SlideShare a Scribd company logo

Firehost Webinar: Do you know where your Cardholder Data Environment is?

Armor
Armor

Figure out where your card data lives. Join us as we discuss: Key Elements of Defining CDE, Network Segmentation, and Third Party Services.

Economy & FinanceTechnology
1 of 15
Do you know where your CDE (Cardholder Data Environment) is? PCI 3.0 Webinar Series: Part 2 of 6 Kurt Hagerman Chief Information Security Officer
Today’s Speaker Kurt Hagerman Chief Information Security Officer Kurt Hagerman oversees all compliance related and security initiatives. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on information security topics in the payments and health care spaces as well as on cloud security. Webinar Series: Defining Your CDE
Agenda • PCI DSS 3.0 • What To Think About 12 Months Out • Understanding Your Cardholder Data Environment (CDE) • Key Elements of Defining Your CDE • Defining Where Your Cardholder Data Lives • Network & Data Flow Diagrams • Inventory of Systems & Applications • Network Segmentation • Third Party Services • What’s Next • Questions & Answers Webinar Series: Defining Your CDE
PCI DSS 3.0: A New Era in Compliance • Changes reflect shifting security landscape • In effect now, but January 2015 is deadline • Critical to avoid fines and brand damage • Visit info.firehost.com/webinar-series-new-pci-register.html 3.0 Webinar Series: Defining Your CDE
What to think about 12 months out • Talk to your QSA • Know how the new standard impacts your organization • Identify issues now that may take longer to resolve • Begin integrating PCI compliance into your daily operations Webinar Series: Defining Your CDE
Understanding Your Cardholder Data Environment (CDE) • It’s about people, processes AND technology • Understand who interacts with cardholder data and how • Consider processes such as settlement, reconciliation, charge backs, as well as manual order processes • Technology elements • Network, servers, virtualization, security services • Applications that interact with cardholder data • Don’t forget your third party service providers Webinar Series: Defining Your CDE
Key Elements of Defining CDE • Define where your cardholder data lives • Create network & data flow diagrams • Create inventory of all systems and applications that interact with cardholder data • Detail any segmentation methods used to limit the scope of the CDE • Consider third party services Webinar Series: Defining Your CDE
Defining Where Your Cardholder Data Lives • Develop methodology for defining cardholder data in your environment • Demonstrate that cardholder doesn’t exist outside of where you say it exists • Don’t assume and limit your search • Analyze and identify where cardholder data is across your entire enterprise Webinar Series: Defining Your CDE
Network & data flow diagrams Organizations need clear network diagrams that show: • How all components of CDE are connected • Connections between CDE and other networks • How the CDE is related to your overall network • How cardholder data flows through your applications and systems • Where segmentation is used to limit the scope of the CDE Webinar Series: Defining Your CDE
Inventory of Systems & Applications Create and maintain inventory of all hardware/software • Network equipment • Payment applications • Security infrastructure • Server & storage infrastructure • Authentication infrastructure • Management applications Webinar Series: Defining Your CDE
Network Segmentation Segmentation isolates cardholder data into fewer locations to reduce: • Compliance scope • Audit costs • Compliance cost and complexity • The risk to an organization Network segmentation methods: • Properly configured internal network firewalls • Routers with strong access control lists • Other technologies that restrict data access Webinar Series: Defining Your CDE
Third Party Services • UNDERSTAND - anyone that has access to or can impact the security of your CDE is in scope • Examples: hosting providers, managed security service providers, DR providers, contractors, etc. • Identify and maintain list of service providers • Monitor service provider PCI compliance • Understand and define roles & responsibilities • Identify who’s responsible for what – get it spelled out • Use a provider who is transparent about how they help • Work with “validated” providers who undergo their own PCI DSS assessments Webinar Series: Defining Your CDE
What’s Next • Verifying Segmentation Effectiveness • Pen Testing • Credit Card Searches PCI 3.0: Part 3 Getting Ready 9 Months Out March 11, 2014 Webinar Series: Defining Your CDE
&Answers Questions Webinar Series: Defining Your CDE
Thank You Email Phone Kurt Hagerman Chief Information Security Officer kurt.hagerman@firehost.com 877 262 3473 x8073 Webinar Series: Defining Your CDE

