PCI DSS COMPLIANCE 101

Pavel Kaminsky, PCI QSA, CISSP, CISA, CEH
Head of Operations at Seven Security Group
Information Security Professional, Auditor, Pentester

SEVEN SECURITY GROUP
- PCI QSA company
- Own implementation team
- Own penetration testing team

PCI DSS?

PCI DSS 101
- PCI Security Standards Council: VISA, MC, AMEX, JCB, DISCOVER
- Comprehensive, in-depth, detailed
- Valid for 1 year, then recertification

PCI SSC RESOURCES
- PCI DSS, PA-DSS, P2PE, PTS (POI, HSM & PIN), Card Production and supporting documents
- Registry of QSAs, PA-QSAs, PCIPs, ASVs, Validated Payment Applications, PTS Devices, P2PE Solutions
- PCI FAQ
- Education & Outreach Programs
- Participating Organization Membership, Community Meetings, Feedback
- https://www.pcisecuritystandards.org

PAYMENT BRANDS COMPLIANCE PROGRAMS
Payment brands:
- Have their own compliance program
- Are responsible for CP enforcement
- Define forensic investigations
- Respond to account data compromises
Compliance programs include:
- Tracking and enforcement
- Penalties, fees, compliance deadlines
- Validation process and who needs to validate
- Approval and posting of compliant entities
- Definition of merchant and service provider levels

PCI DSS - WHY IT'S IMPORTANT?
SEVERE PENALTIES:
- Security breaches cost a lot
- You can be suspended from processing credit card transactions
- You can face higher processing fees
IN CASE OF A COMPROMISE, NON-COMPLIANT MEMBERS OR THEIR NON-COMPLIANT MERCHANTS OR AGENTS ARE LIABLE TO PAY:
- Non-compliance fine
- Forensic investigation costs
- Dispute resolution costs
- Card re-issuance penalties
- Breach notification costs

VERIZON PAYMENT SECURITY REPORT
Of all the payment card data breaches the Verizon Threat Research Advisory Center team investigated over the past 12 years, not a single organization was fully PCI DSS compliant at the time of the breach.

THE REQUIREMENTS: 6 CATEGORIES
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy

PCI DSS COMPLIANCE
- PCI DSS compliance is determined by how your organization stores, processes, and/or transmits cardholder data across your infrastructure
- Compliance is based on Level and Type
- Level is based on the number of transactions performed in a 12-month period
- Type is defined by how your organization takes credit cards
- Depending on your Type, you will have to address anywhere from 20 to 360 controls
- Depending on your Level, you will report your compliance with a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) by a QSA

LEVELS OF COMPLIANCE
            Service providers    Merchants
  Level 1   ROC by QSA           ROC by QSA
  Level 2   SAQ                  SAQ
  Level 3   -                    SAQ
  Level 4   -                    SAQ

REPORTING: ROC, SAQ

REPORTING
- ROC (Report on Compliance)
- SAQ (Self-Assessment Questionnaire)
- AOC (Attestation of Compliance)
- PENTESTING
- VULNERABILITY SCANNING (by ASV)

THE 12 REQUIREMENTS
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

PCI DSS RECOMMENDED UNDERSTANDING
PCI DSS TELLS YOU WHAT YOU NEED TO DO, WHICH CONTROLS YOU NEED TO MEET TO BE COMPLIANT.
PCI DSS does not tell you how to become compliant; that is individual to your situation and your environment:
- Your systems
- Your processes
- Your vendors
- Your customers
BEING COMPLIANT DOES NOT NECESSARILY MAKE YOU SECURE. BEING SECURE LEADS TO COMPLIANCE, NOT THE OTHER WAY AROUND.

PCI DSS - COMMON PCI MYTHS
- We don't have enough card transactions to require compliance
- We outsource card processing, so we are compliant
- PCI is an IT issue
- PCI is unreasonable / difficult
- PCI compliance makes us secure
- We are not a target

THIRD PARTY PROVIDERS/VENDORS
- A third party vendor affecting the security of CHD is always in scope.
- MERCHANT / SHARED SERVICE PROVIDER: EACH client can request SEPARATE auditing.
- 3RD PARTY PROVIDER: the third party vendor's own certification covers the applicable part.
- REMEMBER: choose PCI DSS certified counterparties for all solutions in scope, for example your datacenter, MSSPs, etc.

THE APPROACH (ON-SITE)

SCOPING
Together with you, we analyze your cardholder data environment, which forms the scope of certification, in order to minimize both the scope and the necessary implementation work.

PRELIMINARY ASSESSMENT
Provides a check of the current state of the cardholder data environment for conformity with the PCI DSS requirements. The results reveal the necessary adjustments and additions, giving our customers detailed and meaningful information that defines the remedial actions needed for compliance.

FORMAL ASSESSMENT
Mandatory on-site assessment, performed by a Qualified Security Assessor (QSA) and resulting in the issuance of the final PCI DSS compliance report (ROC) and Attestation of Compliance (AOC).

ONGOING SUPPORT
We advise and support our customers in all matters relating to PCI DSS compliance and during the entire process of analysis, remediation and implementation of corrective measures and controls.

THE ASSESSMENT: A TWO-HORSE SLED
- DESIGN AND IMPLEMENTATION: documented policies and processes
- OPERATING EFFECTIVENESS: evidence gathering and interviews with responsible personnel

YOU WOULD NEED TO PROVIDE...
- Network diagram(s)
- Cardholder data flow diagram(s)
- Physical locations
- Network and server equipment
- People involved
- Technologies used
...and your guys would need to participate too.

KEEP CALM AND GET CERTIFIED
Thank you!
Pavel Kaminsky, PCI QSA, CISSP, CISA, CEH
Head of Operations at Seven Security Group
p.kaminsky@7sec.com
www.7sec.com