PCI DSS Prioritized Presented by: Anton Chuvakin - Director, Strategic Alliances Terry Ramos - VP, Strategic Alliances

Agenda The Intent of PCI DSS Challenges Prioritizing Compliance Efforts Resources Available Making a Prioritized Approach to PCI DSS Compliance Work for You Summary / Q&A

The Intent of PCI DSS

Challenges

Prioritizing Compliance Efforts

Resources Available

Making a Prioritized Approach to PCI DSS Compliance Work for You

Summary / Q&A

Payment Card Industry Data Security Standard PCI DSS is based on fundamental data security practices Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks Protect Cardholder Data Maintain a policy that addresses information security Maintain an Information Security Policy Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Regularly Monitor and Test Networks Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Implement Strong Access Control Measures Use and regularly update anti-virus software Develop and maintain secure systems and applications Maintain a Vulnerability Management Program Install and maintain a firewall confirmation to protect data Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network

Protect stored data

Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a policy that addresses information security

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Restrict access to data by business need-to-know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Install and maintain a firewall confirmation to protect data

Do not use vendor-supplied defaults for system passwords and other security parameters

PCI Validation: Merchant & Service Provider Levels

PCI DSS Challenges How to start the working on a PCI DSS project? How to proceed with compliance efforts? What to do next? When are you “done”? What (exactly) do you need to do?   

How to start the working on a PCI DSS project?

How to proceed with compliance efforts? What to do next? When are you “done”?

What (exactly) do you need to do?

Prioritized Approach Resources PCI Council document Prioritized Approach to PCI DSS Prioritized approach tool Available for Download at: https://www.pcisecuritystandards.org/education/prioritized.shtml Source: PCI Council website

PCI Council document Prioritized Approach to PCI DSS

Prioritized approach tool

Available for Download at: https://www.pcisecuritystandards.org/education/prioritized.shtml

Why a Prioritized Approach? How does it help achieve compliance faster / better / cheaper? Guides you to focus on immediate card data risk Focuses on tasks with biggest gains towards card data security Allows you to track progress in a measurable way Source: PCI Council website

How does it help achieve compliance faster / better / cheaper?

Guides you to focus on immediate card data risk

Focuses on tasks with biggest gains towards card data security

Allows you to track progress in a measurable way

Prioritized Approach Phases Remove sensitive authentication data and limit data retention. Key Step : Removing card data is easier than protecting it! Protect the perimeter, internal, and wireless networks . Network protection comes only after data scope is reduced. Secure payment card applications . Processing applications is how a lot of data is stolen today; protecting them is important, but difficult.

Remove sensitive authentication data and limit data retention.

Key Step : Removing card data is easier than protecting it!

Protect the perimeter, internal, and wireless networks .

Network protection comes only after data scope is reduced.

Secure payment card applications .

Processing applications is how a lot of data is stolen today; protecting them is important, but difficult.

Prioritized Approach Phases Cont. Monitor and control access to your systems. Blocking alone will never make you secure; logging and monitoring must be added. Protect stored cardholder data. If you must store PAN data, implement the safeguards required. Finalize remaining compliance efforts, and ensure all controls are in place. PCI DSS is not only about data security technology, but includes key policy and process pieces . And Finally… everything implemented at Phases 1-6 needs to be maintained!

Monitor and control access to your systems.

Blocking alone will never make you secure; logging and monitoring must be added.

Protect stored cardholder data.

If you must store PAN data, implement the safeguards required.

Finalize remaining compliance efforts, and ensure all controls are in place.

PCI DSS is not only about data security technology, but includes key policy and process pieces .

And Finally… everything implemented at Phases 1-6 needs to be maintained!

Example: Information Collection Section Source: PCI Council website

Example: PCI Compliance Status Source: PCI Council website

Conclusions - How To Use It? How to Use PCI Prioritized Resources to make PCI DSS easy for you? Use the document to plan your PCI project from current state to compliant and secure state Use sheet for ongoing planning of the next steps and identifying weak areas / next area to handle Use Excel sheet to track status and create a report of compliance status

How to Use PCI Prioritized Resources to make PCI DSS easy for you?

Use the document to plan your PCI project from current state to compliant and secure state

Use sheet for ongoing planning of the next steps and identifying weak areas / next area to handle

Use Excel sheet to track status and create a report of compliance status

PCI Compliance for Dummies eBook Read PCI Compliance for Dummies Get as much information as you can about PCI DSS and how it relates to your organization. Get it Free at www.qualys.com