Segmentation, Compensating Controls and P2PE Summary

Similar documents
Advanced Certifications PA-DSS and P2PE. Erik Winkler, VP, ControlCase

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Point-to-Point Encryption

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Implementation Guide paypoint version 5.08.xx, 5.11.xx, 5.13.xx, 5.14.xx, 5.15.xx

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Payment Application Data Security Standard. Requirements and Security Assessment Procedures. Version 2.0.

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

Implementation Guide paypoint v5.08.x, 5.11.x, 5.12.x, 5.13.x and 5.14.x

PCI DSS V3.2. Larry Newell MasterCard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS) v3.2 Systems Security Standard

GUIDE TO STAYING OUT OF PCI SCOPE

Payment Card Industry (PCI) Point-to-Point Encryption. Template for Report on Validation for use with P2PE v2.0 (Revision 1.1) for P2PE Solution

Payment Card Industry (PCI) Data Security Standard. Requirements and Security Assessment Procedures. Version May 2018

Payment Card Industry (PCI) Data Security Standard

PCI DSS COMPLIANCE 101

University of Sunderland Business Assurance PCI Security Policy

Security Requirements and Assessment Procedures for EMV 3-D Secure Core Components: ACS, DS, and 3DS Server

Payment Card Industry (PCI) Data Security Standard

First Data TransArmor VeriFone Edition Abbreviated Technical Assessment White Paper

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance

Navigating the PCI DSS Challenge. 29 April 2011

Webinar: How to keep your hotel guest data secure

Qualified Integrators and Resellers (QIR) TM. QIR Implementation Statement, v2.0

6 Vulnerabilities of the Retail Payment Ecosystem

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Section 1: Assessment Information

Summary of Changes from PA-DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE and Attestation of Compliance

Site Data Protection (SDP) Program Update

Payment Card Industry (PCI) Data Security Standard

Section 1: Assessment Information

Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Data Security Standard PCI DSS v3.2.1 Before and After Redline View Change Analysis Between PCI DSS v3.2 and PCI DSS v3.2.

Donor Credit Card Security Policy

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Payment Card Industry (PCI) Data Security Standard

All the Latest Data Security News. Best Practices and Compliance Information From the PCI Council

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Attestation of Compliance for Onsite Assessments Service Providers

Validated P2PE for Reduced Compliance Scope, More Peace-of-Mind

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

PCI PA DSS. MultiPOINT Implementation Guide

Verifone Finland PA-DSS

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

PCI PA DSS. PBMUECR Implementation Guide

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

Evolution of Cyber Attacks

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire A and Attestation of Compliance

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

PCI & You: more than you wanted to know.

A Perfect Fit: Understanding the Interrelationship of the PCI Standards

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance

Point ipos Implementation Guide. Hypercom P2100 using the Point ipos Payment Core Hypercom H2210/K1200 using the Point ipos Payment Core

Voltage SecureData Mobile PCI DSS Technical Assessment

The Devil is in the Details: The Secrets to Complying with PCI Requirements. Michelle Kaiser Bray Faegre Baker Daniels

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Instructions: SAQ-D for Merchants Using Shift4 s True P2PE

Payment Card Industry (PCI) Data Security Standard

PCI PA DSS Implementation Guide

Payment Card Industry (PCI) Data Security Standard

Payment Card Industry - Data Security Standard (PCI-DSS)

June 2013 PCI DSS COMPLIANCE GUIDE. Look out for the tips in the blue boxes if you use Fetch TM payment solutions.

The Future of PCI: Securing payments in a changing world

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance

Self-Assessment Questionnaire A

PCI Guidance Check-In Where are We Now? Diana

Payment Card Industry (PCI) Data Security Standard

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.1.x for Onslip S80, Onslip S90

PCI DSS 3.2 AWARENESS NOVEMBER 2017

Payment Card Industry (PCI) Data Security Standard

Document No.: VCSATSP Restricted Data Protection Policy Revision: 4.0. VCSATS Policy Number: VCSATSP Restricted Data Protection Policy

Payment Card Industry (PCI) Data Security Standard

PCI DSS v3. Justin

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B-IP and Attestation of Compliance

David Jenkins (QSA CISA) Director of PCI and Payment Services

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance for Merchants

Opting Out. Avoid Becoming the Next Breach Statistic. Copyright 2014 MAC. All Rights Reserved.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD SELF-ASSESSMENT QUESTIONNAIRE (SAQ) B GUIDE

Payment Card Industry (PCI) Data Security Standard Attestation of Compliance for Onsite Assessments Service Providers Version 3.0