Recommended

Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSKimberly Simon MBA
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionControlCase
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security StandardsAshintha Rukmal
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSSKimberly Simon MBA
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 

Recommended

Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSKimberly Simon MBA
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
PCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionPCI DSS 2.0 Detailed Introduction
PCI DSS 2.0 Detailed IntroductionControlCase
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security StandardsAshintha Rukmal
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSSKimberly Simon MBA
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
PCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataPCI DSS v3 - Protecting Cardholder data
PCI DSS v3 - Protecting Cardholder dataInMobi Technology
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Privacy frameworks 101
Privacy frameworks 101Privacy frameworks 101
Privacy frameworks 101Saumya Vishnoi
 
PA-DSS
PA-DSSPA-DSS
PA-DSSChristian Heinrich
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overviewsameh Abulfotooh
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2Kimberly Simon MBA
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…Rochester Security Summit
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guideMohammad Makchudul Alam (Arif)
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloudSaumya Vishnoi
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataUlf Mattsson
 
EU's General Data Protection Regulation (GDPR)
EU's General Data Protection Regulation (GDPR)EU's General Data Protection Regulation (GDPR)
EU's General Data Protection Regulation (GDPR)Kimberly Simon MBA
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)TokenEx
 
Best Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteBest Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteTokenEx
 
Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentArmor
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 

More Related Content

What's hot

PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowTerra Verde
 
Privacy frameworks 101
Privacy frameworks 101Privacy frameworks 101
Privacy frameworks 101Saumya Vishnoi
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overviewokrantz
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certificationAlexander Polyakov
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarAriel Ben-Harosh
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…Rochester Security Summit
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinAnton Chuvakin
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloudSaumya Vishnoi
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential GuideKim Jensen
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataUlf Mattsson
 
EU's General Data Protection Regulation (GDPR)
EU's General Data Protection Regulation (GDPR)EU's General Data Protection Regulation (GDPR)
EU's General Data Protection Regulation (GDPR)Kimberly Simon MBA
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)TokenEx
 
Best Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteBest Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteTokenEx
 

What's hot (20)

PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to KnowPCI DSS 3.0 – What You Need to Know
PCI DSS 3.0 – What You Need to Know
 
Privacy frameworks 101
Privacy frameworks 101Privacy frameworks 101
Privacy frameworks 101
 
PA-DSS
PA-DSSPA-DSS
PA-DSS
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
Application security and pa dss certification
Application security and pa dss certificationApplication security and pa dss certification
Application security and pa dss certification
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Spirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton ChuvakinSpirit of PCI DSS by Dr. Anton Chuvakin
Spirit of PCI DSS by Dr. Anton Chuvakin
 
Taming the compliance beast in cloud
Taming the compliance beast in cloudTaming the compliance beast in cloud
Taming the compliance beast in cloud
 
PCI DSS Essential Guide
PCI DSS Essential GuidePCI DSS Essential Guide
PCI DSS Essential Guide
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
Isaca new delhi india privacy and big data
Isaca new delhi india privacy and big dataIsaca new delhi india privacy and big data
Isaca new delhi india privacy and big data
 
EU's General Data Protection Regulation (GDPR)
EU's General Data Protection Regulation (GDPR)EU's General Data Protection Regulation (GDPR)
EU's General Data Protection Regulation (GDPR)
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
 
Best Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & KyteBest Practices for PCI Scope Reduction - TokenEx & Kyte
Best Practices for PCI Scope Reduction - TokenEx & Kyte
 

Similar to Firehost Webinar: Do you know where your Cardholder Data Environment is?

Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentArmor
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsChristopher Foot
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesVISTA InfoSec
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?Kurt Hagerman
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantageMoshe Ferber
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011Donald E. Hester
 
Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Armor
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014KBIZEAU
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveAlgoSec
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyAlienVault
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...Ulf Mattsson
 

Similar to Firehost Webinar: Do you know where your Cardholder Data Environment is? (20)

Firehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data EnvirnmentFirehost Webinar: Validating your Cardholder Data Envirnment
Firehost Webinar: Validating your Cardholder Data Envirnment
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
Reducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniquesReducing cardholder data footprint with tokenization and other techniques
Reducing cardholder data footprint with tokenization and other techniques
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?MYTHBUSTERS: Can You Secure Payments in the Cloud?
MYTHBUSTERS: Can You Secure Payments in the Cloud?
 
Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25Pci multitenancy exalogic at AMIS25
Pci multitenancy exalogic at AMIS25
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Transforming cloud security into an advantage
Transforming cloud security into an advantageTransforming cloud security into an advantage
Transforming cloud security into an advantage
 
IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011IT Series: Cloud Computing Done Right CISOA 2011
IT Series: Cloud Computing Done Right CISOA 2011
 
Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0Getting Ready for PCI DSS 3.0
Getting Ready for PCI DSS 3.0
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s PerspectiveTop PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective
 
PCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance StrategyPCI DSS v3.0: How to Adapt Your Compliance Strategy
PCI DSS v3.0: How to Adapt Your Compliance Strategy
 
How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...How the latest trends in data security can help your data protection strategy...
How the latest trends in data security can help your data protection strategy...
 

More from Armor

The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud CrossoverArmor
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderArmor
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Armor
 
Security Operations in the Cloud
Security Operations in the CloudSecurity Operations in the Cloud
Security Operations in the CloudArmor
 
Ransomware
Ransomware Ransomware
Ransomware Armor
 
Keys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudKeys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudArmor
 
With FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityWith FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityArmor
 
FireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedFireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedArmor
 
FireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudFireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudArmor
 
Making Sense of Security and Compliance
Making Sense of Security and ComplianceMaking Sense of Security and Compliance
Making Sense of Security and ComplianceArmor
 
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsFirehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsArmor
 
Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Armor
 
Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Armor
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactArmor
 
Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Armor
 
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...Armor
 
FireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityFireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityArmor
 
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionFireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionArmor
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best PracticesArmor
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataArmor
 

More from Armor (20)

The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
 
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment ProviderCase Study - Currency from the Cloud: Security & Compliance for Payment Provider
Case Study - Currency from the Cloud: Security & Compliance for Payment Provider
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?
 
Security Operations in the Cloud
Security Operations in the CloudSecurity Operations in the Cloud
Security Operations in the Cloud
 
Ransomware
Ransomware Ransomware
Ransomware
 
Keys To Better Data Security In the Cloud
Keys To Better Data Security In the CloudKeys To Better Data Security In the Cloud
Keys To Better Data Security In the Cloud
 
With FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & SecurityWith FireHost You Can Have it All: Performance & Security
With FireHost You Can Have it All: Performance & Security
 
FireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository DeconstructedFireHost Webinar: HealthData Repository Deconstructed
FireHost Webinar: HealthData Repository Deconstructed
 
FireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the CloudFireHost Webinar: The Service You Should Expect in the Cloud
FireHost Webinar: The Service You Should Expect in the Cloud
 
Making Sense of Security and Compliance
Making Sense of Security and ComplianceMaking Sense of Security and Compliance
Making Sense of Security and Compliance
 
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers ApplicationsFirehost Webinar: How a Secure High Performance Cloud Powers Applications
Firehost Webinar: How a Secure High Performance Cloud Powers Applications
 
Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0Firehost Webinar: Getting Ready for PCI 3.0
Firehost Webinar: Getting Ready for PCI 3.0
 
Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant Firehost Webinar: Getting Hipaa Compliant
Firehost Webinar: Getting Hipaa Compliant
 
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational ImpactFirehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
Firehost Webinar: Hipaa Compliance 101 Part 2- Your Organizational Impact
 
Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1Firehost Webinar: Hipaa Compliance 101 Part 1
Firehost Webinar: Hipaa Compliance 101 Part 1
 
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
FireHost Webinar: How a Secure High Performance Cloud Powers Critical Applica...
 
FireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent SecurityFireHost Webinar: Protect Your Application With Intelligent Security
FireHost Webinar: Protect Your Application With Intelligent Security
 
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster PreventionFireHost Webinar: 6 Must Have Tools For Disaster Prevention
FireHost Webinar: 6 Must Have Tools For Disaster Prevention
 
Cloud Computing Best Practices
Cloud Computing Best PracticesCloud Computing Best Practices
Cloud Computing Best Practices
 
Secure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your DataSecure Cloud Hosting: Real Requirements to Protect your Data
Secure Cloud Hosting: Real Requirements to Protect your Data
 

