The World’s First PCI Risk Assessment Tool

Understanding the Prioritized Approach to PCI Compliance

SMART-RA.com is a patent-pending product of SISA Information Security

smart-ra.com
Agenda

• The Basics
 - What is the Prioritized Approach?
 - Why a Prioritized Approach?
 - Who should adopt the Prioritized Approach, and when?

• The Prioritized Approach to PCI DSS Compliance
 - 6 Milestones

• Q&A
The Basics
What is the Prioritized Approach?

- Created by the PCI SSC
  – Developed based on actual security incidents, feedback from QSAs, etc.

- Provides a
  – Structured guideline
  – Trackable roadmap to compliance

- Works by
  – Prioritizing the top compliance activities
  – Chalking out a roadmap to PCI compliance

- 6 Milestones
The Basics
Prioritized Approach: What it’s not

  – A substitute for the actual PCI DSS Requirements
  – A one-size-fits-all solution for all organizations
The Basics
Why a Prioritized Approach?

Facilitates faster and cheaper compliance by

  – Setting the context
  – Identifying high risks
  – ‘Quick win’ RTP items
  – Tracking compliance
The Basics
Who should adopt the Prioritized Approach?

Merchants:
- Unsure about where to start with PCI compliance
- Don’t know their high-risk areas
- In case of an onsite assessment
- Use of SAQ D

Acquirers:
- To get compliance status updates from merchants and service providers
- Ongoing monitoring of progress
The Prioritized Approach to PCI DSS Compliance
VISA Europe Technology Innovation Programme

EMV chip-enabled merchants are waived from the annual revalidation assessment if they have

- Previously validated PCI compliance
      OR
- Provided a plan to comply
      AND
- Not been involved in a recent card breach
      AND
- Met Milestones 1 and 2
The Prioritized Approach to PCI DSS Compliance
Milestone 1:

PCI DSS Requirements
1.1.2  Current network diagram
3.1    Minimal storage of cardholder data
3.2    No storage of SAD
9.10   Destroy obsolete storage media
12.1.1 Include a formal policy that addresses all PCI requirements
12.1.2 Include a formal policy that leads to a formal risk assessment.
The Prioritized Approach to PCI DSS Compliance
Milestone 2:

PCI DSS Requirements
1.1.3    Firewall requirements
1.1.5    Documented use of ports, etc.
1.2      Restricted connections between untrusted networks and system components in the CDE
1.3      Prohibit direct public access between the Internet and any system component in the CDE.
1.4      Install personal firewall software on portable devices.
2.1      Change vendor-supplied system defaults.
2.3      Encrypt all non-console administrative access using strong cryptography.
4.1      Use strong cryptography and security protocols to safeguard CHD during transmission over open, public networks.
4.2      Never send unprotected PANs by end-user messaging technologies.
5.1      Deploy anti-virus software on all systems commonly affected by malicious software.
5.2      Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
9.1      Use appropriate facility entry controls to monitor physical access to systems in the CDE.

11.2     Run network vulnerability scans at least quarterly and after any significant change in the network.
11.4     Use IDS/IPS
12.1.1   Addresses all PCI DSS requirements
12.8     If CHD is shared with service providers, implement policies to manage service providers.
12.8.2   Maintain a written agreement that the service providers are responsible for the security of CHD that they possess.
12.8.3   Ensure there is an established process for engaging service providers.
12.8.4   Maintain a program to monitor service providers’ PCI DSS compliance status at least annually.
The Prioritized Approach to PCI DSS Compliance
Milestone 3:
Secure payment card applications.
This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

Milestone 4:
Monitor and control access to your systems.
Controls for this milestone allow you to detect the who, what, when, and how concerning who is accessing your network and cardholder data environment.

Milestone 5:
Protect stored cardholder data.
For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone 5 targets key protection mechanisms for that stored data.

Milestone 6:
Finalize remaining compliance efforts, and ensure all controls are in place.
The intent of Milestone 6 is to complete PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.
Questions?
You can learn about PCI Risk Assessment by using SMART Basic (FREE). Sign up today on www.smart-ra.com.

Write to Us
dharshan.s@smart-ra.com
praveen.v@smart-ra.com