information presented on the Internet. Some items had personal preference or variance in regards to the actual requirements, which could mislead the average person
11. Topics Learned During Research
A better understanding of the twelve requirements of PCI DSS
Increased knowledge of the computer and auditing requirement portions of compliance
Different perspectives from novices to subject matter experts on PCI compliance
Application of laws and legal repercussions in regards to compliance
12. Topics Learned During Research (cont.)
Public reaction to credit card breaches
New technologies and processes used to counter current threats
Penetration testing procedures for auditing due to changes in version 3.0 requirements
Increased security awareness prior to implementing new networks and systems
Better understanding of PCI compliance as a whole
13. Application To Professional Use
Able to better maintain PCI compliance with a deeper understanding of the requirements
Help create a market-wide program to manage requirements
Increased knowledge of best practices in regards to general infrastructure security
The ability to take large amounts of information (such as PCI or other regulatory requirements) and create a more modular and manageable system of implementation
14. Thank You for your time
Editor's Notes
Provide brief description of past experiences especially in security (maintain credit union network, securing TWC infrastructure)
Explain the reason for selecting PCI Compliance as topic of research:
Interest in the type of compliance standard
Common effort because most companies process credit cards for business operations
PCI covers a wide range of security topics from controls to technical security enhancements
Due to a significant increase in credit card theft and other related security issues
Explain overview of current problem:
Problems with organizations new to compliance standards
Risk of legal liability due to not being compliant
Certain types of organizations unable to become compliant due to knowledge or experience
Business priorities sometimes cause security efforts to be overlooked
Businesses fail to see the need to increase security posture based on cost and resources
Brief explanation of PCI requirements
Discuss project consistency:
Broader explanation of compliance requirements
Prevention measure based on personal experiences
Efforts to continue maintenance and monitoring task once compliance audit is complete
Understanding of legal liabilities and effects on the organization for not being able to process credit cards
Strategies Utilized:
1) Analyze the twelve requirements to formulate a strategy
2) Wanted to create a systematic flow of tasks to lead up to the audit completion
3) Goal was to reduce the complexity of compliance requirements to be understood by less technical or non-technical personnel
4) Create a system that can be used for other similar compliance standards with modifications
Project Milestones:
Strategy designed for simple integration
Created modular approach to completing a mass amount of tasks
Implemented a verification phase which is used to check all work performed prior to auditing
Creation of a document listing the technical settings and configuration
Provide brief explanation of all phases of implementation
Discussed obstacles encountered:
Minor challenge with breaking down requirements into different phases
Additional time to ensure organization had consistent flow of information
Further research to ensure correct interpretation of information
Deciphering Internet information to ensure correct information is being used for research
Discussion on topics learned:
A better understanding of certain requirements with which I had no prior experience
Increased knowledge about auditing process
Noticed a wide range of perspectives regarding PCI compliance
Clearer understanding of legal liability due to being non-compliant
Additional topics learned:
Public reaction to credit card breaches
New methods of threat prevention
Understanding of new penetration testing processes
Increased security awareness
Better understanding of PCI compliance as a whole
Professional applications:
Better understanding of PCI requirements
Assist with market wide initiatives regarding compliance
Increased knowledge of best practices
Able to create a simple strategy from large amounts of information