Recently uploaded

(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...ssifa0344
 
Quarter 4- Module 3 Principles of Marketing
Quarter 4- Module 3 Principles of MarketingQuarter 4- Module 3 Principles of Marketing
Quarter 4- Module 3 Principles of MarketingMaristelaRamos12
 
Instant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School DesignsInstant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School Designsegoetzinger
 
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsHigh Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
The Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfThe Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfGale Pooley
 
20240417-Calibre-April-2024-Investor-Presentation.pdf
20240417-Calibre-April-2024-Investor-Presentation.pdf20240417-Calibre-April-2024-Investor-Presentation.pdf
20240417-Calibre-April-2024-Investor-Presentation.pdfAdnet Communications
 
20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdfAdnet Communications
 
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130Suhani Kapoor
 
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptxFinTech Belgium
 
Malad Call Girl in Services 9892124323 | ₹,4500 With Room Free Delivery
Malad Call Girl in Services 9892124323 | ₹,4500 With Room Free DeliveryMalad Call Girl in Services 9892124323 | ₹,4500 With Room Free Delivery
Malad Call Girl in Services 9892124323 | ₹,4500 With Room Free DeliveryPooja Nehwal
 
Lundin Gold April 2024 Corporate Presentation v4.pdf
Lundin Gold April 2024 Corporate Presentation v4.pdfLundin Gold April 2024 Corporate Presentation v4.pdf
Lundin Gold April 2024 Corporate Presentation v4.pdfAdnet Communications
 
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptxOAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptxhiddenlevers
 
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...Call Girls in Nagpur High Profile
 
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptxFinTech Belgium
 
Andheri Call Girls In 9825968104 Mumbai Hot Models
Andheri Call Girls In 9825968104 Mumbai Hot ModelsAndheri Call Girls In 9825968104 Mumbai Hot Models
Andheri Call Girls In 9825968104 Mumbai Hot Modelshematsharma006
 
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escortsranjana rawat
 
VIP Call Girls Thane Sia 8617697112 Independent Escort Service Thane
VIP Call Girls Thane Sia 8617697112 Independent Escort Service ThaneVIP Call Girls Thane Sia 8617697112 Independent Escort Service Thane
VIP Call Girls Thane Sia 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
fca-bsps-decision-letter-redacted (1).pdf
fca-bsps-decision-letter-redacted (1).pdffca-bsps-decision-letter-redacted (1).pdf
fca-bsps-decision-letter-redacted (1).pdfHenry Tapper
 
03_Emmanuel Ndiaye_Degroof Petercam.pptx
03_Emmanuel Ndiaye_Degroof Petercam.pptx03_Emmanuel Ndiaye_Degroof Petercam.pptx
03_Emmanuel Ndiaye_Degroof Petercam.pptxFinTech Belgium
 

Recently uploaded (20)

(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(DIYA) Bhumkar Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
Solution Manual for Financial Accounting, 11th Edition by Robert Libby, Patri...
 
Quarter 4- Module 3 Principles of Marketing
Quarter 4- Module 3 Principles of MarketingQuarter 4- Module 3 Principles of Marketing
Quarter 4- Module 3 Principles of Marketing
 
Instant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School DesignsInstant Issue Debit Cards - School Designs
Instant Issue Debit Cards - School Designs
 
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsHigh Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
High Class Call Girls Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
The Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdfThe Economic History of the U.S. Lecture 18.pdf
The Economic History of the U.S. Lecture 18.pdf
 
20240417-Calibre-April-2024-Investor-Presentation.pdf
20240417-Calibre-April-2024-Investor-Presentation.pdf20240417-Calibre-April-2024-Investor-Presentation.pdf
20240417-Calibre-April-2024-Investor-Presentation.pdf
 
20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf20240429 Calibre April 2024 Investor Presentation.pdf
20240429 Calibre April 2024 Investor Presentation.pdf
 
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
VIP Call Girls Service Dilsukhnagar Hyderabad Call +91-8250192130
 
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
02_Fabio Colombo_Accenture_MeetupDora&Cybersecurity.pptx
 
Malad Call Girl in Services 9892124323 | ₹,4500 With Room Free Delivery
Malad Call Girl in Services 9892124323 | ₹,4500 With Room Free DeliveryMalad Call Girl in Services 9892124323 | ₹,4500 With Room Free Delivery
Malad Call Girl in Services 9892124323 | ₹,4500 With Room Free Delivery
 
Lundin Gold April 2024 Corporate Presentation v4.pdf
Lundin Gold April 2024 Corporate Presentation v4.pdfLundin Gold April 2024 Corporate Presentation v4.pdf
Lundin Gold April 2024 Corporate Presentation v4.pdf
 
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptxOAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
OAT_RI_Ep19 WeighingTheRisks_Apr24_TheYellowMetal.pptx
 
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
VVIP Pune Call Girls Katraj (7001035870) Pune Escorts Nearby with Complete Sa...
 
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
05_Annelore Lenoir_Docbyte_MeetupDora&Cybersecurity.pptx
 
Andheri Call Girls In 9825968104 Mumbai Hot Models
Andheri Call Girls In 9825968104 Mumbai Hot ModelsAndheri Call Girls In 9825968104 Mumbai Hot Models
Andheri Call Girls In 9825968104 Mumbai Hot Models
 
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Maya Call 7001035870 Meet With Nagpur Escorts
 
VIP Call Girls Thane Sia 8617697112 Independent Escort Service Thane
VIP Call Girls Thane Sia 8617697112 Independent Escort Service ThaneVIP Call Girls Thane Sia 8617697112 Independent Escort Service Thane
VIP Call Girls Thane Sia 8617697112 Independent Escort Service Thane
 
fca-bsps-decision-letter-redacted (1).pdf
fca-bsps-decision-letter-redacted (1).pdffca-bsps-decision-letter-redacted (1).pdf
fca-bsps-decision-letter-redacted (1).pdf
 
03_Emmanuel Ndiaye_Degroof Petercam.pptx
03_Emmanuel Ndiaye_Degroof Petercam.pptx03_Emmanuel Ndiaye_Degroof Petercam.pptx
03_Emmanuel Ndiaye_Degroof Petercam.pptx
 

Firehost Webinar: Do you know where your Cardholder Data Environment is?

  • 1. Do you know where your CDE (Cardholder Data Environment) is? PCI 3.0 Webinar Series: Part 2 of 6 Kurt Hagerman Chief Information Security Officer
  • 2. Today’s Speaker Kurt Hagerman Chief Information Security Officer Kurt Hagerman oversees all compliance related and security initiatives. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve their own compliance requirements. He regularly speaks and writes on information security topics in the payments and health care spaces as well as on cloud security. Webinar Series: Defining Your CDE
  • 3. Agenda • PCI DSS 3.0 • What To Think About 12 Months Out • Understanding Your Cardholder Data Environment (CDE) • Key Elements of Defining Your CDE • Defining Where Your Cardholder Data Lives • Network & Data Flow Diagrams • Inventory of Systems & Applications • Network Segmentation • Third Party Services • What’s Next • Questions & Answers Webinar Series: Defining Your CDE
  • 4. PCI DSS 3.0: A New Era in Compliance • Changes reflect shifting security landscape • In effect now, but January 2015 is deadline • Critical to avoid fines and brand damage • Visit info.firehost.com/webinar-series-new-pci-register.html 3.0 Webinar Series: Defining Your CDE
  • 5. What to think about 12 months out • Talk to your QSA • Know how the new standard impacts your organization • Identify issues now that may take longer to resolve • Begin integrating PCI compliance into your daily operations Webinar Series: Defining Your CDE
  • 6. Understanding Your Cardholder Data Environment (CDE) • It’s about people, processes AND technology • Understand who interacts with cardholder data and how • Consider processes such as settlement, reconciliation, charge backs, as well as manual order processes • Technology elements • Network, servers, virtualization, security services • Applications that interact with cardholder data • Don’t forget your third party service providers Webinar Series: Defining Your CDE
  • 7. Key Elements of Defining CDE • Define where your cardholder data lives • Create network & data flow diagrams • Create inventory of all systems and applications that interact with cardholder data • Detail any segmentation methods used to limit the scope of the CDE • Consider third party services Webinar Series: Defining Your CDE
  • 8. Defining Where Your Cardholder Data Lives • Develop methodology for defining cardholder data in your environment • Demonstrate that cardholder doesn’t exist outside of where you say it exists • Don’t assume and limit your search • Analyze and identify where cardholder data is across your entire enterprise Webinar Series: Defining Your CDE
  • 9. Network & data flow diagrams Organizations need clear network diagrams that show: • How all components of CDE are connected • Connections between CDE and other networks • How the CDE is related to your overall network • How cardholder data flows through your applications and systems • Where segmentation is used to limit the scope of the CDE Webinar Series: Defining Your CDE
  • 10. Inventory of Systems & Applications Create and maintain inventory of all hardware/software • Network equipment • Payment applications • Security infrastructure • Server & storage infrastructure • Authentication infrastructure • Management applications Webinar Series: Defining Your CDE
  • 11. Network Segmentation Segmentation isolates cardholder data into fewer locations to reduce: • Compliance scope • Audit costs • Compliance cost and complexity • The risk to an organization Network segmentation methods: • Properly configured internal network firewalls • Routers with strong access control lists • Other technologies that restrict data access Webinar Series: Defining Your CDE
  • 12. Third Party Services • UNDERSTAND - anyone that has access to or can impact the security of your CDE is in scope • Examples: hosting providers, managed security service providers, DR providers, contractors, etc. • Identify and maintain list of service providers • Monitor service provider PCI compliance • Understand and define roles & responsibilities • Identify who’s responsible for what – get it spelled out • Use a provider who is transparent about how they help • Work with “validated” providers who undergo their own PCI DSS assessments Webinar Series: Defining Your CDE
  • 13. What’s Next • Verifying Segmentation Effectiveness • Pen Testing • Credit Card Searches PCI 3.0: Part 3 Getting Ready 9 Months Out March 11, 2014 Webinar Series: Defining Your CDE
  • 15. Thank You Email Phone Kurt Hagerman Chief Information Security Officer kurt.hagerman@firehost.com 877 262 3473 x8073 Webinar Series: Defining Your CDE

