PCI DSS Prioritized (Webcast Presentation)
Presented by:
• Anton Chuvakin - Director, Strategic Alliances
• Terry Ramos - VP, Strategic Alliances
Agenda
• The Intent of PCI DSS
• Challenges Prioritizing Compliance Efforts
• Resources Available
• Making a Prioritized Approach to PCI DSS Compliance Work for You
• Summary / Q&A
Payment Card Industry Data Security Standard
PCI DSS is based on fundamental data security practices, grouped into six goals:

Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect data
• Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
• Protect stored data
• Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications

Implement Strong Access Control Measures
• Restrict access to data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data

Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes

Maintain an Information Security Policy
• Maintain a policy that addresses information security
PCI Validation: Merchant & Service Provider Levels
PCI DSS Challenges
• How do you start working on a PCI DSS project?
• How do you proceed with compliance efforts?
• What do you do next?
• When are you “done”?
• What (exactly) do you need to do?
Prioritized Approach Resources
• PCI Council document: Prioritized Approach to PCI DSS
• Prioritized Approach tool
Available for download at: https://www.pcisecuritystandards.org/education/prioritized.shtml
Source: PCI Council website
Why a Prioritized Approach?
How does it help achieve compliance faster / better / cheaper?
• Guides you to focus on immediate card data risk
• Focuses on tasks with the biggest gains towards card data security
• Allows you to track progress in a measurable way
Source: PCI Council website
Prioritized Approach Phases
1. Remove sensitive authentication data and limit data retention. Key step: removing card data is easier than protecting it!
2. Protect the perimeter, internal, and wireless networks. Network protection comes only after the data scope is reduced.
3. Secure payment card applications. Compromised processing applications are how a lot of data is stolen today; protecting them is important, but difficult.
Prioritized Approach Phases (cont.)
4. Monitor and control access to your systems. Blocking alone will never make you secure; logging and monitoring must be added.
5. Protect stored cardholder data. If you must store PAN data, implement the safeguards required.
6. Finalize remaining compliance efforts, and ensure all controls are in place. PCI DSS is not only about data security technology, but includes key policy and process pieces.
And finally… everything implemented in Phases 1-6 needs to be maintained!
Example: Information Collection Section Source: PCI Council website
Example: PCI Compliance Status Source: PCI Council website
Conclusions - How To Use It?
How to use the PCI Prioritized Approach resources to make PCI DSS easy for you:
• Use the document to plan your PCI project from the current state to a compliant and secure state
• Use the worksheet for ongoing planning of the next steps and for identifying weak areas / the next area to handle
• Use the Excel sheet to track status and create a report of compliance status
PCI Compliance for Dummies eBook
Read PCI Compliance for Dummies: get as much information as you can about PCI DSS and how it relates to your organization.
Get it free at www.qualys.com

Editor's Notes

#2 Basics: What Is the Prioritized Approach?

The Prioritized Approach provides six security milestones that will help merchants and other organizations incrementally protect against the highest risk factors and escalating threats while on the road to PCI DSS compliance. The Prioritized Approach and its milestones (described on page 2) are intended to provide the following benefits:
• Roadmap that an organization can use to address its risks in priority order
• Pragmatic approach that allows for “quick wins”
• Supports financial and operational planning
• Promotes objective and measurable progress indicators
• Helps promote consistency among Qualified Security Assessors

Objectives of the Prioritized Approach

The Prioritized Approach provides a roadmap of compliance activities based on risk associated with storing, processing, and/or transmitting cardholder data. The roadmap helps to prioritize efforts to achieve compliance, establish milestones, lower the risk of cardholder data breaches sooner in the compliance process, and help acquirers objectively measure compliance activities and risk reduction by merchants, service providers, and others.

The Prioritized Approach is suitable for merchants who choose an on-site assessment or use SAQ D.