2. What is PCI compliance?
   Critical requirements of PCI compliance
   Problems that companies experience in PCI compliance
   Introduction to Google Apps
   Requirements that organizations fail to meet and how Google Apps can help
3. What is PCI compliance?
Terms
- Payment Card Industry = PCI (Visa, Mastercard, Discover, etc.)
- Data Security Standard = DSS
- Compliance = adherence to the PCI DSS, which is created and revised by the PCI Data Security Council.
The Data Security Council was created by the PCI but acts independently of the member companies.
Adherence is monitored by Qualified Security Assessors for larger payment card processing companies.
4. Critical requirements of PCI compliance
SIX control objectives, and 12 requirements that fulfill the control objectives:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
EXAMPLE: Restrict access to cardholder data on a business need-to-know basis.
5. Introduction to Google Apps
CLOUD COMPUTING TOOL SUITE
- Increases productivity
- Aids document creation and management
- More collaboration
- Improved communication and conferencing
Apps include: GMAIL, GOOGLE DRIVE, GOOGLE DOCS, GOOGLE CALENDAR, GOOGLE HANGOUTS
6. Requirements that organizations fail to meet and how Google Apps can help
Google Apps was not specifically designed to handle credit card transactions, but built-in features of Google Apps can be used to make compliance easier for sensitive data stored or transmitted by a company.
HERE ARE THREE IMPORTANT AREAS . . .
7. #1 Protect cardholder data
Data needs protection during both storage and transmission.
STORAGE
- Google Drive data needs careful management
- Data is not automatically purged
- Third-party software can enable automated management
- Google Vault enables controls over access and retention of emails and stored chats.
TRANSMISSION
- Google Admin allows control over sending of credit card data and can prevent sending of sensitive data and attachments
8. #2 Implement strong access control measures
Admin can define access to specific users and groups on an app or file basis.
STANDARD PRACTICE REQUIRES
- Limiting access to business need only
- Cutting off access immediately for terminated employees
- Ensuring sufficient complexity of passwords
- Ensuring employee awareness of requirements
9. #3 Track and Monitor Access to Cardholder Data
- Admin audit console log allows monitoring of all admin actions by company.
- Regular scans of all data within Google Apps for sensitive data (e.g., credit card numbers).
- Review of transmission of sensitive data within the network to identify security lapses or risks.