Risk Factory: PCI Shrink to Fit
5 ways to reduce the scope of your PCI compliance program.

Published in: Business
Slide note: Oldest crime on record – not prostitution. First recorded case of identity theft: Bible, Genesis XXX.

Transcript of "Risk Factory: PCI Shrink to Fit"

    1. PCI: Shrink to Fit
    2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
    3. Cheap / Fast / Good
    4. The Standard
    5. Applies to:
       • Any systems that process, store or transmit cardholder data (credit or debit)
       • Any systems that connect to them
    6. #1 Discover & Document
       • Conduct inventory: hard & soft copy card data
       • Can’t shrink what you have not measured
       • What do you have & where do you have it?
       • Run discovery software across internal network IPs
       • Create network diagram depicting card data flow
       • Heat map: processes, stores & transmits
       • Establish hardware asset register
       • Results = Card Data Environment (CDE)
    7. Discover & Document
    8. Leakage (diagram of data-leakage threat vectors; the transcript flattens its layout, so only the labels survive): Laptop / Desktop, Server, CD / DVD, Piggybacking, USB, iPod, Dumpster (Skip) Diving, Social Engineering, Memory Stick, Contractors, Road Apple, PCMCIA, Eavesdropping, Memory Card Readers, Bluetooth, Endpoint, Communication, Infrared, Databases, Firewire, File Systems, Serial / Parallel Ports, File Servers, NAS, Data-At-Rest, Virtual Machine, SANs / iSCSI Storage, Screen Scrapers, Voice Mail, Data Loss Trojans, Other Threat Vectors, Video Surveillance, Key Loggers, Phishing / Spear Phishing, E-Mail, HTTP/S, Printers, SSH, Backup Tapes / CD / DVD, FTP, Laptop / Desktop / Server, Data-In-Motion, IM, Fax, VoIP, Physical, Photocopier, P2P, Mobile Phone / PDA, Blogs, Digital Camera (incl. Mobile Phone Cameras), Incorrect Disposal, Printed Reports
    9. #2 Destroy & De-Scope
       • Both hard & soft copies
       • If you don’t need it – delete it.
       • Take your time. Use your CDE map.
       • Stakeholders sign off
       • Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards
       • Include 3rd parties & backup systems
       • Be ruthless
    10. #3 Outsource & Oversight
       • What can you outsource?
       • Risk transference vs. risk mitigation
       • Compliance requirement in SLA
       • Should not be cost plus
       • See proof (ask for a copy of their RoC)
       • Conduct annual onsite audit
       • Still need a program
       • The liability is still yours
    11. #4 Separate & Segment
       • Led by “need to know”
       • Always ask: Why?
       • Should not be vendor led
       • Firewall, VLAN, software…
       • Subnets
       • Wireless networks
       • 3rd party suppliers!
       “Any systems connected” to the CDE
    12. Point to Point Encryption
    13. Point to Point Encryption
       • Card brand specific technology requirements
       • PoS configuration requirements
       • Bank-owned vs. merchant-owned devices
       • Compliance requirement in contract & SLA
       • Who’s responsible for a breach?
       • Still have compliance validation requirement
    14. #5 Tokenise
       • Can significantly downsize scope
       • Card data replaced by “token” (surrogate value)
       • Card data stored in centralised vault
       • Servers processing, storing or transmitting cardholder data: in scope
       • Servers processing, storing or transmitting surrogate values: not in scope
    15. Model
    16. Tokenisation
       • Where tokens and card data meet = in scope
       • Tokenisation hosting solution critical
       • Be careful of “hybrid” solutions
       • See PCI Standards Council site for guidance
       • Test the solution!
       • This is no silver bullet
       • Validation still required
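Added example (not the deck’s or Risk Factory’s code) of the tokenisation model in slides 14 to 16: a hypothetical central vault issues random surrogates, only allow-listed systems may detokenise, and the vault records which systems have touched a PAN, which is exactly where tokens and card data meet. The token format (twelve random digits plus the real last four) and the system names are assumptions of this example.

```python
import secrets


class TokenVault:
    """Centralised token vault (hypothetical example, not a product).
    A system that sends a PAN in (tokenise) or gets one back (detokenise) has
    handled cardholder data and is in scope; systems holding only the
    surrogate never appear in the vault's scope record."""

    def __init__(self, detokenise_allowed: set[str]) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}
        self._allowed = set(detokenise_allowed)
        self.in_scope: set[str] = set()  # systems that have touched a PAN

    def tokenise(self, system: str, pan: str) -> str:
        """Swap a PAN for a random surrogate; the same PAN maps to one token."""
        self.in_scope.add(system)  # it held the PAN in order to send it here
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Twelve random digits plus the real last four for receipts. Random,
            # not derived: no key, hash or cipher can recover the PAN off-vault.
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenise(self, system: str, token: str) -> str:
        """Return the PAN only to an allow-listed system, which is then in scope."""
        if system not in self._allowed:
            raise PermissionError(f"{system} is not allowed to detokenise")
        self.in_scope.add(system)
        return self._pan_by_token[token]


def demo() -> set[str]:
    """Run a constructed order through the model; return the systems in scope."""
    vault = TokenVault(detokenise_allowed={"payment-gateway"})
    token = vault.tokenise("pos-terminal", "4012888888881881")  # Visa test PAN
    crm_record = {"customer": "C-1001", "card": token}  # CRM only ever sees the token
    vault.detokenise("payment-gateway", token)  # settlement genuinely needs the PAN
    try:
        vault.detokenise("crm", token)  # a "hybrid" leak path: must be refused
    except PermissionError:
        pass
    return vault.in_scope  # {"pos-terminal", "payment-gateway"}; crm is not in it
```

The scope record is the point: the CRM stays out of scope only while it can never obtain the PAN, so a “hybrid” design that lets it detokenise pulls it straight back in.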
    17. 5 Ways to Reduce PCI: Discover & Document; Destroy & De-scope; Outsource & Oversight; Separate & Segment; Tokenisation
    18. Best Way: understand that the PCI DSS is a “risk management framework”, not a checklist
    19. 26 Dover Street, London, United Kingdom, W1S 4LY. Tel +44 (0)20 3586 1025, fax +44 (0)20 7763 7101