Editor's Notes

  1. Will: Hello and welcome to the second in our series on the PCI DSS 3.0 compliance changes. Today we’ll be talking about your CDE – your Cardholder Data Environment. We’ll leave some time at the end to take your questions, and you can also submit questions during the webinar through the chat feature. To mute your phone, <instructions>.
  2. Will: I’d like to introduce our speaker today. I’m Will Morgan and I’ll be moderating our discussion. Kurt Hagerman, FireHost’s Chief Information Security Officer, will be leading today’s session on the guidance you should take now to transition your compliance practices in time for the 3.0 deadline.
  3. Will: Now let’s take a look at our agenda today. We’ll be talking about the PCI DSS 3.0 changes and what you need to get started on right now. We’ll also talk about defining your CDE and using network segmentation, along with the data flow diagrams you’ll need. Finally, we’ll have some time at the end to take your questions live. Kurt, I’ll turn the discussion over to you as we talk more about the 3.0 changes.
  4. Kurt: Thank you, Will. - These changes reflect shifting security landscape. Compliance isn’t just about passing audits - it’s about successfully defeating threats like XSS attacks and SQL injections. Cybercriminals get more sophisticated every day. many new payment methods now which means that attack surfaces are now larger. hackers understand multiple points of access to cardholder data As all of you know, the new PCI DSS guidelines went into effect on the 1st of this year. You have until January 2015 to get ready, but there are factors you should start thinking about now to transition your compliance systems throughout the year. That’s what we’re talking about today. Just as before, meeting regulations is critical for avoiding the fines and brand damage that come with a breach. Important not to lose sight of that – doing this work is ultimately to your benefit. - If you didn’t attend our first webinar in the series, do so to make sure you have a complete grasp of the basics.  http://info.firehost.com/webinar-series-new-pci-register.htmll  
  5. Kurt: Today we’re going to focus on the factors you’ll want to start thinking about right now. First up, you’ll want to talk to your QSA – they are the arbiters of your compliance, so start those conversations now and find out what they think the impact of 3.0 will be on your organization. By identifying issues now that might take longer to resolve, you’ll face less work in crunch time. This includes looking at your business environments and security strategies and strengthening your provider relationship. 3.0 focuses on shifting from annual compliance checklist mindset to proactive, business-as-usual approach to security. Now is the time to begin integrating PCI compliance into your daily operations.  
  6. Will – let’s jump right into the cardholder data environment, the CDE. Kurt can you take us through… Kurt: 3.0 places more emphasis on defining the in-scope environment on a regular basis - these definitions help by pointing out potential weaknesses in your system. It’s important to remember that your CDE isn’t just about technology – it includes people, processes and technology Which means you must understand exactly who interacts with your cardholder data and how. Consider processes like settlements, charge backs, reconciliations, manual order process – all of those are subject to PCI requirements As far as technologies – that includes network devices, servers, virtualization, security services, and applications that interact with cardholder data. Remember that your 3rd party providers are included in this too.
  7. Kurt: Your first step: accurately determine CDE scope. First you must define where your cardholder data lives and create network and data flow diagrams that illustrate this. Identifying all locations and flows of cardholder data is critical to make sure no data exists outside of CDE. Next get a solid grasp on your inventory – what are all the devices and applications that interact with cardholder data? Security services and segmentation systems: authentication servers, internal firewalls, resolution or web redirection servers Virtualization components: virtual machines, switches/routers, appliances, applications, hypervisors. Network components: firewalls, switches, routers, wireless access points, network appliances Server types like web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS) All internal and external applications Finally, you’ll need to detail any all segmentation methods you’re using to limit your scope. And once again, you must consider your provider and how their systems influences your CDE.