PCI PA-DSS Implementation Guide Onslip PAYAPP V2.0 for Onslip S80, Onslip S90

Software-Based PIN Entry on COTS. Jeremy King International Director PCI Security Standards Council

Transcription:

Segmentation, Compensating Controls and P2PE Summary ControlCase Annual Conference New Orleans, Louisiana USA 2016

Segmentation Reducing PCI Scope ControlCase Annual Conference New Orleans, Louisiana USA 2016

PCI Scoping Network segments fall into 3 classifications within PCI DSS: Networks that store, process and/or transmit CHD Networks that do not store, process and/or transmit CHD, but are still in scope (e.g., connected to the CDE or provide management functions to the CDE) Networks confirmed to be out of scope ControlCase Annual Conference New Orleans, Louisiana USA 2016 1

No Segmentation ControlCase Annual Conference New Orleans, Louisiana USA 2016 2

Proper Segmentation ControlCase Annual Conference New Orleans, Louisiana USA 2016 3

Segmentation Testing PCI DSS requires that segmentation methods are operational and effective, and isolate all out-of-scope systems from in-scope systems Certification must include review of all segmentation technologies Must include penetration testing: against CDE systems from outside CDE against out-of-scope systems within the CDE ControlCase Annual Conference New Orleans, Louisiana USA 2016 4

Compensating Controls Above and Beyond ControlCase Annual Conference New Orleans, Louisiana USA 2016

Definition Compensating Controls may be considered for most PCI DSS requirements when you cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but you have sufficiently mitigated the risk associated with the requirement through implementation of compensating controls. All compensating controls cannot already be required by PCI DSS and must be reviewed by your QSA. The effectiveness of a compensating control is dependent on the specifics of the environment in which the control is implemented, the surrounding security controls, and the con figuration of the control. A particular compensating control will not be effective in all environments. ControlCase Annual Conference New Orleans, Louisiana USA 2016 5

Misconceptions A compensating control accepted for another organization is acceptable in my organization. Once validated by a QSA, a compensating control does not need to be reassessed. A compensating control can only be used once. Compensating controls only cover technical PCI DSS requirements. ControlCase Annual Conference New Orleans, Louisiana USA 2016 6

Compensating Control Example Constraint - Organization uses a legacy payment transaction switch which does not support encryption for storage of cardholder data stored in the backend database. Requirement 3.4 - Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) Identified Risk Cardholder data can be compromised since it is stored in clear text format. ControlCase Annual Conference New Orleans, Louisiana USA 2016 7

Valid Compensating Control Ensure the transaction switch database is segmented in a separate segment from other in-scope systems with access control filtering. Ensure two factor authentication for access to the database. Ensure monthly vulnerability assessment for the database servers. Ensure administrative access to the server from limited network segments/systems. ControlCase Annual Conference New Orleans, Louisiana USA 2016 8

P2PE Basic Understanding ControlCase Annual Conference New Orleans, Louisiana USA 2016

Definition of Account Data Account Data consists of cardholder data and/or sensitive authentication data, all information printed on the physical card and data on the magnetic strip and chip. Account Data Cardholder Data includes: Primary Account Number (PAN) Cardholder Name Expiration Date Service Code Sensitive Authentication Data includes: Full Magnetic Stripe Data or Equivalent on a Chip CAV2/CVC2/CVV2/CID PINs/PIN block ControlCase Annual Conference New Orleans, Louisiana USA 2016 9

What is P2PE? A point-to-point encryption (P2PE) solution cryptographically protects account data from the point where a merchant accepts the payment card to the secure point of decryption. ControlCase Annual Conference New Orleans, Louisiana USA 2016 10

Payment Method in P2PE Encrypted by POI Encrypted by POI POI Encrypts data immediately after reading using SRED function Encrypted Account Data Encrypted Account Data Encrypted by POI Encrypted Account Data PCI Scope HSM/Host Decrypted by HSM or Hybrid at P2PE Solution Provider Decryption Environment POS Merchant Authorization Authorization ControlCase Annual Conference New Orleans, Louisiana USA 2016 11

P2PE Solution overview Typical data-flow: Merchant Environment P2PE Solution Provider Encrypted account data Authorization PTS approved POS with SRED Decryption Environment ControlCase Annual Conference New Orleans, Louisiana USA 2016 12

Benefits of P2PE Offers a powerful, flexible solution for all stakeholders Makes account data unreadable by unauthorized parties Reduces fraud and theft Protects customer data and client reputation Simplifies compliance with PCI DSS Recognized by all Participating Payment Brands ControlCase Annual Conference New Orleans, Louisiana USA 2016 13

Thank You! ControlCase Annual Conference New Orleans, Louisiana USA 2016

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback