PCI 2.0 What's Next for PCI DSS by Dr. Anton Chuvakin

PCI 2.0 What's Next for PCI DSS and Logging

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Finally we are ready to talk about PCI 2.0. The specifics are:

    "Clarify that PCI DSS Requirements 3.3 and 3.4 apply only to PAN. Align language with PTS Secure Reading and Exchange of Data (SRED) module.
      • Clarify that all locations and flows of cardholder data should be identified and documented to ensure accurate scoping of the cardholder data environment.
      • Expanded definition of system components to include virtual components. Updated Requirement 2.2.1 to clarify the intent of "one primary function per server" and the use of virtualization.
      • Provide clarification on secure boundaries between the Internet and the cardholder data environment (Requirement 1).
      • Recognize that Issuers have a legitimate business need to store Sensitive Authentication Data (Requirement 3.2).
      • Clarify processes and increase flexibility for cryptographic key changes, retired or replaced keys, and use of split control and dual knowledge (Requirement 3.6).
      • Update requirement to allow vulnerabilities to be ranked and prioritized according to risk (Requirement 6.2).
      • Merge Requirement 6.3.1 into 6.5 to eliminate redundancy for secure coding for internal and Web-facing applications. Include examples of additional secure coding standards, such as CWE and CERT (Requirement 6.5).
      • Update requirement to allow business justification for copy, move, and storage of CHD during remote access (Requirement 12.3.10)."

    BTW, logs are in there too, but in PA-DSS: "Add sub-requirement for payment applications to support centralized logging, in alignment with PCI DSS Requirement 10.5.3 (PA-DSS Requirement 4.4)."
  • Consulting Services focused on security product strategy, SIEM / log management as well as PCI DSS and other regulatory compliance (details [PDF])

    Technology Vendor Services
    This section of the services is intended for security vendors and security services providers. The focus is on security and compliance strategy for product planning, development and marketing, as well as on content development.

    Product management and strategy
      • Review security product compliance strategy and PCI DSS strategy and optimize them for the market
      • Perform market assessment and analysis, competitive analysis, product strategy (build/buy/partner); prepare Market Requirements Documents (MRDs)
      • Help develop and refine security product marketing and positioning messages, focused on compliance and new threats
      • Augment internal Product Management staff for strategic security and compliance projects, use case analysis, product definition, Product Requirement Documents (PRD) development
      • Work with the product management team to help define and prioritize product features based on market feedback and compliance requirements

    Research and content development
      • Lead content development for whitepapers, "thought leadership" documents, research papers and other messaging documents related to security and regulatory compliance (example whitepaper, recent book on PCI DSS)
      • Review security and compliance marketing materials, site contents and other public- or partner-facing materials
      • Create correlation rules and reports, as well as policies, procedures and other operational content, to make SIEM and log management products more useful to your customers
      • Map regulatory compliance controls such as PCI DSS (key focus!), HIPAA, NERC, FISMA, NIST, ISO and ITIL to security product features and document the use of the product in support of the mandates
      • Develop compliance content such as reports, correlation rules, queries and other relevant compliance content for security products

    Events and webinars
      • Prepare and conduct thought leadership webinars, seminars and other events on PCI DSS, log management, SIEM and other security topics (example webinar)

    Training
      • Prepare and conduct customized training on log management, log review processes, logging "best practices" and PCI DSS for customers and partners (example training class)
      • Develop advanced training on effective operation and tuning of SIEM and log management tools to complement basic training

    End-user Organization / Enterprise Services
    This section of the services menu applies to end-user organizations. The main theme is planning and implementing logging, log management and SIEM / SIM / SEM for security and compliance.

    Log management and Security Information and Event Management (SIEM) product selection - how to pick the right SIEM and logging product?
      • Develop log management or SIEM product selection criteria (related writing)
      • Identify key use cases aligning log management and SIEM tools with business, compliance and security requirements
      • Prepare RFP documents for SIEM, SEM, SIM or log management
      • Assist with analyzing RFP responses from SIEM and log management vendors
      • Evaluate and test log management and SIEM products together with the internal IT security team
      • Advise on final product selection

    Logging and log management policy - how to develop the right logging policy? What to log?
      • Develop logging policies and processes for servers and applications, log review procedures, workflows and periodic tasks, and help architect those to solve organization problems
      • Interpret regulations and create specific and actionable logging system settings, processes and log review procedures (example: what to log for PCI DSS?)
      • Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
      • Customize industry "best practices" related to logging and log review to fit your environment; help link these practices to business services and regulations (example)
      • Help integrate logging tools and processes into IT and business operations

    SIEM and log management product operation optimization - how to get more value out of the tools available?
      • Clarify security, compliance and operational requirements
      • Tune and customize SIEM and log management tools based on those requirements

    Content development
      • Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      • Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations

    Training - how to get your engineers to use the tools best?
      • Provide customized training on the tools and practices of log management for compliance, IT operations or security needs (example training conducted)
      • Develop training on effective operation and tuning of SIEM and log management tools to complement basic vendor training

    Incident response artifact analysis
      • Analyze logs and other evidence collected during security incident response
