Scoping and Controls for PCI DSS
By Manish Mahapatra
PCI DSS and its applicability
• The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by the Payment Card Industry Security Standards Council (PCI SSC) for protecting the card ecosystem.
• The PCI SSC body was created by the payment brands (Visa, MasterCard, AMEX, JCB and Discover), and they drive the implementation of the standard across the globe.
• Any entity that processes, stores or transmits the full card number needs to comply with all the PCI DSS controls. The entity can be a small brick-and-mortar merchant, an e-commerce site or a bank; if it processes, stores or transmits the full card number, it needs to comply with PCI DSS.
PCI DSS Scoping – Applications
• This slide describes how an application comes under the purview of PCI DSS.
• In scope – If the application processes, stores or transmits the full card number at any point in time, then the application falls under the PCI DSS scope.
  ◦ An application can receive the card number as part of transaction processing, the settlement process or when querying a transaction.
• Out of scope – An application is out of scope if it only ever receives a truncated card number.
  ◦ A card number is truncated if only a few of its digits are visible while the remaining digits are marked with ‘X’ or replaced with any other character.
  ◦ As per the PCI DSS requirement, only the first 6 and last 4 digits of the card number can be displayed; the middle six digits must be truncated. It is acceptable to also truncate the first 6 and last 4 digits, but the middle six must be truncated in every case.
  ◦ If the application receives the full 16-digit card number and truncates it only at storage time, the application still comes under the PCI DSS scope, because it processed the full number.
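The truncation rule on this slide, as an added Python example that is not part of the original deck: it masks a card number so that at most the first 6 and last 4 digits remain visible, and classifies a stored value as a full card number (in scope), a correctly truncated one, or one that exposes more digits than the rule permits. The function names are this example's own, and it generalises the slide's 16-digit case to 13-19 digit numbers; the card numbers used are standard industry test numbers, not real cards.

```python
"""Added example, not from the original deck: applies the slide's truncation rule
(only the first 6 and last 4 digits may be shown; every other digit is masked)
and classifies a stored value as full, truncated, or over-exposed.
Function names are this example's own; it generalises the slide's 16-digit
case to 13-19 digit numbers. Card numbers below are industry test numbers."""
import re

MASK_CHAR = "X"
FIRST_MAX, LAST_MAX = 6, 4      # the most the slide allows to be displayed

def truncate_pan(pan, show_first=FIRST_MAX, show_last=LAST_MAX):
    """Return the card number with everything but the permitted leading and
    trailing digits replaced by MASK_CHAR. Callers may show fewer digits than
    the maximum, never more."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number length")
    show_first = min(show_first, FIRST_MAX)
    show_last = min(show_last, LAST_MAX)
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + MASK_CHAR * hidden + digits[len(digits) - show_last:]

def classify(value):
    """Classify a stored value:
      'full'         - 13-19 digits only, i.e. a full card number (in scope)
      'truncated'    - at most 6 leading and 4 trailing digits, rest masked
      'over-exposed' - masked, but more digits visible than the rule allows
      'other'        - not a card-number-shaped value at all"""
    compact = re.sub(r"[\s-]", "", value)
    if not 13 <= len(compact) <= 19:
        return "other"
    if compact.isdigit():
        return "full"
    if re.fullmatch(r"\d{0,6}\D+\d{0,4}", compact):
        return "truncated"
    if re.search(r"\d", compact) and re.search(r"\D", compact):
        return "over-exposed"
    return "other"

if __name__ == "__main__":
    for v in ("4111 1111 1111 1111", "411111XXXXXX1111", "4111111XXXXX1111", "order-10231"):
        print(f"{v!r:24} -> {classify(v)}")
    print(truncate_pan("4111111111111111"))
```

The `over-exposed` class is the one worth alerting on during a scoping review: a value such as `4111111XXXXX1111` looks masked but shows seven leading digits, so under the slide's rule it must be treated like a full card number.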
PCI DSS Scoping – Network and Servers
• This slide describes how servers and the network fall under the PCI DSS scope.
• In scope (servers) – If a server processes, stores or transmits the full card number, then the server falls under the PCI DSS scope.
  ◦ If a server is deployed in the same V-LAN as another server that processes, stores or transmits the full card number, then that V-LAN or network segment, with all the servers deployed in it, comes under the purview of the PCI DSS scope.
  ◦ For example, consider V-LAN 101, which has around 50 servers. If one of the 50 servers processes, transmits or stores the full card number, then all 50 servers come under the purview of the PCI DSS scope.
• In scope (support servers) – Any support server, such as an AV server, NTP server or domain server, that provides a supporting function to the PCI DSS scoped servers also comes under the purview of the PCI DSS scope.
PCI DSS Scoping – Network and Servers
• This slide describes the measures for reducing the PCI DSS scope.
• Scoping out – The following measures reduce the PCI DSS scope:
  ◦ Create a dedicated V-LAN for PCI scoped servers (servers processing, transmitting or storing the card number).
  ◦ Deploy all the PCI scoped servers within the PCI V-LAN.
  ◦ Restrict inter-V-LAN routing and deploy IP- and port-based ACLs (Access Control Lists) for all incoming and outgoing traffic.
  ◦ Use a jump server with two-factor authentication for accessing it, and restrict access to the PCI scoped servers so that it is possible only from the jump server.
  ◦ Create a dedicated V-LAN for the following segment:
    ◦ A support V-LAN for support servers such as AV, domain and NTP servers.
    ◦ Allow inbound and outbound traffic to the PCI server V-LAN from these V-LANs, and deny all other inbound and outbound traffic.
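The scoping rules of the two "Network and Servers" slides (a card-handling server is in scope, every server sharing its V-LAN is in scope, and support servers serving in-scope servers are in scope), followed by the scope reduction that a dedicated PCI V-LAN achieves, as an added Python example that is not part of the original deck. The server names, V-LAN ids and support relationships are constructed sample data, and the function names are this example's own.

```python
"""Added example, not from the original deck: applies the scoping rules from the
two slides above to a constructed server inventory, then shows how moving the
card-handling server into a dedicated PCI V-LAN shrinks the scope.

Rules, exactly as the slides state them:
  1. a server that processes, stores or transmits the full card number is in scope;
  2. every other server in the same V-LAN as such a server is in scope;
  3. a support server (AV, NTP, domain) serving an in-scope server is in scope.
Server names, V-LAN ids and support relationships are constructed data."""
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Server:
    name: str
    vlan: int
    handles_pan: bool = False           # processes, stores or transmits the full card number
    supports: frozenset = frozenset()   # names of servers this host provides a service to

def pci_scope(inventory):
    """Return {server name: reason} for every server that is in PCI DSS scope."""
    reasons = {}
    for s in inventory:                                   # rule 1
        if s.handles_pan:
            reasons[s.name] = "processes, stores or transmits the full card number"
    pan_vlans = {s.vlan for s in inventory if s.handles_pan}
    for s in inventory:                                   # rule 2
        if s.name not in reasons and s.vlan in pan_vlans:
            reasons[s.name] = f"deployed in V-LAN {s.vlan} alongside a card-handling server"
    scoped = set(reasons)
    for s in inventory:                                   # rule 3
        served = s.supports & scoped
        if s.name not in reasons and served:
            reasons[s.name] = "support server for " + ", ".join(sorted(served))
    return reasons

def move_to_vlan(inventory, names, vlan):
    """Re-home the named servers into another V-LAN (the 'dedicated PCI V-LAN' step)."""
    return [replace(s, vlan=vlan) if s.name in names else s for s in inventory]

ALL = frozenset({"pay-app-01", "web-02", "file-03", "hr-01"})
INVENTORY = [                      # constructed: one card-handling server in a shared V-LAN
    Server("pay-app-01", vlan=101, handles_pan=True),
    Server("web-02", vlan=101),
    Server("file-03", vlan=101),
    Server("hr-01", vlan=200),
    Server("av-01", vlan=300, supports=ALL),
    Server("ntp-01", vlan=300, supports=ALL),
]
# The first two scoping-out measures: a dedicated V-LAN holding only the PCI scoped server
DEDICATED = move_to_vlan(INVENTORY, {"pay-app-01"}, 150)

if __name__ == "__main__":
    for label, inv in (("flat V-LAN 101", INVENTORY), ("dedicated PCI V-LAN 150", DEDICATED)):
        scope = pci_scope(inv)
        print(f"{label}: {len(scope)} of {len(inv)} servers in scope")
        for name, why in sorted(scope.items()):
            print(f"  {name:12} {why}")
```

With the flat layout, five of the six servers are in scope (only `hr-01` in V-LAN 200 escapes); after the card-handling server is moved into its own V-LAN, only that server and the two support servers remain, which is the reduction the slide is after. The support servers stay in scope in both layouts, so the support V-LAN still needs the ACLs and controls the slide lists.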
PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number:
  ◦ Password policy – A 7-character alphanumeric password with a maximum age of 90 days, a password history of the 4 previous passwords, account lockout after 6 invalid login attempts with a lockout period of 30 minutes, and a session timeout of 15 minutes.
  ◦ User access control –
    ◦ Zero privileges or permissions when creating a new user or role.
    ◦ An option for granting permission to view the full card number; this permission can be granted only to an individual user, not to a role.
    ◦ User passwords need to be hashed using either the SHA-256 or the SHA-512 hashing algorithm.
  ◦ Audit trails –
    ◦ All successful and unsuccessful login attempts to the application.
    ◦ All actions taken by the application administrator.
    ◦ Any system-object-level changes made by the application.
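The password policy and login audit trail on this slide, as an added Python example that is not part of the original deck: a small account model that enforces the slide's numbers (7-character alphanumeric password, 90-day maximum age, history of the last 4 passwords, lockout after 6 invalid attempts for 30 minutes, 15-minute session timeout) and records every successful and unsuccessful login as an audit event. Passwords are stored as salted SHA-256 digests because the slide specifies SHA-256 or SHA-512; the class and function names, user name and timestamps are this example's own.

```python
"""Added example, not from the original deck: enforces the slide's password
policy numbers and records the login audit trail it asks for. Passwords are
stored as salted SHA-256 digests (the slide specifies SHA-256 or SHA-512).
Names, user names and timestamps are this example's own."""
import hashlib
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 4
MAX_FAILED = 6
LOCKOUT = timedelta(minutes=30)
SESSION_IDLE = timedelta(minutes=15)

def hash_password(password, salt=None):
    """Salted SHA-256; returns (salt, hex digest). A fresh salt per password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def meets_complexity(password):
    """At least 7 characters, containing both letters and digits."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))

class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.history = []            # (salt, digest) pairs, newest last
        self.failed = 0
        self.locked_until = None
        self.last_activity = None
        self.audit = []              # (time, user, event): the slide's audit trail
        self.set_password(password, now)

    def _matches(self, password, entry):
        salt, digest = entry
        return hash_password(password, salt)[1] == digest

    def set_password(self, password, now):
        if not meets_complexity(password):
            raise ValueError("password must be at least 7 characters and alphanumeric")
        if any(self._matches(password, e) for e in self.history[-HISTORY_DEPTH:]):
            raise ValueError("password matches one of the last 4 passwords")
        self.history.append(hash_password(password))
        self.password_set_at = now
        self.audit.append((now, self.username, "password_changed"))

    def login(self, password, now):
        if self.locked_until is not None:
            if now < self.locked_until:
                self.audit.append((now, self.username, "login_rejected_locked"))
                return False
            self.failed, self.locked_until = 0, None      # lockout period has elapsed
        if not self._matches(password, self.history[-1]):
            self.failed += 1
            self.audit.append((now, self.username, "login_failed"))
            if self.failed >= MAX_FAILED:
                self.locked_until = now + LOCKOUT
                self.audit.append((now, self.username, "account_locked"))
            return False
        if now - self.password_set_at > MAX_AGE:
            self.audit.append((now, self.username, "login_rejected_password_expired"))
            return False
        self.failed, self.last_activity = 0, now
        self.audit.append((now, self.username, "login_success"))
        return True

    def session_active(self, now):
        return self.last_activity is not None and now - self.last_activity <= SESSION_IDLE

def run_scenario():
    """Walk one constructed account through the policy; returns what happened."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("clerk01", "Summer2024", t0)
    out = {}
    for key, pw in (("weak_rejected", "short1"), ("reuse_rejected", "Summer2024")):
        try:
            acct.set_password(pw, t0)
            out[key] = False
        except ValueError:
            out[key] = True
    for i in range(MAX_FAILED):                          # six wrong passwords, one per minute
        acct.login("wrongpass1", t0 + timedelta(minutes=i))
    out["locked_after_six"] = acct.locked_until is not None
    out["correct_password_while_locked"] = acct.login("Summer2024", t0 + timedelta(minutes=10))
    out["login_after_lockout"] = acct.login("Summer2024", t0 + timedelta(minutes=40))
    out["session_live_at_14_min"] = acct.session_active(t0 + timedelta(minutes=54))
    out["session_dead_at_16_min"] = not acct.session_active(t0 + timedelta(minutes=56))
    out["expired_after_91_days"] = not acct.login("Summer2024", t0 + timedelta(days=91))
    out["audit_events"] = len(acct.audit)
    return out

if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:32} {v}")
```

Note that the correct password is rejected while the account is locked and that the lockout clears on its own once 30 minutes have passed; every outcome, including the rejections, lands in the audit list, which is what the "all successful and unsuccessful login attempts" bullet requires.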
PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number:
  ◦ Encryption and key management –
    ◦ In case the application stores the card number (the full 16 digits), the application should encrypt it using AES with a 128-bit or longer key, 3-DES, or RSA with a 1024-bit or longer key.
    ◦ The application should use the controls specified in PCI DSS Requirements 3.5 and 3.6 for managing the encryption keys.
  ◦ Secure code review –
    ◦ For every major change to the application, the client needs to conduct a secure code review using the OWASP secure code review guide as a reference.
    ◦ In case of minor changes, conduct the secure code review on an annual basis.
  ◦ Application penetration testing following the OWASP Testing Guide –
    ◦ If the application has a web interface or makes web-service calls, conduct web application penetration testing of the web interface and web services on a bi-annual basis, following the OWASP Testing Guide.
PCI DSS Controls – Servers
• This slide describes the list of controls to be deployed on the servers:
  ◦ Hardening – The client needs to harden the servers based on industry best practice. Hardening should be carried out for database and web servers as well.
  ◦ Deploy AV – An AV solution needs to be deployed on all the PCI scoped servers and configured to run a full system scan on a weekly basis.
  ◦ Deploy a File Integrity Monitoring (FIM) solution – The FIM solution should monitor any changes made to system configuration files and application configuration files.
  ◦ Configure NTP – Servers should be configured for time synchronization from a central NTP server.
  ◦ Configure the audit trails – Servers should be configured to generate all types of logs and audit trails and to push them to a central log server.
  ◦ Monthly patching – The client should have a process for patching the servers on a monthly basis; it should not be restricted to OS patches but should cover application and application library patches as well.
  ◦ Quarterly vulnerability assessment scans – The client needs to conduct a credentialed vulnerability assessment scan using either Nessus or Qualys Guard on a quarterly basis.
PCI DSS Controls – Infrastructure
• This slide describes the list of controls to be deployed in the infrastructure:
  ◦ Create a demilitarized zone (DMZ) – Create a PCI DMZ for deploying all PCI scoped web servers.
  ◦ Deploy an Intrusion Prevention System (IPS) – Deploy an IPS to monitor both incoming and outgoing traffic of the PCI scoped server segment.
  ◦ Deploy a centralized log server and a log monitoring process –
    ◦ Logs and audit trails from all applications, servers and network components need to be pushed to a central log server.
    ◦ A log monitoring solution needs to be deployed to generate security alerts.
  ◦ Deploy a centralized AV console and patch management system – The AV solution and the patch management system need to be centralized solutions.
PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS compliance:
  ◦ A change management process covering any change to:
    ◦ Firewall rules
    ◦ Network component configuration
    ◦ Servers
    ◦ Applications (application-level changes)
  ◦ Hardening guidelines for system and network components, such as:
    ◦ Hardening the server OS
    ◦ Hardening other applications deployed on the server, such as the database, web server, etc.
    ◦ Hardening the network components
PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS compliance:
  ◦ Incorporate security controls into the Software Development Life Cycle (SDLC) for developing internal applications.
  ◦ A process for reviewing the user lists in the domain, applications and network components on a quarterly basis.
  ◦ A process for conducting a risk assessment on an annual basis for all processes and environments handling the card number.
  ◦ A process for conducting an internal information security awareness and training program on an annual basis.
  ◦ A card finder tool should be run on a quarterly basis on all the servers to identify all the locations where card numbers are getting captured.
  ◦ A credentialed internal vulnerability assessment should be conducted on a quarterly basis.
  ◦ An internal pen-test should be conducted on a bi-annual basis.
PCI DSS Controls – Desktops
• This slide describes the list of controls to be deployed for user desktops that process the card number:
  ◦ The user desktops cover all client personnel who will be entering or viewing the full card number (for example, the finance or collections department).
  ◦ The desktops should have a DLP solution deployed.
  ◦ Card finder tools should be run on a quarterly basis to identify whether card numbers are getting captured.
  ◦ Internet access should be restricted to a few whitelisted URLs.
  ◦ Desktops should be configured to generate audit trails / logs and push them to a central log server.
  ◦ Other solutions such as AV, FIM and VAPT (vulnerability assessment) need to be deployed.
  ◦ The user V-LAN or network segment will come under the purview of the PCI DSS scope, and all PCI DSS controls such as AV, VAPT, FIM and audit trails need to be configured on all the systems deployed in that V-LAN or network segment.
Steps for confirming the PCI Scope
• This slide details the next set of steps to be taken by the client for determining the PCI DSS scope:
  ◦ Run a card finder tool – The client needs to run card finder tools on all the servers and desktops across the client network. The objective of running the card finder tool is to identify all the locations (for example Excel sheets, log files, databases, etc.) where full card numbers are getting stored.
  ◦ Analyze to terminate or to include – Analyze each location where full card numbers are getting stored and confirm the following:
    ◦ The source from which the location is receiving the full card number.
    ◦ Whether the full card number is required, or whether a truncated card number will suffice.
    ◦ Please note that in 99.99% of cases the full card number will not be required. If any user or business function requires the full card number, then confirm the following with them:
      ◦ When they last used the full card number.
      ◦ Whether they can use any other data apart from the full card number for the business function.
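The card finder step this slide describes (and the quarterly card finder runs the process-control and desktop slides call for), as an added Python example that is not part of the original deck: a minimal scanner that looks for full card numbers in file contents, screens candidates with the Luhn check so order ids and timestamps are not reported, skips values that are already truncated, and reports each location by file and line while printing only the truncated form of what it found. The file names, contents and function names are constructed for this example; the card numbers are standard industry test numbers, not real cards.

```python
"""Added example, not from the original deck: a minimal card-finder for the
discovery step the slide describes. It scans file contents for full card
numbers (13-19 digits, optionally grouped by spaces or hyphens, passing the
Luhn check), reports each location by file and line, and records only the
truncated form so the scan report does not itself become a store of card
numbers. Values already truncated with 'X' are skipped. File names, contents
and function names are constructed; the card numbers are industry test numbers."""
import re

# 13-19 digits, each optionally followed by one space or hyphen,
# not glued to further digits or to mask characters on either side
CANDIDATE = re.compile(r"(?<![\dX])(?:\d[ -]?){12,18}\d(?![\dX])")

def luhn_valid(digits):
    """Mod-10 check that card numbers satisfy; screens out order ids, dates, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate(digits):
    """First 6 and last 4 digits only, as the scoping slides permit."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return [(line number, truncated card number)] for every full card number in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((lineno, truncate(digits)))
    return hits

def scan_files(files):
    """files: {path: content}. Returns {path: hits} for the files holding full card numbers."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report

SAMPLE_FILES = {   # constructed: an export sheet, a gateway log and an unrelated document
    "exports/refunds-2024-03.csv":
        "order_id,card,amount\n"
        "10231,4111111111111111,49.90\n"
        "10232,411111XXXXXX1111,12.00\n",
    "logs/gateway.log":
        "2024-03-05T10:14:02Z INFO auth ok pan=5500 0000 0000 0004 amt=12.00\n"
        "2024-03-05T10:15:10Z INFO auth ok token=tok_7c2f9a0b4e amt=30.00\n",
    "docs/readme.txt":
        "Invoice number 12345678901234 is not a card number (it fails the Luhn check).\n",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for lineno, masked in hits:
            print(f"{path}:{lineno}: full card number found ({masked})")
```

Each hit gives exactly the information the next step on the slide needs: the location, and from the surrounding line the source that fed it (an export job, a gateway log). The gateway log line is the kind of finding that usually leads to "terminate" rather than "include", since the gateway already has the number and the log only needs a token or the truncated form.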
Steps for confirming the Scope
• This slide details the next set of steps to be taken by the client for determining the PCI DSS scope:
  ◦ Finalize the locations – Finalize all the locations where the full card number is required to be processed, stored or transmitted. Please note that if the full card number is received and the application only stores the truncated card number, then that system will still be in the PCI DSS scope.
  ◦ Based on the above step, identify and finalize all the servers and user desktops within the client network that process, store or transmit the full card number.
  ◦ The V-LAN or network segment in which these servers and user desktops are deployed will come under the PCI DSS scope, including all the servers and user desktops deployed in the scoped V-LANs / network segments.
Thank You!
Manish M
Cyber Security Training Provider
Manish.cor@gmail.com
Contact: +91-9036350000
LinkedIn: https://www.linkedin.com/in/manishmahapatra
Join my group on https://www.linkedin.com/groups/6517220 for more updates.

Weitere ähnliche Inhalte

Was ist angesagt?

Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerGulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
ManageEngine, Zoho Corporation
 

Was ist angesagt? (20)

PCI DSS ASV Scanning from Nettitude
PCI DSS ASV Scanning from NettitudePCI DSS ASV Scanning from Nettitude
PCI DSS ASV Scanning from Nettitude
 
TRT - Plate Spin Presentation
TRT - Plate Spin PresentationTRT - Plate Spin Presentation
TRT - Plate Spin Presentation
 
24 by 7 NOC service for MSPs
24 by 7 NOC service for MSPs24 by 7 NOC service for MSPs
24 by 7 NOC service for MSPs
 
DCMS AKCP Product Presentation
DCMS AKCP Product PresentationDCMS AKCP Product Presentation
DCMS AKCP Product Presentation
 
Monitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManagerMonitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManager
 
Rest Solution : NOC-as-a-service
Rest Solution : NOC-as-a-serviceRest Solution : NOC-as-a-service
Rest Solution : NOC-as-a-service
 
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
 
Data center
Data centerData center
Data center
 
NOC Service desk
NOC Service deskNOC Service desk
NOC Service desk
 
Tatanet Corporate Presentation
Tatanet Corporate PresentationTatanet Corporate Presentation
Tatanet Corporate Presentation
 
Cybernetyx introduction
Cybernetyx introductionCybernetyx introduction
Cybernetyx introduction
 
How to create effective NOC in Poland
How to create effective NOC in PolandHow to create effective NOC in Poland
How to create effective NOC in Poland
 
Monitoring a Dynamics CRM Infrastructure
Monitoring a Dynamics CRM InfrastructureMonitoring a Dynamics CRM Infrastructure
Monitoring a Dynamics CRM Infrastructure
 
IT Security: Eliminating threats with effective network & log analysis
IT Security: Eliminating threats with effective network & log analysisIT Security: Eliminating threats with effective network & log analysis
IT Security: Eliminating threats with effective network & log analysis
 
Overview OpManager
Overview OpManagerOverview OpManager
Overview OpManager
 
Network Operations Center
Network Operations CenterNetwork Operations Center
Network Operations Center
 
24/7 outsourced noc services
24/7 outsourced  noc services24/7 outsourced  noc services
24/7 outsourced noc services
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration Manager
 
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerGulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
 
Proof of Concept Guide for ManageEngine OpManager
Proof of Concept Guide for ManageEngine OpManagerProof of Concept Guide for ManageEngine OpManager
Proof of Concept Guide for ManageEngine OpManager
 

Ähnlich wie PCI DSS Scoping and Applicability

Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 

Ähnlich wie PCI DSS Scoping and Applicability (20)

PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Pci dss intro v2
Pci dss intro v2Pci dss intro v2
Pci dss intro v2
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS v3.2 Implementation - Bliss or Nightmare
PCI DSS v3.2 Implementation - Bliss or NightmarePCI DSS v3.2 Implementation - Bliss or Nightmare
PCI DSS v3.2 Implementation - Bliss or Nightmare
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

PCI DSS Scoping and Applicability

  • 1. Scoping and Controls for PCI DSS By Manish Mahapatra
  • 2. By Manish Mahapatra PCI DSS and it’s applicability • Payment Card Industry Data Security Standard (PCI DSS) is an Information Security Standard created by Payment Card Industry Security Standard Council (PCI SSC) for protecting the card eco-system. • PCI SSC body was created by the Payment Brands (VISA , MasterCard, AMEX, JCB and Discover) and they drive the implementation of the standard across the globe. • Any entity which Process, Store OR Transmit the full card number, needs to comply with all the PCI DSS controls. The entity can be a small brick and store merchant or an e-commerce site or a bank, but if they process, store or Transmit the full card number, then all of them needs to comply with PCI DSS.
  • 3. By Manish Mahapatra PCI DSS Scoping – Applications • This slide describes on how an Application come under the purview of PCI DSS • In-scope – If the application process, store or transmit the full card number at any point of time, then the application fall under the PCI DSS scope. ◦ Application can receive the card number as part of transaction processing, settlement process or as part of querying a transaction. • Out of scope – An application is out of scope, if it only receives the truncated card number. ◦ A card number is truncated, if only few of the digits are visible while the rest of the digits are marked with ‘X’ or replaced with any character. ◦ As per PCI DSS requirement, only the first 6 digits and last 4 digits of the card number can be displayed, while the middle six digits needs to be truncated. It is ok for truncating the first 6 and last 4 digits, but the middle six needs to be truncated always. ◦ If the application receives the full 16-digit card number and then truncates it during storage, then the application comes under the PCI DSS scope.
  • 4. By Manish Mahapatra PCI DSS Scoping – Network and Servers • This slide describes how Servers and Network falls under PCI DSS scope – • In-Scope (Servers) – If the server process, store or transmit the full card number, then the server falls under the PCI DSS scope. ◦ OR if the server is deployed in the same V-LAN where another server which process, store or transmit the full card number, then the V-LAN or network segment with all the servers deployed in the V-LAN, comes under the purview of PCI DSS scope. ◦ For example, consider V-LAN 101 which has around 50 servers. If one of the 50 servers, process, transmit or store the full card number, then the entire 50 servers comes under the purview of PCI DSS scope. • In-Scope (Support Servers) – Any support servers like AV server, NTP server, domain server which provides supporting function to the PCI DSS scoped servers, will also come under the purview of PCI DSS scope.
  • 5. By Manish Mahapatra PCI DSS Scoping – Network and Servers • This slide describes the measures for reducing the PCI DSS scope - • Scoping out – Using the following measures one can reduce the PCI DSS scope – ◦ Create a dedicate V-LAN for PCI scoped servers (Servers processing, transmitting or storing card number) ◦ Deploy all the PCI scoped servers within the PCI V-LAN ◦ Restrict inter V-LAN routing and deploy IP and port based ACL (Access Control List) for all in-coming and out-going traffic ◦ A jump server and two-factor authentication for accessing the jump server, and restricting access to PCI scoped servers from the jump server only ◦ Create dedicated V-LAN for the following segment – ◦ Support V-LAN for support serves like AV, Domain, NTP, etc.. ◦ Allow inbound and outbound traffic to PCI server V-LAN from these V-LAN, and deny all other in-bound and out-bound traffic.
  • 6. By Manish Mahapatra PCI DSS Controls – Application • This slide describes the list of controls to be deployed for applications processing, storing or transmitting card number - ◦ Password policy – 7 character alpha-numeric password with maximum age of 90 days, password history of 4 previous passwords, account lock out after 6 in-valid login attempts with a lock out period of 30 minutes and session time out of 15 minutes. ◦ User access control – ◦ Zero privilege or permission while creating a new user or role ◦ Option for giving permission for viewing full card number and permission for viewing full card number can be granted to a user and not to a role ◦ User passwords needs to be hashed using either SHA-256 or SHA-512 hashing algorithm ◦ Audit trails – ◦ All successful and unsuccessful login attempts to the application ◦ All actions taken by the application administrator ◦ Any system object level changes made by the application
  • 7. By Manish Mahapatra PCI DSS Controls – Application • This slide describes the list of controls to be deployed for applications processing, storing or transmitting card number - ◦ Encryption and Key Management – ◦ In-case the application stores the card number (full 16-digit) then the application should use either AES-128 bit or above, 3-DES or RSA – 1024 bit or above encryption algorithm for encrypting the card number ◦ Application should use the controls specified in PCI DSS Requirement 3.5 and 3.6 for managing the encryption keys ◦ Secure Code Review – ◦ For every major change to the application, Client needs to conduct a secure code review following the OWASP secure code review guide as reference. ◦ In-case of minor changes, then conduct the secure code review on an annual basis ◦ Application penetration testing following OWASP Testing Guide – ◦ If the application has a web interface or have web-service call, then web application penetration testing for the web interface and web-service, on a bi-annual basis following the OWASP Testing Guide
  • 8. By Manish Mahapatra PCI DSS Controls – Servers • This slide describes the list of controls to be deployed on the Servers – ◦ Hardening – Client needs harden the server based on industry best practice. Hardening should be carried out for database and web servers as well. ◦ Deploy AV – AV solutions needs to be deployed on all the PCI scoped server and should be configured for running a full system scan on a weekly basis. ◦ Deploy File Integrity Monitoring (FIM) solution – FIM solution should be deployed for monitoring any changes made to system configuration file and application configuration file ◦ Configure NTP – Server should be configured for time synchronization from a central NTP server ◦ Configure the audit trails – Server should be configured for generating all types of logs and audit trails, and pushing the same to a central log server ◦ Monthly patching – Client should have a process of patching up the servers on a monthly basis and it should not be restricted to just OS patches, but should cover application and application library patches as well ◦ Quarterly Vulnerability Assessment Scans – Client needs to conduct a credential based vulnerability assessment scan using either Nessus or Qualys Guard on a quarterly basis
  • 9. By Manish Mahapatra PCI DSS Controls – Infrastructure • This slide describes the list of controls to be deployed at the infrastructure – ◦ Create de-militarized zone (DMZ) – Create a PCI DMZ for deploying all PCI scope web servers ◦ Deploying Intrusion Prevention System (IPS) – Deploy IPS for monitoring both incoming and outgoing traffic from the PCI scoped server segment ◦ Deploying a Centralized log server and log monitoring process – ◦ Logs and audit trail from all applications, servers and network components needs to be pushed to a central log server ◦ A log monitoring solutions needs to be deployed for generating security alerts ◦ Deploying Centralized AV console and patch management system – The AV solution and patch management system needs to be a centralized solution
10. PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS –
◦ Change Management Process for making any changes at –
  ◦ Any firewall rule change
  ◦ Any change to the network component configuration
  ◦ Any change to the server
  ◦ Any application level change
◦ Hardening guidelines for hardening system and network components, like –
  ◦ Hardening the server OS
  ◦ Hardening other applications deployed on the server, like database, web server, etc.
  ◦ Hardening the network components
11. PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS –
◦ Incorporate security controls into the Software Development Life Cycle (SDLC) for developing internal applications.
◦ Process of reviewing the user list in the Domain, applications and network components on a quarterly basis.
◦ Process of conducting a risk assessment on an annual basis for all processes and environments handling card numbers.
◦ Process for conducting an internal information security awareness and training program on an annual basis.
◦ A card finder tool should be run on a quarterly basis on all the servers to identify all the locations where card numbers are getting captured.
◦ A credential-based internal vulnerability assessment should be conducted on a quarterly basis.
◦ An internal pen-test should be conducted on a bi-annual basis.
12. PCI DSS Controls – Desktops
• This slide describes the list of controls to be deployed for user desktops which process card numbers –
◦ The user desktops cover all client personnel who will be entering or viewing the full card number (like the finance or collection department).
◦ The desktops should have a DLP solution deployed.
◦ Card finder tools should be run on a quarterly basis to identify whether card numbers are getting captured or not.
◦ Internet access should be restricted to a few whitelisted URLs.
◦ Desktops should be configured for generating the audit trails / logs and pushing the same to a central log server.
◦ Other solutions like AV, FIM and VAPT (Vulnerability Assessment) need to be deployed.
◦ The user VLAN or network segment will come under the purview of PCI DSS scope, and all PCI DSS controls like AV, VAPT, FIM and audit trails need to be configured on all the systems deployed in that VLAN or network segment.
13. Steps for confirming the PCI Scope
• This slide details the next set of steps to be taken by Client for determining the PCI DSS Scope –
◦ Run Card Finder Tool – Client needs to run card finder tools on all the servers and desktops across the Client network. The objective of running the card finder tool is to identify all the locations (maybe Excel sheets, log files, databases, etc.) where full card numbers are getting stored.
◦ Analyze to terminate or to include – Analyze each location where full card numbers are getting stored and confirm the following –
  ◦ The source from where the location is receiving the full card number
  ◦ Whether the full card number is required or whether only the truncated card number will suffice
  ◦ Please note that in 99.99% of cases, the full card number will not be required. If any user or business function requires the full card number, then confirm the following from them –
    ◦ When they last used the full card number
    ◦ Whether they can use any other data apart from the full card number for the business function
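Slides 11, 12 and 13 all rely on a "card finder tool" without describing what it does. The following is an added example, not the deck's tool or any commercial product: it walks a directory, pulls out 13 to 19 digit candidates (allowing single space or dash separators), keeps only those that pass the Luhn check, and reports each hit with the number truncated to first 6 / last 4 so the scan report does not itself become a new store of full card numbers. The file extensions scanned, the candidate regex, the sample files and the report shape are assumptions; the sample numbers are well-known published test card numbers, not real accounts, and a production tool would also have to query databases and open spreadsheets rather than only text files.

```python
"""
Card finder (PAN discovery) scan (added example, not the deck's own tool).
Walks a directory, extracts digit runs that look like card numbers, filters
them with the Luhn check, and reports hits with the PAN truncated to
first 6 / last 4. Extensions, regex, sample files and output are assumptions.
"""
import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (assumed heuristic; real tools add brand prefix checks)
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml", ".sql"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """Keep first 6 and last 4; PCI DSS allows at most this much to be displayed."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_pans_in_text(text: str):
    """Yield (line_number, truncated_pan) for every Luhn-valid candidate."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                yield lineno, truncate_pan(digits)


def scan_directory(root: Path) -> list:
    """Return [(relative_path, line_number, truncated_pan), ...] for all hits."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in TEXT_SUFFIXES:
            text = path.read_text(errors="ignore")
            for lineno, masked in find_pans_in_text(text):
                hits.append((path.relative_to(root).as_posix(), lineno, masked))
    return hits


def demo() -> list:
    """Constructed sample files using published test card numbers (not real accounts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "exports").mkdir()
        (root / "exports" / "refunds.csv").write_text(
            "id,pan,amount\n"
            "1,4111111111111111,19.99\n"       # Luhn-valid: reported
            "2,4111 1111 1111 1112,5.00\n"     # fails Luhn: not reported
            "3,411111XXXXXX1111,7.50\n"        # already truncated: not reported
        )
        (root / "app.log").write_text(
            "2024-01-05 12:00:01 settlement batch 5555-5555-5555-4444 ok\n"
            "2024-01-05 12:00:02 order 1234567890123 shipped\n"   # 13 digits, fails Luhn
        )
        return scan_directory(root)


if __name__ == "__main__":
    for rel_path, lineno, masked in demo():
        print(f"{rel_path}:{lineno}: {masked}")
```

Each hit is one "location" for the analyze-to-terminate-or-include step: the report gives the file and line, which is enough to trace the source of the data and decide whether the full number is needed there, without copying the number into yet another file.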
14. Steps for confirming the Scope
• This slide details the next set of steps to be taken by Client for determining the PCI DSS Scope –
◦ Finalize the locations – Finalize all the locations where the full card number is required to be processed, stored or transmitted. Please note that if the full card number is received and the application only stores the truncated card number, then that system will still be in PCI DSS scope.
◦ Based on the above step, identify and finalize all the servers and user desktops within the Client network which process, store or transmit the full card number.
◦ The VLAN or network segment in which these servers and user desktops are deployed will come under the PCI DSS scope, including all the servers and user desktops deployed in the scoped VLANs / network segments.
15. Thank You!
Manish M
Cyber Security Training Provider
Manish.cor@gmail.com
Contact: +91-9036350000
LinkedIn: https://www.linkedin.com/in/manishmahapatra
Join my group on https://www.linkedin.com/groups/6517220 for more updates.