TISA Pro-Talk_1-2554-K.Sommai_pci-dss
Presentation Transcript

  • TISA Pro-Talk No. 1/2554 (2011). Topic: "Update latest PCI/DSS (v 2.0)", by K. Sommai (สมหมาย ฟองนาทิพย์), CISSP, CISA, CISM, CEH, ITIL-F. © 2011 TISA All Rights Reserved
  • Transaction process for the approval model (diagram)
  • Getting started • PCI DSS creates an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. • Version 1.0 first released December 2004 • Version 1.1 – September 2006 • Version 1.2 – October 2008 • Version 1.2.1 – July 2009 • Version 2.0 – October 2010 • Standards published at https://www.pcisecuritystandards.org/
  • Comply vs. not comply (diagram)
  • PCI grief (diagram)
  • Myths about PCI 1. One vendor or one product can make us compliant 2. Outsourcing card processing makes us compliant 3. PCI DSS is an IT project 4. PCI DSS will make us SECURE 5. It is unreasonable and too hard because it requires too much
  • Important mandates (deadlines) • Merchants must not use known-vulnerable payment applications (a list is published on the PCI SSC website); the same applies to VNPs (VisaNet Processors) (January 2008) • Merchants must not store sensitive authentication data in their systems (September 2009) • VNPs and agents must decertify all vulnerable payment applications (October 2009) • Acquirers (banks) must ensure that merchants and VNPs use certified payment applications (July 2010) • Large merchants (Level 1) must be PCI DSS compliant (September 2010) • Acquirers (banks) must not store sensitive authentication data (September 2010) • Acquirers (banks) must report their level of PCI DSS compliance (September 2011) • PCI DSS v1.2.1 sunsets in December 2011 • Acquirers must ensure that all their merchants (new and existing) use PA-DSS compliant payment applications (July 2012)
  • Fraud reduction initiatives • Card present: EMV, Triple DES (3DES) encryption, PAN truncation. Biggest fraud: counterfeit cards • Card not present: 3-D Secure. Biggest fraud: e-commerce purchases using stolen or counterfeit card details • We need to address the data leakage at the source. October 14, 2011
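The PAN truncation item above, the "address the leakage at the source" point, and the earlier mandate that merchants must not store sensitive data all come down to two mechanical controls: never write a full PAN to a log or data store, and where a PAN must be shown, display no more than the first six and last four digits. The Python below is an added example, not code from the TISA slides, that implements both: a Luhn-filtered PAN finder that can be run over application logs or data dumps to locate unmasked PANs, and a truncation function used to scrub text before it is logged. The log lines are constructed (the card numbers are public test numbers), and the regular expression and the 13-to-19 digit window are my assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits. (Assumption: covers the card brands in scope.)
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check-digit test; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def truncate_pan(pan: str) -> str:
    """Display form permitted by PCI DSS req. 3.3: at most first six and last four digits."""
    d = _digits(pan)
    if not 13 <= len(d) <= 19:
        raise ValueError("not a PAN length")
    return d[:6] + "*" * (len(d) - 10) + d[-4:]


def find_pans(text: str) -> list:
    """Return the full (unmasked) PANs present in text: Luhn-valid 13-19 digit runs."""
    found = []
    for m in _PAN_RE.finditer(text):
        d = _digits(m.group(0))
        if luhn_ok(d):
            found.append(d)
    return found


def scrub(text: str) -> str:
    """Replace every full PAN in text with its truncated form before logging or storing it."""
    def _repl(m):
        d = _digits(m.group(0))
        return truncate_pan(d) if luhn_ok(d) else m.group(0)
    return _PAN_RE.sub(_repl, text)


# Constructed log lines; 4111... and 5500... are well-known public test card numbers.
SAMPLE_LOG = [
    "2011-10-14T09:12:01 INFO  order=1234567890123456 status=approved",
    "2011-10-14T09:12:02 DEBUG auth req pan=4111111111111111 exp=1214",
    "2011-10-14T09:12:03 DEBUG auth req pan=5500 0000 0000 0004 exp=0113",
    "2011-10-14T09:12:04 INFO  pan=411111******1111 status=approved",
]


def scan_log(lines) -> dict:
    """Map 1-based line numbers to the unmasked PANs found on them (empty dict = clean)."""
    found = {}
    for n, line in enumerate(lines, 1):
        pans = find_pans(line)
        if pans:
            found[n] = pans
    return found


if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: unmasked PAN(s) {pans}")
    for line in SAMPLE_LOG:
        print(scrub(line))
```

The 16-digit order number on the first line is deliberately not Luhn-valid, so it is reported as a false positive avoided rather than a PAN; the already-truncated value on the last line contains no 13-digit run and is left alone. In a real deployment the scrubber sits in the logging pipeline, not in a post-hoc sweep, because a PAN that reached disk has already been stored.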
  • Roadmap for the implementation of PCI DSS – the changing landscape of fraud (diagram). Entities along the payment chain: Cardholders, Merchants, TPPs, Acquirers & Issuers, Data Storage. Attacks shown: shoulder surfing, skimming, phishing, mail theft, PC attacks, shopping-cart exploitation, PC/server hacking, database theft and hijack.
  • PCI compliance is not a product… Cardholder information: Store | Transmit | Process
  • Purpose of the PCI requirements: The twentieth-century U.S. criminal Willie Sutton was said to rob banks because "that's where the money is." The same motivation in our digital age makes merchants the new target for financial fraud. Occasionally lax security by some merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.
  • Cardholder data storage criteria (table)
  • PCI security standard series (diagram)
  • Building blocks of the PCI DSS standard (contd): Protect cardholder data – protect data in storage (Requirement 3), protect data in transit (Requirement 4). Strong access controls – restrict access (Requirement 7), unique IDs and passwords (Requirement 8), restrict physical access (Requirement 9). Information security policy (Requirement 12).
  • Building blocks of the PCI DSS standard (contd): Build and maintain a secure network – firewalls (Requirement 1), change vendor default passwords (Requirement 2). Use anti-virus software (Requirement 5). Develop and maintain secure systems and applications (Requirement 6). Track and monitor all access to data (Requirement 10). Regularly test security systems and scan your network regularly (Requirement 11).
  • PIN Entry Device (PED) requirements
  • Relations between the standards in the series (diagram)
  • Prioritise by a risk-based approach
  • Samples of prioritisation with PCI DSS
  • CARDHOLDER DATA ENVIRONMENT (CDE)
  • Definition – Cardholder data environment (CDE): • The area of a computer system or network that holds cardholder data or sensitive authentication data, together with the systems and segments that directly attach to or support cardholder data processing, storage or transmission. • Adequate network segmentation, which isolates systems that store, process or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment and thus the scope of the PCI DSS assessment. Source: https://www.pcisecuritystandards.org/security_standards/glossary.shtml
  • Sample general CDE – cardholder data path (diagram)
  • WLAN access point: at a site with no sanctioned WLAN activity, any access point found is by definition a rogue AP (diagram)
  • Network segmentation: the firewall is part of the back office (diagram)
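PCI DSS Requirement 11 expects the entity to test for wireless access points and compare what it finds against an inventory of authorised ones; the slide's point is that at a site with no sanctioned WLAN that inventory is empty, so every access point found is rogue. The Python below is an added example, not code from the slides, that classifies a constructed site-survey result against an authorised BSSID list. The BSSIDs, SSIDs, the -70 dBm "probably on our premises" threshold and the evil-twin rule (a corporate SSID advertised by an unknown radio is always rogue) are my assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str       # radio MAC address: the stable identity of an AP
    ssid: str        # advertised network name (trivially spoofable)
    channel: int
    signal_dbm: int  # closer to 0 is stronger, which usually means on-premises


# Constructed inventory of sanctioned APs, keyed by BSSID (assumption: one SSID per radio).
AUTHORIZED = {
    "00:11:22:33:44:01": "CORP-STAFF",
    "00:11:22:33:44:02": "CORP-GUEST",
}

# Constructed walk-around survey result, as exported from a handheld scanner (assumed format).
SCAN = [
    AccessPoint("00:11:22:33:44:01", "CORP-STAFF", 6, -41),
    AccessPoint("00:11:22:33:44:02", "CORP-GUEST", 11, -47),
    AccessPoint("de:ad:be:ef:00:01", "CORP-STAFF", 6, -38),    # evil twin: known SSID, unknown radio
    AccessPoint("aa:bb:cc:dd:ee:ff", "linksys", 1, -44),       # unmanaged AP plugged in on the floor
    AccessPoint("0a:1b:2c:3d:4e:5f", "NeighbourNet", 3, -88),  # weak, most likely next door
]


def classify(scan, authorized, strong_dbm=-70):
    """Split a survey into authorized / rogue / neighbour access points.

    An AP is rogue when its BSSID is not in the inventory and it is either strong
    enough to be on our premises or impersonates one of our SSIDs, or when an
    inventoried radio advertises an SSID other than its sanctioned one.
    With an empty inventory (site with no sanctioned WLAN) every strong AP is rogue.
    """
    corporate_ssids = set(authorized.values())
    result = {"authorized": [], "rogue": [], "neighbour": []}
    for ap in scan:
        if ap.bssid in authorized:
            bucket = "authorized" if authorized[ap.bssid] == ap.ssid else "rogue"
        elif ap.ssid in corporate_ssids or ap.signal_dbm >= strong_dbm:
            bucket = "rogue"
        else:
            bucket = "neighbour"
        result[bucket].append(ap)
    return result


def report(scan, authorized):
    """One line per AP for the quarterly wireless-scan record."""
    lines = []
    for bucket, aps in classify(scan, authorized).items():
        for ap in aps:
            lines.append(f"{bucket:10} {ap.bssid} ssid={ap.ssid!r} ch={ap.channel} {ap.signal_dbm} dBm")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SCAN, AUTHORIZED)))
    print("--- same survey at a site with no sanctioned WLAN ---")
    print("\n".join(report(SCAN, {})))
```

Keying the inventory by BSSID rather than SSID is the design choice that matters: the third entry copies the corporate SSID exactly and would pass an SSID-only comparison, but its radio is not ours. The weak "NeighbourNet" entry is kept out of the rogue list so the record stays actionable, but it is still listed, because a tenant in the same building can be close enough to bridge into the CDE.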
  • ISA (Internal Security Assessor) compared with QSA (Qualified Security Assessor)
  • http://www.TISA.or.th – Copyright © 2011 TISA (Thailand Information Security Association) and its respective author. Please contact: info@tisa.or.th
  • PCI DSS Validation Enforcement Table (table)