David Jenkins (QSA CISA) Director of PCI and Payment Services

PCI and the Cloud: where is my Atlas?
David Jenkins (QSA, CISA), Director of PCI and Payment Services

Agenda
- About Cognosec
- PCI DSS 3.0 and CSPs
- SLA considerations
- Technical considerations
- Auditing

About Cognosec GmbH
- IT, security and compliance specialist based in Vienna
- Services in information security, governance, enterprise risk management, compliance, audit and assurance
- Clients throughout Europe, the Middle East, Africa and the United States
- Qualified Security Assessor (QSA) Company for Europe and CEMEA
- Approved Scanning Vendor (ASV) Company for Europe and CEMEA

PCI Security Standards and Compliance: an ecosystem of payment devices, applications, infrastructure and users
- Manufacturers and service providers: PCI P2PE and PTS (PIN and PAN)
- Software developers (payment application vendors): PCI PA-DSS
- Merchants and processors: PCI DSS (Data Security Standard)
Supporting programs:
- Pen Testing*
- QIR (Qualified Incident Response)
- PFI (PCI Forensic Investigator)
- ASV (Approved Scanning Vendor)

PCI and the Cloud
- More flexibility at the front end of the payment chain: multi-channel, Twitter etc.
- More complexity on the back end: the P2PE standard is a good example

PCI and the Cloud
- A 52-page white paper that refers to the 70-page NIST Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)
- Leads on from the PCI DSS Virtualisation guidance
- Note the fine print

Service Level Agreements Technical considerations

PCI DSS 3.0 Service Level Agreements
12.8 Maintain and implement policies and procedures to manage service providers with whom cardholder data is shared, or that could affect the security of cardholder data, as follows:
12.8.1 Maintain a list of service providers.

Considerations for you: nested service-provider relationships? These relationships add complexity to both the CSP's and the client's PCI DSS assessment process. Look to the P2PE Standard for good examples of behind-the-scenes complexity.

PCI DSS 3.0 Service Level Agreements
12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.

PCI DSS 3.0 Service Level Agreements
12.8.3 Ensure there is an established process for engaging service providers, including proper due diligence prior to engagement.

Considerations for you: your due-diligence process prior to engaging the CSP
- The provider's history in performing the services you require
- Identifying potential risks or circumstances associated with the CSP
- A deep dive into the service elements that need to be included in contracts and SLAs

PCI DSS 3.0 Service Level Agreements
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually.

Considerations for you:
- How long has the CSP been PCI DSS compliant?
- What specific services and PCI DSS requirements were included in the validation?
- Are there any system components that the CSP relies on for delivery of the service that were not included in the PCI DSS validation?
- How does the CSP ensure that clients using the PCI DSS compliant service cannot introduce non-compliant components to the environment or bypass any PCI DSS controls?

PCI DSS 3.0 Service Level Agreements
12.8.5 Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by the entity.

Considerations for you:
- Provisioning: SLAs and other written agreements between the CSP and client should clearly identify the delineation of responsibilities between the parties.
- Decommissioning and disposal: written agreements should also cover the activities and assurances to be provided by both parties upon termination of the service provision, with clear requirements for data retention, storage and secure disposal.

PCI DSS 3.0 Service Level Agreements
12.9 Additional requirement for service providers: service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to, or otherwise stores, processes, or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Note: This requirement is a best practice until June 30, 2015, after which it becomes a requirement.

Responsibilities
- Client: generally each client will retain responsibility for maintaining and verifying the requirement.
- CSP: generally the CSP will maintain and verify the requirement for their clients.
- Both: generally responsibility is shared between the client and the CSP. This may be because the requirement applies to elements present in both the client environment and the CSP-managed environment, or because both parties need to be involved in the management of a particular control.

Service Level Agreements Technical considerations

Technical Considerations
- Protection methods such as hashing and encryption
- Encrypting transmission over networks
- Securing systems and applications; coding
- Restricting access to data
- Assigning unique accountability
- Tracking and monitoring access

Technical Considerations
- Encrypted data is still in scope for PCI DSS
- Plan to keep all encryption/decryption and key-management operations isolated from the cloud: "...if decryption keys and encrypted data are present, all applicable PCI DSS requirements would apply to that environment..."

Technical Considerations
- Isolation may be required at the network, operating system, and application layers; and, most importantly, there should be guaranteed isolation of data that is stored
- Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation to that achievable through physical network separation
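The three technical-consideration slides above (hashing and encryption as protection methods, and keeping key management isolated from the cloud so that encrypted data does not drag the CSP environment into scope), as an added example that is not from the slide deck or from Cognosec: a small Python module that renders a PAN unreadable before it leaves for a cloud-hosted store (truncation for display, keyed hash for matching), holds the key in a component that stands in for a key-management function kept outside the cloud, and runs a discovery scan over outbound data to catch plaintext PANs. The names (`KeyHolder`, `build_cloud_record`, `find_pans`), the test PAN and the sample text are constructed for this example; it goes slightly beyond the slides by adding the scan, and it uses the Python standard library only.

```python
# Added example (not from the slide deck): render a PAN unreadable before it
# leaves for a cloud-hosted store, keep the key-management function outside
# that store, and scan outbound data for plaintext PANs. Standard library only.
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check: separates real PANs from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_pan(candidate: str) -> bool:
    """A PAN is 13-19 digits and passes Luhn; anything else is not a card number."""
    return 13 <= len(candidate) <= 19 and candidate.isdigit() and luhn_ok(candidate)


def mask_pan(pan: str) -> str:
    """Truncated form for display: at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class KeyHolder:
    """Stands in for the key-management function the slides say should stay
    isolated from the cloud: it computes a keyed hash of a PAN but never
    releases the key to the caller. (Constructed for this example.)"""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)

    def keyed_hash(self, pan: str) -> str:
        # HMAC-SHA256 over the full PAN lets the CSP-side system recognise a
        # returning card without ever holding the PAN itself.
        return hmac.new(self._key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def build_cloud_record(pan: str, holder: KeyHolder) -> Dict[str, str]:
    """The only card data allowed to travel to the CSP: a masked PAN for
    display and a keyed hash for matching. The full PAN is not in the record."""
    if not is_pan(pan):
        raise ValueError("not a valid PAN")
    return {"pan_masked": mask_pan(pan), "pan_hash": holder.keyed_hash(pan)}


# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> List[str]:
    """Discovery scan over free text: every digit run that passes the length
    and Luhn checks. Anything found here is cardholder data and brings the
    receiving environment into PCI DSS scope."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        candidate = re.sub(r"[ -]", "", match.group())
        if is_pan(candidate):
            hits.append(candidate)
    return hits


def record_is_clean(record: Dict[str, str]) -> bool:
    """True when no field of an outbound record contains a plaintext PAN."""
    return all(not find_pans(value) for value in record.values())


if __name__ == "__main__":
    holder = KeyHolder()                      # the key stays on this side of the boundary
    test_pan = "4111111111111111"             # constructed, Luhn-valid test number
    record = build_cloud_record(test_pan, holder)
    print(record)                             # masked PAN plus a 64-hex-character keyed hash
    # A free-text note that a developer left in is exactly what the scan catches:
    leaky = dict(record, note="customer paid with 4111-1111-1111-1111")
    print(find_pans(leaky["note"]), record_is_clean(leaky))
```

The design choice that matters is where the key lives: `KeyHolder` is the only object that can produce the hash, so the record handed to the CSP carries nothing that can be reversed without reaching back into the client environment, which is what keeps the cloud store out of the "keys and encrypted data present together" situation quoted on the slide. The scan is the check a practitioner wants before trusting a data flow: run `find_pans` over exports, logs and free-text fields bound for the CSP, and treat any hit as a scoping finding.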

Auditing a PCI DSS compliant CSP
- Proof of compliance documentation (AOC/ROC), including the date of compliance
- Documented evidence of system components and services that were included in the PCI DSS assessment
- Documented evidence of system components and services that were excluded from the PCI DSS assessment, as applicable to the service
- Appropriate contract language

Non-PCI-compliant CSP
- Access to systems, facilities and appropriate personnel for on-site reviews, interviews, physical walk-throughs, etc.
- Policies and procedures, process documentation, configuration standards, training records, incident response plans, etc.
- Evidence (such as configurations, screenshots, process reviews, etc.) to show that all applicable PCI DSS requirements are being met for the in-scope system components
- Appropriate contract language

Summary
- Policies, SLAs
- Roadmap to provisioning
- Technical considerations
- Meeting the intent of the Standard

David Jenkins (QSA, CISA), Director of PCI and Payment Services
+43 664 8836 4846
david.jenkins@cognosec.com