How Vanguard Solves Your PCI DSS Challenges. Peter Roberts, Sr. Consultant. 5/27/2016
2 AGENDA
1. About Vanguard/Introductions
2. What is PCI DSS
3. PCI DSS 3.1/3.2 Important Dates
4. PCI DSS Change Cycle
5. Top PCI challenges for z/OS
6. How Vanguard Addresses PCI DSS Requirements
7. Q/A
3 What is PCI DSS?
What is PCI DSS - the Payment Card Industry Data Security Standard?
- A set of standards created by the PCI Security Standards Council
- Enforced by contract with the banks that provide payment card processing
- Applicable to everyone who stores, processes or transmits payment card data
4 PCI DSS Requirements
High-level overview of the 12 PCI DSS Requirements
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
5 PCI DSS Requirements
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
6 PCI DSS Requirements
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
7 PCI DSS Requirements
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
8 PCI DSS 3.1 / 3.2 Important Dates
Feb 13, 2015: PCI DSS 3.1 Announced
April 15, 2015: PCI DSS 3.1 Published
April 28, 2016: PCI DSS 3.2 Announced/Published
Oct 31, 2016: PCI DSS 3.1 Retired
Jan 31, 2018: PCI DSS 3.2 becomes mandatory
Jan 31, 2018: PCI DSS 3.2's new additions go from being a best practice to a requirement
June 30, 2018: Non-early TLS (v1.1 or later) becomes mandatory
9 PCI DSS 3.2 Highlights
All PCI entities:
- Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication (8.3)
- Removed all notes and testing procedures regarding removal of SSL/early TLS to a new Appendix A2
- Version 3.1 expires on 31 October 2016 (3.2's new additions are a best practice until 31 January 2018)
Service Providers only:
- There are several new requirements that relate to Service Providers only, including:
  - Maintain a documented description of the cryptographic architecture (3.5.1)
  - Implement a process for the timely detection and reporting of failures of critical security control systems (10.8)
  - If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods ( )
  - And several more
Designated Entities Supplemental Validation (DESV):
- Applies only to entities designated by a payment brand(s) or acquirer as requiring additional validation of existing PCI DSS requirements (Appendix A.3)
10 PCI DSS Change Cycle
11 Common PCI Terms
1. CHD - Card Holder Data
2. SAD - Sensitive Authentication Data
3. PAN - Primary Account Number
12 TOP PCI CHALLENGES FOR z/OS
Interpretation of PCI requirements and applicability to z/OS
13 Interpreting PCI DSS for z/OS - What is a z/OS System Component?
People who touch it: 1st Systems Programmer, 2nd Systems Programmer, RACF Engineer, RACF Administrator, Database Administrator, QSA & Compliance Officers
Candidate system components: Master Catalog, SDSF, the RACF Database, copies of the RACF database, Dataset Profiles, General Resource Profiles, APF Authorized Datasets, Session Managers, LINKLIB Datasets, SYS1.UADS Dataset, SETROPTS Settings, User ID Attributes, User Catalogs, WebSphere, RACF CDT, Group Connect Authorities, JES2 / JES3, RACF Classes, Role Based Access, Parmlib Datasets, OMEGAMON, Multi-User Access Systems, WebSphere MQ, Encryption Keys, IMS Databases, z/OS Security Patches, DFSMS, Group Membership, DB2 Databases, System Proclibs, SVCs, Privileged Userids, DB2 Table Trace, Started Tasks, CICS System Datasets, RACF Exits, Oracle Databases, SYS1.Parmlib, DB2 System Tables, RACF Classes for DB2, RACF Datasets, SMF Log Files, IBM Comm Server, IRR-prefixed Utilities, IDMS, System Exits, Vendor Security Products, Logging Parameters, ICSF Encryption Keys, Magnetic Tape?
14 Interpreting PCI DSS for z/OS - Example: PCI Deny-all Settings
Requirement 7: Restrict access to cardholder data by business need to know
7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know and is set to deny all unless specifically allowed. This access control system must include the following: default deny-all settings.
PCI Testing Procedure: Confirm that the access control systems have a default deny-all setting.
The challenge for complying with PCI is to determine the meaning of a default deny-all setting. For a RACF system, the PROTECTALL feature would be the obvious default deny-all setting. However, if you stop there, you would be misinterpreting the requirement.
15 Interpreting PCI DSS for z/OS - Deny-All Settings
Some examples of RACF deny-all settings:
- Profiles - Universal Access (UACC)
- ID(*) on an access list with READ or higher
- Profiles - WARNING
- Global Access Table
- Inactive RACF Classes
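The point of these two slides is that PROTECTALL alone does not make RACF "deny all": a profile can exist with UACC(NONE) and still be wide open through WARNING, an ID(*) entry, a global access table entry, or an inactive class. The script below is an added example, not Vanguard's code or an IBM utility; it runs those five checks plus PROTECTALL over a constructed, simplified snapshot of SETROPTS, profile and global-access-table data (the record layout and the fnmatch-based generic matching are assumptions, not RACF's own formats).

```python
"""Deny-all review of RACF protection settings (added example, constructed data)."""
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Any access at or above READ exposes the data; NONE is the only deny-all value.
READ_OR_HIGHER = {"READ", "UPDATE", "CONTROL", "ALTER"}


@dataclass
class Profile:
    cls: str                    # RACF class the profile lives in, e.g. DATASET
    name: str                   # profile name, e.g. PCI.CREDIT.DATA.**
    uacc: str = "NONE"          # universal access (UACC)
    warning: bool = False       # WARNING attribute: violations are logged, not failed
    acl: Dict[str, str] = field(default_factory=dict)  # access list, ID -> access


@dataclass
class Settings:
    protectall: str                            # SETROPTS PROTECTALL: FAILURES / WARNING / OFF
    active_classes: Set[str]                   # classes reported ACTIVE by SETROPTS LIST
    global_access: Dict[str, Dict[str, str]]   # class -> {global access entry -> access}


def check_setropts(s: Settings) -> List[str]:
    """PROTECTALL(FAILURES) is the obvious default deny-all; anything weaker is a finding."""
    if s.protectall.upper() != "FAILURES":
        return [f"SETROPTS PROTECTALL({s.protectall}) does not fail access to unprotected datasets"]
    return []


def check_profile(p: Profile) -> List[str]:
    """Profile-level settings that silently widen access past deny-all."""
    findings = []
    if p.uacc.upper() in READ_OR_HIGHER:
        findings.append(f"{p.cls} {p.name}: UACC({p.uacc}) grants every user {p.uacc}")
    if p.warning:
        findings.append(f"{p.cls} {p.name}: WARNING is set, so violations are logged but allowed")
    star = p.acl.get("*")
    if star and star.upper() in READ_OR_HIGHER:
        findings.append(f"{p.cls} {p.name}: ID(*) has {star} on the access list")
    return findings


def gat_covers(entry: str, resource: str) -> bool:
    """Approximate RACF generic matching with fnmatch (** -> *, % -> ?).
    This is an assumption for review purposes, not RACF's exact algorithm."""
    pattern = entry.replace("**", "*").replace("%", "?")
    return fnmatch.fnmatchcase(resource, pattern)


def check_global_access(p: Profile, s: Settings) -> List[str]:
    """A global access table hit grants access without consulting the profile at all."""
    findings = []
    for entry, access in s.global_access.get(p.cls, {}).items():
        if access.upper() in READ_OR_HIGHER and gat_covers(entry, p.name):
            findings.append(f"{p.cls} {p.name}: global access entry {entry} grants {access} "
                            "before the profile is ever checked")
    return findings


def check_class_active(p: Profile, s: Settings) -> List[str]:
    """Profiles in an inactive class are never consulted, so they protect nothing."""
    if p.cls not in s.active_classes:
        return [f"{p.cls} {p.name}: class {p.cls} is inactive, so this profile is not enforced"]
    return []


def review(settings: Settings, profiles: List[Profile]) -> List[str]:
    findings = check_setropts(settings)
    for p in profiles:
        findings += check_profile(p) + check_global_access(p, settings) + check_class_active(p, settings)
    return findings


# Constructed sample: PROTECTALL only in WARNING mode; a cardholder-data profile that looks
# locked down (UACC NONE) but is undermined three ways; a log profile covered by a global
# access entry; and a FACILITY profile whose class is not active.
SAMPLE_SETTINGS = Settings(
    protectall="WARNING",
    active_classes={"DATASET", "TERMINAL"},
    global_access={"DATASET": {"PCI.**": "READ", "SYS1.HELP": "READ"}},
)
SAMPLE_PROFILES = [
    Profile("DATASET", "PCI.CREDIT.DATA.**", uacc="NONE", warning=True,
            acl={"PCIADM": "ALTER", "*": "READ"}),
    Profile("DATASET", "PCI.AUDIT.LOGS.**", uacc="NONE", acl={"AUDITGRP": "READ"}),
    Profile("FACILITY", "PCI.TOKEN.SERVICE", uacc="NONE", acl={"TOKENSVC": "READ"}),
]

if __name__ == "__main__":
    for line in review(SAMPLE_SETTINGS, SAMPLE_PROFILES):
        print(line)
```

On the constructed sample the review returns six findings, one per weakness described above, even though every profile carries UACC(NONE).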
16 How does Vanguard Help Address PCI DSS?
Vanguard Product Suite
17 Vanguard Configuration Manager
What is Vanguard Configuration Manager?
- Automates the process of testing mainframe security configuration controls to assess their compliance with the IBM z/OS and RACF Configuration Checklist from the National Checklist Program (NCP) of the National Institute of Standards and Technology (NIST) and the Department of Homeland Security (DHS)
- Enhances z Systems security by providing built-in configuration control details
- Automates testing on more than 350 z Systems configuration control checks
- Produces accurate compliance reports in minutes
18 How Does Vanguard Configuration Manager Address PCI DSS?
Requirement 2 - Do not use vendor-supplied defaults for system passwords and other security parameters
- Requirement 2.2: Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards and Technology (NIST).
Requirement 3 - Protect stored cardholder data
- See the ZICS - Integrated Cryptographic Service Facility section
19 How Does Vanguard Configuration Manager Address PCI DSS?
Requirement 5 - Protect all systems against malware and regularly update anti-virus software or programs
- Since malware on z/OS is mainly concerned with gaining access to APF libraries, check ACP00060 validates that only appropriate users have access
Requirement 7 - Restrict access to cardholder data by business need to know
- As well as specifying how Datasets and General Resources are to be protected, Vanguard Configuration Manager also controls which Roles are allowed to have access and at what level of access
Requirement 8 - Identify and authenticate access to system components
- Reporting: see the RACF - Security Server (RACF) Settings section
  » Password Format
  » Password Attempts
  » Password Expiration
- See ZUSS - UNIX System Services
- See AAMV - Inactivity Timers
20 How Does Vanguard Configuration Manager Address PCI DSS?
Requirement 10 - Track and monitor all access to network resources and cardholder data
- Use Vanguard Configuration Manager to report on SMF
- Includes checks in the AAMV, ACOM, ACP and RACF categories
21 Common PCI Requirements - NIST RACF Checklist
22 Vanguard Configuration Manager - Choose Which STIG level
23 Vanguard Configuration Manager - Specify or create Baseline datasets
24 Vanguard Configuration Manager - Select a Category
25 Vanguard Configuration Manager - Category Report Summary
26 Vanguard Configuration Manager
27 Vanguard Policy Manager
What is Vanguard Policy Manager?
- Prevents execution of z/OS Security Server commands that do not comply with organization-defined policies
- Enables enterprises to precisely control which users can execute specific commands, parameters and sub-parameters
- Noncompliant commands are modified to comply with policy or prevented from executing
- Enhanced logging features are provided to log command events regardless of resource-level or system-level audit settings
28 Staying Compliant - Continuous Monitoring Tools - Intrusion Prevention
1. User issues a supported RACF command
Vanguard Policy Manager (TM) Continuous Monitoring and Policy Enforcement of RACF Commands:
a) Validates that the command issuer is authorized to issue the command
b) Validates that the command is compliant with user-defined policies
c) Modifies commands to comply with written policies prior to execution
d) Fails non-compliant commands (e.g. unauthorized changes to the PCI.CREDIT.DATA profile)
e) Logs all command activity to System Management Facility (SMF)
29 How Does Vanguard Policy Manager Address PCI DSS?
Requirement 7 - Restrict access to cardholder data by business need to know
- Can lock down PCI-related RACF profiles once they are set up correctly
  » SETROPTS PROTECTALL settings
  » PCI-related Dataset and General Resource profiles
Requirement 8 - Identify and authenticate access to system components
- Lock down SETROPTS for passwords
  » Password Format
  » Password Attempts
  » Password Expiration
Requirement 9 - Restrict physical access to cardholder data
- Lock down SETROPTS ERASE-ON-SCRATCH
- Lock down PCI-related Dataset Profiles for ERASE-ON-SCRATCH
Requirement 10 - Track and monitor all access to network resources and cardholder data
- Lock down Audit Parms on PCI Dataset & General Resource Profiles
30 Vanguard Policy Manager
31 SETROPTS Policy
32 Not Authorized to change SETROPTS
33 Vanguard Policy Manager Dataset Policies
34 Not Authorized to Alter PCI DS Profile
The user had SYSTEM SPECIAL but was not authorized to the $VPM PCI profiles. The command was NOT executed and is logged as a violation. It can be reported on using Vanguard Advisor (usually the next day), or Vanguard Active Alerts can be used to send an immediate notification.
35 Vanguard Policy Manager Enhanced Command Logging
36 Vanguard Enforcer
What is Vanguard Enforcer?
- Ability to notify and optionally correct
- Manages the security implementation baseline that enforces your security policies
- Continuous scanning of RACF security profiles looking for deviations from the baseline
- Logs all scan operations and deviations found
37 How Does Vanguard Enforcer Address PCI DSS?
Requirement 7 - Restrict access to cardholder data by business need to know
- Can ensure that if someone does get access they are not supposed to have, you are either notified or it can change the setting back
Requirement 10 - Track and monitor all access to network resources and cardholder data
- Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts
- Make sure that the SMF Parmlib is not changed (this could affect what is being collected)
- Make sure that new SMF exits are not implemented, etc.
Requirement 11 - Regularly test security systems and processes
- Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification of critical system files, configuration files or content files
38 Vanguard Enforcer
39 Vanguard Enforcer
40 Vanguard Enforcer
41 Vanguard Enforcer - Sensor Notification Alert - Example
42 Vanguard Advisor
What is Vanguard Advisor?
- Uses live or historical SMF records and log stream data
- Conducts a wide variety of analyses from an array of packaged and customizable reports
- 100s of pre-built, commonly used reports
- Customized reports without the need to learn complex reporting languages
- Delivers violation notices and reports via
43 How Does Vanguard Advisor Address PCI DSS?
Requirement 4 - Encrypt transmission of cardholder data across open, public networks
- Can help prove that you are using a secure version of FTP and a safe (secure) cipher
Requirement 10 - Track and monitor all access to network resources and cardholder data
- Review logs and security events for all system components to identify anomalies or suspicious activity
44 Vanguard Advisor
45 Vanguard Advisor
46 Vanguard Advisor
47 Vanguard Advisor
48 PCI Requirement 4 - FTP Advisor Report
49 Vanguard Multi-Factor Solutions
What are the Vanguard Multi-Factor Solutions? Two-Factor (Multi-Factor) Authentication:
» Vanguard ez/pivcard Authenticator
» Vanguard ez/token
» Vanguard Tokenless Authentication
How Do Vanguard Multi-Factor Solutions Address PCI DSS?
- Requirement 8: Identify and authenticate access to system components
  * New with PCI DSS 3.2: Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication, by employing at least two of the following methods to authenticate users:
  » Something you know, such as a password or passphrase
  » Something you have, such as a token device or smart card
  » Something you are, such as a biometric
50 Some Professional Services Solutions
Vanguard Professional Services also has additional offerings to help you get PCI DSS ready:
- Limit access to system components & CHD - Role Based Access (PCI DSS 7.1)
- Annual Penetration Testing, including z/OS (PCI DSS 11.3)
- DB2 to RACF security migration assistance
51 The End - Thank You
Here are some helpful websites:
- Requirements and Security Assessment Procedures
- PCI SSC Data Security Standards
- NIST Checklist
52 Vanguard zSecurity University
May 23 - May 26: Basics of RACF Administration, 24 CPE, 4 days, Online
June 1 - June 3: RACF Security for z/OS Applications - ALL MODULES, 18 CPE, 3 days, Online
June 1: RACF Security for z/OS Applications - MODULE 1: RACF for DB2, 6 CPE, 1 day, Online
June 2 - June 3: RACF Security for z/OS Applications - MODULE 2: RACF for CICS, 12 CPE, 2 days, Online
June 6 - June 9: Beyond RACF Basics, 24 CPE, 4 days, Online
June 13 - June 15: Auditing z/OS and RACF, 18 CPE, 3 days, Online
June 21 - June 24: Beyond RACF Basics, 24 CPE, 4 days, Jacksonville, FL
June 27 - June 30: Basics of RACF Administration, 24 CPE, 4 days, Online
Register to attend a course, or to get more information:
Don't forget that all of the Vanguard zSecurity University courses are eligible for CPE Credits.
Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees
53 Vanguard zSecurity University
To register for a webinar or training course: go to go2vanguard.com and select Training.
55 Questions? How to Contact Us
Vanguard Integrity Professionals
6625 South Eastern Ave., Suite 100, Las Vegas, NV
Direct/International: (702)
Toll Free: (877)
Fax: (702)
56 Legal Notice
Copyright 2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization's internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Trademarks: The following are trademarks of Vanguard Integrity Professionals - Nevada: Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard SecurityCenter for DB2, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/token, Vanguard Tokenless Authenticator, Vanguard ez/piv Card Authenticator, Vanguard ez/integrator, Vanguard ez/signon, Vanguard ez/password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University
57 Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation: CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product and service names may be trademarks or service marks of others.
More informationIs Your z/os System Secure?
Ray Overby Key Resources, Inc. Info@kr-inc.com (312) KRI-0007 A complete z/os audit will: Evaluate your z/os system Identify vulnerabilities Generate exploits if necessary Require installation remediation
More informationA QUICK PRIMER ON PCI DSS VERSION 3.0
1 A QUICK PRIMER ON PCI DSS VERSION 3.0 This white paper shows you how to use the PCI 3 compliance process to help avoid costly data security breaches, using various service provider tools or on your own.
More informationPayment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018
Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures Version 3.2.1 May 2018 Document Changes Date Version Description Pages October 2008 1.2 July 2009 1.2.1
More informationFairWarning Mapping to PCI DSS 3.0, Requirement 10
FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are
More informationEleven Steps to Make Mainframe Security Audits More Effective and Efficient
Eleven Steps to Make Mainframe Security Audits More Effective and Efficient These are some things I ve learned about auditing IBM mainframe computers by trying a lot of approaches, some of which worked
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission
More informationPayment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.
Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.1 Assessor Company: Control Gap Inc. Contact Email: info@controlgap.com
More informationPDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)
PDQ has created an Answer Guide for the Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C to help wash operators complete questionnaires. Part of the Access Customer Management
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationPOLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)
POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE) VANGUARD POLICY MANAGER dramatically reduces security risks and improves regulatory compliance, minimizing the need for expensive remediation,
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Document2 Section 1: Assessment Information Instructions for
More informationPCI Data Security. Meeting the Challenges of PCI DSS Payment Card Security
White Paper 0x8c1a3291 0x56de5791 0x450a0ad2 axd8c447ae 8820572 0x5f8a153d 0x19df c2fe97 0xd61b5228 0xf32 4856 0x3fe63453 0xa3bdff82 0x30e571cf 0x36e0045b 0xad22db6a 0x100daa87 0x48df 0x5ef8189b 0x255ba12
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced For use with
More informationSHARE in Pittsburgh Session 15801
HMC/SE Publication and Online Help Strategy Changes with Overview of IBM Resource Link Tuesday, August 5th 2014 Jason Stapels HMC Development jstapels@us.ibm.com Agenda Publication Changes Online Strategy
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.2 April 2016 Section 1: Assessment Information Instructions for Submission
More informationPayment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0
Payment Card Industry (PCI) Data Security Standard Summary of s from PCI DSS Version 1.2.1 to 2.0 October 2010 General General Throughout Removed specific references to the Glossary as references are generally
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Merchants Version 3.0 February 2014 Section 1: Assessment Information Instructions for Submission This
More informationPCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring
PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring By Chip Ross February 1, 2018 In the Verizon Payment Security Report published August 31, 2017, there was an alarming
More informationVANGUARD POLICY MANAGERTM
VANGUARD TM VANGUARD dramatically reduces security risks and improves regulatory compliance, minimizing the need for expensive remediation, while increasing staff productivity. Policy Manager provides
More informationVanguard ez/signon Client Installation and User Guide
Vanguard ez/signon Client Installation and User Guide Version 5.1 Vanguard ez/signon Version 5.1 Document Number VZSI-081503-511U September, 2003 Copyright 1997-2003 Vanguard Integrity Professionals-Nevada.
More informationINFORMATION SUPPLEMENT. Use of SSL/Early TLS for POS POI Terminal Connections. Date: June 2018 Author: PCI Security Standards Council
Use of SSL/Early TLS for POS POI Terminal Connections Date: Author: PCI Security Standards Council Table of Contents Introduction...1 Executive Summary...1 What is the risk?...1 What is meant by Early
More informationSQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD
SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD The Payment Card Industry Data Security Standard (PCI DSS), currently at version 3.2,
More informationOracle Hospitality OPERA Property Management Security Guide Versions: Part Number: E
Oracle Hospitality OPERA Property Management Security Guide Versions: 5.0.05.00 Part Number: E67891-01 May 2016 Copyright 2015, Oracle and/or its affiliates. All rights reserved. This software and related
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants Version 3.1 April 2015 Document Changes Date
More informationPayment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide
Payment Card Industry Data Security Standard Self-Assessment Questionnaire C Guide PCI DSS Version: V3.1, Rev 1.1 Prepared for: The University of Tennessee Merchants The University of Tennessee Foundation
More informationOld requirement New requirement Detail Effect Impact
RISK ADVISORY THE POWER OF BEING UNDERSTOOD PCI DSS VERSION 3.2 How will it affect your organization? The payment card industry (PCI) security standards council developed version 3.2 of the Data Security
More informationQualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0
Qualified Integrators and Resellers (QIR) TM Implementation Statement For each Qualified Installation performed, the QIR Employee must complete this document and confirm whether the Validated Payment Application
More informationPayment Card Industry (PCI) Qualified Integrator and Reseller (QIR)
Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR) Implementation Instructions Version 4.0 March 2018 Document Changes Date Version Description August 2012 1.0 Original Publication November
More informationVANGUARD INTEGRITY PROFESSIONALS Page 1
VANGUARD CONFIGURATION MANAGER (AUDIT/COMPLIANCE) Vanguard Configuration Manager automates review of current z/os Security Server configurations against prevailing standards to include DISA STIG, NIST,
More informationBest Practices (PDshop Security Tips)
Best Practices (PDshop Security Tips) For use with all versions of PDshop Revised: 12/29/17 PDshop.com / Copyright 2002-2018 All Rights Reserved. 1 Table of Contents Table of Contents... 2 Best Practices...
More informationPCI DSS v3. Justin
PCI DSS v3 Justin Leapline justin.leapline@giftcards.com @jmleapline My Experience With PCI Just to lay the groundwork Currently work at Largest ecommerce in Pittsburgh My experience includes: QSA Acquirer
More informationCarbon Black PCI Compliance Mapping Checklist
Carbon Black PCI Compliance Mapping Checklist The following table identifies selected PCI 3.0 requirements, the test definition per the PCI validation plan and how Carbon Black Enterprise Protection and
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Version 1.0 Release: December 2004 How to Complete the Questionnaire The questionnaire is divided into six sections. Each
More informationPayment Card Industry (PCI) Data Security Standard Report on Compliance. PCI DSS v3.2.1 Template for Report on Compliance. Revision 1.
Payment Card Industry (PCI) Data Security Standard Report on Compliance PCI DSS v3.2.1 Template for Report on Compliance Revision 1.0 June 2018 Document Changes Date Version Description February 2014 July
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.1 April 2015 Section 1: Assessment Information Instructions for Submission
More informationPayment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants All other SAQ-Eligible Merchants For use PCI DSS Version 3.1 Revision 1.1
More informationIBM. PDF file of IBM Knowledge Center topics. IBM Operations Analytics for z Systems. Version 2 Release 2
IBM Operations Analytics for z Systems IBM PDF file of IBM Knowledge Center topics Version 2 Release 2 IBM Operations Analytics for z Systems IBM PDF file of IBM Knowledge Center topics Version 2 Release
More informationPCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS
CONFIDENCE: SECURED WHITE PAPER PCI DSS 3.2 COMPLIANCE WITH TRIPWIRE SOLUTIONS TRIPWIRE ENTERPRISE TRIPWIRE LOG CENTER TRIPWIRE IP360 TRIPWIRE PURECLOUD A UL TRANSACTION SECURITY (QSA) AND TRIPWIRE WHITE
More informationVANGUARD Policy Manager TM
Compliance Endures that RACF commands comply with company policy Remediation Provides proactive enforcement, corrects commands in accordance with corporate policies Auditing Provides and audit trail within
More informationControl-M and Payment Card Industry Data Security Standard (PCI DSS)
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationEnabling compliance with the PCI Data Security Standards December 2007
December 2007 Employing IBM Database Encryption Expert to meet encryption and access control requirements for the Payment Card Industry Data Security Standards (PCI DSS) Page 2 Introduction In 2004, Visa
More informationPaymentVault TM Service PCI DSS Responsibility Matrix
PaymentVault TM Service PCI DSS 3.2.1 Responsibility Matrix 5 November 2018 Compliance confirmed and details available in the Systems International Attestation of Compliance (AoC). A copy of the AoC is
More informationPayment Card Industry (PCI) Data Security Standard
Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Self-Assessment Questionnaire D Service Providers For use with PCI DSS Version 3.2 Revision 1.1 January 2017 Section 1:
More information