  8. Kurt: Now that you understand exactly what your CDE is, it’s time to define where your cardholder data lives. The most efficient way to do this is to develop a methodology for defining data in your environment. This is a two-way street; not only will you need to define the data in your CDE, you need to prove it doesn’t exist outside of that CDE. If you go into this process assuming you already know where the data is, you may overlook areas you’re unaware of – as a result, the data will be vulnerable. So it’s important not to limit your search – it’s necessary to identify where any cardholder data is across the entire enterprise.
  9. Kurt: You’ll need network diagrams that show: how all components of CDE are connected connections between CDE and other networks How the CDE is related to your overall network How cardholder data flows through your systems and applications Where segmentation is used to limit the scope of the CDE   These diagrams show the success of your network segmentation at isolating the CDE and help you understand and keep track of your scope - without them, devices could be accidentally overlooked and vulnerable to attack - diagrams must be kept current and updated  
  10. Kurt: The 3.0 is very clear on the need to maintain a complete and accurate inventory of all systems and applications in scope. That includes: Network equipment Server and storage infrastructure Security infrastructure Authentication infrastructure Payment applications Management applications
  11. Kurt: Segmentation reduces your scope for cardholder data - isolates cardholder data into fewer, more controlled locations Shrinking the organization’s attack surface creates fewer points of entry for attackers - lightens your compliance burden, lowers your risk. without network segmentation, your entire network is in scope and that’s going to be a major headache. You want to address this right now - restricting cardholder data to a few locations means eliminating unnecessary data, and consolidating the right data. That can mean you need to rejigger your usual processes, and even part of your foundational infrastructure sometimes - important to start now. Using network segmentation: properly configured internal network firewalls routers with strong access control lists or other technologies that restrict access to a particular segment of a network.  
  12. NOTE: Might bleed onto two slides to keep from being too word heavy – defer to Casey Kurt: Compliance validation must be performed on all system components in the CDE – anyone that has access to your CDE or impacts it is in scope. This includes any third-party hosting providers, managed security service providers, DR providers, contractors -their routers, firewalls, databases, physical security and servers After identifying and putting together a clear list of all relevant providers, you’ll need to identify who’s responsible for what.   Don’t make assumptions – get everything spelled out in contracts, whether it’s an MOU, SLA or Terms of Service contract.    Also important to work with a “validated” provider who undergoes their own PCI DSS assessments and can show you evidence of their compliance.  
  13. Kurt - Next up in March, we’ll have another webinar on PCI 3.0 – this time we’ll talk about what you need to do 9 months out. We’ll talk about the controls you need to test and verify your CDE, including pen testing, credit card searches and more.
  14. Will: Now that we’ve taken a look at what you need to do now to get ready for 3.0, let’s hear your questions. If you have any compliance struggles or challenges that you’re facing, let us know and we’ll talk about the right actions to take. Just use the chat feature to submit your questions.
  15. Will: Thank you for joining us today. We hope you enjoyed learning more about getting ready for PCI DSS 3.0 and that we answered all of your questions. Within a day or so, you’ll receive a recording of this webinar in an email. To learn more, please visit us at firehost.com – and don’t forget to attend our next webinar on March 25 for part 3 of “Getting Ready for PCI 3.0.” We look forward to seeing you again.