PCI Compliance - Delving Deeper In The Standard

Presentation on the PCI DSS in greater depth.

Published in: Technology
Speaker notes
  • For most small to medium sized businesses
  • Firewalls control electronic traffic as it moves within the internal network and between internal and external networks
  • Assess and Analyze (this critical step will help you understand how much becoming PCI compliant will cost you!):
    • Assess the current environment
    • Analyze any gaps that may exist
    Close the Gaps:
    • Remediate gaps & problem areas
    • Get the environment compliant
    Stay Compliant:
    • Perform regular testing & scanning
    • Remediate to stay compliant
  • Transcript

    • PCI Compliance: Delving Deeper in the Standard
      John Bedrick, AccuCode
    • Agenda
      About AccuCode
      Payment Card Industry Data Security Standard (PCI DSS) Schedules
      Merchant Levels and Validation Requirements
      PCI DSS Requirements
      Where To Start
      PCI DSS Self-Assessment Questionnaires (SAQ)
      Continuous Compliance
      PCI DSS: Validation Actions
      Overcoming the Top PCI DSS Challenges
      PCI DSS: The Top Violations and Basic Remediation Strategies
      AO:Compliance™ and Next Steps on the road to becoming PCI Compliant
      Questions and Answers
    • AccuCode the Company
      • Founded 1995
      • VAR, Professional & Managed Services, Commercial Software Products
      • National leader in application of retail systems, security & compliance, wireless networking, mobile computing, bar code & RFID technologies
      • Fastest Growing Privately Held Company in the U.S.
      • Trusted Advisor Delivering Guaranteed Outcomes
    • AccuCode Customers & Partners
      Partners
      Manufacturing
      Retail
      Transportation
      AccuCode has hundreds of customers & thousands of end-users!
    • PCI DSS Schedules
    • Schedule - Version 2.0 PCI DSS & PA-DSS
      October 28, 2010 – 2.0 Released
      January 1, 2011 – 2.0 Effective
      December 31, 2011 – 1.2.1 Retired
      July 1, 2012 – Risk Ranking (6.2) sunrise
    • Merchant Levels and Validation Requirements
    • The Mandate: Merchant Levels Defined: Visa, MasterCard, Discover, & JCB
      *Any merchant can be assigned to a specific level by their acquirer, bank, or by a card brand.
    • The Mandate: Merchant Levels Defined: American Express (AMEX)
      *Any merchant can be assigned to a specific level by their acquirer, bank, or AMEX.
      **Compliance at this level is strongly suggested, but not mandated.
    • PCI DSS Requirements
    • Six Goals, Twelve Requirements
      Build and Maintain a Secure Network
      • Install and maintain a firewall configuration to protect cardholder data
      • Do not use vendor-supplied defaults for system passwords and other security parameters
      Protect Cardholder Data
      • Protect stored cardholder data
      • Encrypt transmission of cardholder data across open, public networks
      Maintain a Vulnerability Management Program
      • Use and regularly update anti-virus software or programs
      • Develop and maintain secure systems and applications
      Implement Strong Access Control Measures
      • Restrict access to cardholder data by business need-to-know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
      Regularly Monitor and Test Networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
      Maintain an Information Security Policy
      • Maintain a policy that addresses information security for employees and contractors
    • PCI DSS Requirements - Summary
    • Where to Start
    • Steps to Validate PCI Compliance
      Identify your validation type
      • This determines which Self-Assessment Questionnaire (SAQ) you complete
      Complete the appropriate SAQ
    • Steps to Validate PCI Compliance (continued)
      Complete and provide evidence of a passing vulnerability scan
      • This scan must be completed by a PCI SSC Approved Scanning Vendor (ASV)
      • Scanning applies to any merchant electronically storing cardholder data or with processing systems with Internet connectivity
      Complete the relevant Attestation of Compliance (AOC)
      • Located in the SAQ
      Submit the SAQ, AOC and any other requested documents to your Bank/Acquirer
    • PCI DSS Self-Assessment Questionnaires (SAQ)
    • SAQ 1.2
    • Continuous Compliance
    • Challenges
      • The PCI DSS is NOT a checklist, and being compliant does not necessarily equate with being secure
      • Achieving PCI DSS compliance is based on a snapshot of the level of security at the time of an audit
      • PCI DSS is a baseline for security, not the pinnacle
      • Many merchants make a last-minute “rush to compliance” in order to satisfy audit criteria
      • This last-minute rush may produce a perfect compliance snapshot—but not produce ongoing security
    • Continuous Compliance
      The PCI DSS helps businesses address security and risk.
      Merchants should:
      • Know their risk profile and level of compliance daily
      • Be ready to adapt to any requirement changes
      • Ensure employees are following security policies at all times
    • Creating Continuous Compliance
      The process of compliance is ongoing:
      Assess
      • Identify gaps
      • Inventory IT assets and business processes for payment cards
      Remediate
      • Fix vulnerabilities
      Report
      • Submission of paperwork/records to proper groups, such as acquiring banks
      • Paperwork includes audit results, such as Report on Compliance (ROC) or SAQ
      • Submit appropriate AOC Form
    • How to Assess
      Study the PCI DSS standards
      Inventory IT Assets and processes
      • Identify all systems, personnel and processes involved with the transmission, processing or storage of cardholder data
      Identify Vulnerabilities
      • Your SAQ guides the assessment
      Validate with Third-party Experts
      • Depending on the complexity of the network environment, a Qualified Security Assessor (QSA) may be required to conduct a proper assessment
    • How to Remediate
      Remediation is the process of fixing vulnerabilities and may include:
      • Network scans to analyze infrastructure and identify known vulnerabilities
      • Review and remediate vulnerabilities uncovered by an on-site assessment or SAQ process
      • Prioritizing remediation to address most to least serious
      • Patches, fixes and any changes to processes and workflow
      • Re-scanning to confirm remediation
    • How to Report
      • Conduct regular vulnerability scanning
      • All merchants need to submit quarterly scan reports, completed by an approved ASV
      • Some businesses may need to enlist a QSA to conduct an annual on-site assessment
      • Each payment brand has its own reporting guidelines
    • PCI DSS: Validation Actions
    • Merchant & Service Provider Levels & Validation Actions
      (Table of merchant and service provider levels with their validation actions; only the column headers MERCHANT and SERVICE PROVIDER survive in the transcript.)
      * = Any Merchant or Service Provider using 3rd-party payment applications is required to validate compliance or use an approved PCI DSS payment application.
    • Checklist for Continuous Compliance
      Don’t just “get” compliant, stay compliant:
      • Use the technologies and procedures implemented for compliance to reduce risk, making PCI DSS the basis for your policies
      • Establish a cycle of risk management analysis and response
      • Continue to reduce scope where possible
      • Work towards making the process of staying compliant easier
      • Compliance is the baseline for your information security program
    • Overcoming the Top PCI DSS Challenges
    • Overcoming the Top PCI DSS Challenges
      Requirement 1: Install and maintain a firewall to protect cardholder data
      • Firewalls are the locks on doors
      • Firewall configurations must prohibit unauthorized access to system components in the cardholder data environment
      • Deny all connections in and out not specifically required for business functionality
      • Install firewall software on each mobile and/or employee-owned computer that connects to the cardholder data environment or to the public Internet
    • Overcoming the Top PCI DSS Challenges
      Requirement 2: Do not use vendor-supplied defaults
      • In 2010, 88% of our cases found third-party vendors introduced security vulnerabilities, likely due to vendor-supplied passwords
      • Choose a vendor with a solid security history
      • Monitor all vendors to ensure they follow best security practices
      • Make sure contracts with vendors also include security control requirements and acceptance of responsibility for loss of CHD in their custody
    • Overcoming the Top PCI DSS Challenges
      Requirement 3: Protect stored data
      • PAN (primary account number) must be unreadable, including:
        Backup media
        In logs
        On portable digital devices
        Via wireless and public networks
      • To render PAN unreadable, use:
        Truncation (to first 6 and last 4 characters at a minimum)
        Strong one-way hash functions
        Strong cryptography
        Better yet, get rid of it, you probably don’t need it!
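Two of the three options the Requirement 3 slide names, truncation and a strong one-way hash, applied to the "PAN in logs" case, as an added example that is not part of the AccuCode deck. The log format, the HMAC key, the well-known test card number and the order id are all constructed for illustration; the Luhn check is only a filter to avoid masking ordinary numbers, not proof that a digit run is a card number.

```python
import hashlib
import hmac
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test; every real PAN passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first 6 (BIN) and last 4 digits, the most the slide allows to remain."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) for matching repeat transactions without keeping the PAN.
    The key is an assumption of this example: keep it in a key manager, never beside the data.
    An unkeyed hash is weaker because a known BIN leaves only a small space of remaining digits."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN candidate in a log line with its truncated form."""
    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if luhn_valid(digits):
            return truncate_pan(digits)
        return raw                # not a card number: leave order ids and the like alone
    return _PAN_CANDIDATE.sub(_replace, line)


# Constructed sample log line; the card number is a well-known test PAN, not a real account.
SAMPLE_LINE = "2011-03-01 12:00:01 pos01 auth ok card=4111 1111 1111 1111 ref=1234567890123 amt=19.99"

if __name__ == "__main__":
    print(scrub_log_line(SAMPLE_LINE))
    print(hash_pan("4111111111111111", key=b"example-key-from-kms"))
```

Run the scrubber where log lines are produced or shipped, before they reach backup media or a central log store, so that the stored copies already satisfy the requirement; the keyed hash gives downstream analytics a stable token for a card without ever handing them the PAN.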
    • Overcoming the Top PCI DSS Challenges
      Requirement 6: Develop and maintain secure systems and applications
      • New vulnerabilities pop up every day, along with new ways for hackers to compromise your systems
      • Merchants should:
        Use payment applications and devices approved by the PCI Security Standards Council
        Identify and install security patches in a timely manner
        Follow industry best practices if developing own payment apps
        Regularly test the application’s security
    • Overcoming the Top PCI DSS Challenges
      Requirement 8: Assign a unique ID to each person with computer access
      • Following this requirement allows actions to be traced to a specific person—vital when a forensic analysis needs to take place
      • Each user needs their own password
      • For remote access, two-factor authentication is required
      • Passwords must be unreadable, in storage and during transmission
      • Enforce Role-Based Access Control (RBAC): you should only have access to the systems and information necessary to perform your function
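The "passwords must be unreadable in storage" point of Requirement 8, shown as an added example that is not from the deck: each user's password is stored as a salted PBKDF2-HMAC-SHA256 record from the Python standard library and verified with a constant-time comparison. The record layout and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000   # assumption for the example; tune upward as hardware allows


def make_record(password: str, iterations: int = ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.
    A fresh 16-byte random salt per user means two people who pick the same
    password still get different records, so one cracked record reveals nothing
    about another."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare in
    constant time, so that timing does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False            # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed user record; the only thing written to the user store is the record string.
    record = make_record("correct horse battery staple")
    print(record)
    print(verify("correct horse battery staple", record), verify("wrong", record))
```

The record carries its own iteration count, so the parameter can be raised for new accounts while old records keep verifying until the user next changes their password.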
    • Overcoming the Top PCI DSS Challenges
      Requirement 10: Track and monitor access to network and card data
      • System logs are the audit trail when something goes wrong
      • Logs must be captured
      • Logs must be reviewed at least once daily (automate the exception events as compared to a ‘known good’ baseline)
      • Logs must be stored securely for a year (preferably centrally)
      • Good log management can be the difference between an annoying event and a business-crippling disaster
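The daily review the Requirement 10 slide asks for, with the exception events automated against a "known good" baseline, as an added example that is not part of the deck. The log line format, the baseline of expected (host, user, action) combinations and source networks, and the sample day's log are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed syslog-like line format:
#   <date> <time> <host> <program>: user=<u> src=<ip> action=<a> result=<ok|fail>
_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<prog>\S+): user=(?P<user>\S+) "
    r"src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Known-good baseline (an assumption of the example): which user may do what on
# which host, which source networks are normal, and how many failures a day are tolerable.
BASELINE = {
    "allowed": {
        ("pos01", "clerk1", "sale"), ("pos01", "clerk2", "sale"),
        ("pos01", "clerk1", "login"), ("pos01", "clerk2", "login"),
        ("db01", "svc_pos", "query"), ("db01", "dba", "login"),
    },
    "src_prefixes": ("10.10.",),
    "max_failures_per_user": 3,
}

# Constructed sample log for one day (the IP 198.51.100.7 is documentation space, not a real host).
SAMPLE_LOG = """\
2011-03-01 08:02:11 pos01 posapp: user=clerk1 src=10.10.1.21 action=sale result=ok
2011-03-01 08:05:40 pos01 posapp: user=clerk2 src=10.10.1.22 action=sale result=ok
2011-03-01 09:12:03 db01 sshd: user=dba src=10.10.2.5 action=login result=ok
2011-03-01 11:41:19 db01 sshd: user=admin src=10.10.2.5 action=login result=ok
2011-03-01 12:20:55 db01 sqlsrv: user=svc_pos src=10.10.2.9 action=query result=ok
2011-03-01 22:15:02 db01 sqlsrv: user=svc_pos src=198.51.100.7 action=export result=ok
2011-03-01 23:01:10 pos01 sshd: user=clerk1 src=10.10.1.21 action=login result=fail
2011-03-01 23:01:14 pos01 sshd: user=clerk1 src=10.10.1.21 action=login result=fail
2011-03-01 23:01:19 pos01 sshd: user=clerk1 src=10.10.1.21 action=login result=fail
2011-03-01 23:01:25 pos01 sshd: user=clerk1 src=10.10.1.21 action=login result=fail
garbled line that does not parse
"""


def parse(log_text: str):
    """Yield one dict per line; lines that do not fit the format are reported, not dropped."""
    for line in log_text.splitlines():
        m = _LINE.match(line)
        if m:
            yield m.groupdict()
        elif line.strip():
            yield {"unparsed": line}


def review(log_text: str, baseline: dict = BASELINE) -> list:
    """Return the exception events: everything outside the known-good baseline.
    Normal activity is not listed, which is what keeps a daily review readable."""
    exceptions = []
    failures = Counter()
    for ev in parse(log_text):
        if "unparsed" in ev:
            exceptions.append(("unparsed", ev["unparsed"]))
            continue
        triple = (ev["host"], ev["user"], ev["action"])
        if triple not in baseline["allowed"]:
            exceptions.append(("unexpected_activity", triple))
        if not ev["src"].startswith(baseline["src_prefixes"]):
            exceptions.append(("unexpected_source", (ev["user"], ev["src"])))
        if ev["result"] == "fail":
            failures[ev["user"]] += 1
    for user, count in failures.items():
        if count > baseline["max_failures_per_user"]:
            exceptions.append(("auth_failure_threshold", (user, count)))
    return exceptions


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The baseline is the part that needs care: it should be derived from the asset and process inventory produced in the assessment phase and re-issued whenever a system or role changes, otherwise the review either drowns in false exceptions or silently accepts new activity as normal.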
    • Overcoming the Top PCI DSS Challenges
      Requirement 11: Regularly test security systems and processes
      • If you don’t test it, how will you know if it’s broken?
      • Testing should be frequent to identify any vulnerabilities; PCI DSS requires quarterly scans
      • Vulnerability scanning products/services from an Approved Scanning Vendor (ASV) fulfill this PCI requirement
      • What to test:
        External network (conducted by an ASV)
        Internal network (may be conducted in-house)
        Wireless network, identifying all wireless devices for purposes of access control
        Any other traffic in the cardholder data environment
    • Overcoming the Top PCI DSS Challenges
      Requirement 12: Maintain a policy that addresses information security
      • The written policy determines the controls used to ensure security and compliance with the PCI DSS
      • Must address all PCI DSS requirements, as well as:
        Daily procedures
        Usage policies for each technology, such as laptops and e-mail
        Info. security responsibilities for employees and contractors
        Security awareness program for employees
        Employee screening
        Third-party vendor responsibility and accountability
        Incident response plan
    • PCI DSS: The Top Violations and Basic Remediation Strategies
    • Top PCI DSS Violations
      [Chart of the top PCI DSS violations by percentage; the values shown are 98.4%, 97.5%, 99.2%, 95.1%, 92.6%, 90.9%, 83.6%, 74.6%, 68.9%, 48.4%, 8.1% and 7.4%, but the requirement labels were not preserved in the transcript]
      Source: Trustwave - 2011 Global Security Report
    • Remediation Strategies
      Segmentation:
      • Isolate Point-of-Sale (POS) systems / PCI workstations from the rest of the network environment
      Default Device Configurations:
      • Change or remove them (if they exist)
      Firewall / IPS:
      • Build a secure configuration
      • Self-managed / Outsourced
      Log Monitoring:
      • Applies to both POS systems and networking
      Policies and Procedures:
      • Templates available
    • Summary
      • Make sure your firewall is configured correctly and working properly
      • No vendor-supplied default configurations and/or passwords
      • Make PCI data (specifically PAN) inaccessible and/or unreadable
      • Use secure applications and check for updates and patches often
      • Everyone gets their own UNIQUE User ID and password
      • Collect and store the necessary system logs, reviewing daily
      • Test at least quarterly to find vulnerabilities (e.g., network scans)
      • Write a security policy (update as needed) and educate/train ALL your employees
    • AO:Compliance™ and Next Steps
    • AO:Compliance Makes PCI Compliance as Easy as:
    • Next Steps, If You Need Help
      AccuCode and our partners are ready to assist you with getting and staying PCI Compliant.
      • Go to the AO:Compliance website to find out more about our compliance and security offerings: www.aocompliance.com
      • Contact Us: compliance-info@accucode.com
      If you need help with other technology issues, AccuCode can assist you with that as well.
      • Visit the AccuCode website for more information about our other products and services: www.accucode.com
    • Questions and Answers