SlideShare a Scribd company logo

PCI DSS and PA DSS Compliance

Download as PPTX, PDF
ControlCase
ControlCase

Visit - https://www.controlcase.com/certifications/ ControlCase discusses the following in the context of PCI DSS and PA DSS: - Network Segmentation - Card Data Discovery - Vulnerability Scanning and Penetration Testing - Card Data Storage in Memory

Technology
1 of 31
PCI DSS & PA DSS By Kishor Vaswani – CEO, ControlCase
Agenda • About PCI DSS & PA DSS • Segmentation and Penetration Testing • Card Data Discovery and Memory • Q&A 1
About PCI DSS & PA DSS
What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC) 2
PCI DSS Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 3
PCI DSS 3.2.1 4 • PCI DSS 3.2.1 in place starting 2019 • Removed Appendix A2 to report SSL/early TLS migration effort, as the migration date has passed. • Removed note from various requirements referring to an effective date of February 1, 2018, as this date has passed. • Updated Appendix A2 to reflect that the SSL/early TLS migration date of July 1, 2018 has passed. • Requirements A2.1–A2.3 updated to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.
PA DSS Introduction • Payment Application: A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties. • Commercial Payment Applications that are typically sold and installed “off the shelf” without pre-installation customization by Vendors. › e.g. POS, Payment middleware, PG/Switch, Payment module • PA-DSS Does Not Apply to: • Operating systems onto which Payment Applications are installed. • Database systems that store cardholder data. • Back-office systems that store cardholder data (for example, for reporting or customer service purposes). 5
PA DSS Requirements 6 Requirement 1: Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data Requirement 2: Protect stored cardholder data Requirement 3: Provide secure authentication features Requirement 4: Log payment application activity Requirement 5: Develop secure payment applications Requirement 6: Protect wireless transmissions Requirement 7: Test payment applications to address vulnerabilities and maintain payment application updates Requirement 8: Facilitate secure network implementation Requirement 9: Cardholder data must never be stored on a server connected to the Internet Requirement 10: Facilitate secure remote access to payment application Requirement 11: Encrypt sensitive traffic over public networks Requirement 12: Secure all non-console administrative access Requirement 13: Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators Requirement 14: Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators
Segmentation and Penetration Testing
What is Network Segmentation • In the context of PCI DSS, Network Segmentation is a process where you isolate the CDE systems (Systems storing, processing & transmitting the CHD) from non-CDE systems. • Key thing to Note: Network Segmentation is not mandatory requirement. 7
Network Segmentation & Scoping Guidelines Store Process Transmit CDE Connected To Impact Security Provide Security Provide Segmentation People, Process and Technology 8
Flat Network Example Users Cardholder Servers Infrastructure servers Development Servers Since there is no segmentation done all the Systems will fall in PCI DSS scope 9
Segmented Network Example Other Users Cardholder Servers Infrastructure servers Development Servers Segmented network using Firewall/Core Switch, ensure that traffic is limited to finance users and scope is reduces to only finance users, cardholder servers and infrastructure servers Finance Users Firewall/Core Switch 10
• A method of evaluating the security of a computer system, network or application by simulating an attack by a malicious hacker. • Involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. • Carried out from the position of a potential attacker, and involves an active exploitation of security vulnerabilities. • Performed from outside the external perimeter or from within the internal network. What is a Penetration Test? 11
• To determine whether and how a malicious user can gain unauthorized access to assets and eventually sensitive data • To confirm that the applicable PCI DSS controls, such as configuration standards, vulnerability management, and segmentation are in place Why is it important? 12
• Entire CDE perimeter • Any critical systems that may impact the security of the CDE • External perimeter (public-facing attack surfaces) • Segmentation and scope-reduction controls What should we include in the test? 13
• 11.3.4 - CDE Segmentation Verification › Applicable if segmentation is used to isolate CDE from other networks › Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in- scope systems › Must provide tester documentation of segmentation technologies › Testing against CDE systems from outside CDE › Testing against out-of-scope systems within the CDE Segmentation Verification 14
• Based on the best practices from Open-Source Security Testing Methodology Manual (OSSTMM), Open Web Application Security Project (OWASP) and NIST SP800-115 • Includes coverage of the CDE perimeter and critical systems • Includes testing from both inside and outside the network • Includes testing from non CDE internal network to CDE internal network • Includes testing to validate any segmentation and scope-reduction controls Methodology 15
Example Segmentation PT Result • Segmentation Failed › If we note that firewall is configured to allow unrestricted access (any ports and services) from the store/corporate general network into the store POS Network (CDE) › If firewall allows access from not-in-scope network to CDE • Segmentation Passed › If there is no access detected for any of the ports and services from the store general network into the store POS Network (CDE). 16
Best Practices to Pass Segmentation PT • Rule-set review shall be done to verify the rules against the business requirements. • All unused rules shall be removed • All ACLs shall be configured in a way that they do not allow access from out of scope to CDE. • All changes in network shall be done through change management process and in line with the “Network Segmentation” policy and procedure. • If non-CDE segments have access into the CDE, either the organization needs to restrict that access or a full network-layer penetration test should be performed to characterize the access. 17
Card Data Discovery & Memory
What is Data Discovery • Ability to identify and pinpoint sensitive data across › File Shares › Servers › Databases › Email › Log files › Etc. 18
Why is it important • CIA focuses on confidentiality, integrity and availability • Confidentiality is always focused on “Data” • Data that is sensitive must be protected, however the first step of that is to know where the data resides • Hence, it is important to identify where sensitive data resides 19
Protect Stored Cardholder Data You must ensure stored data is encrypted and protected. 20
PCI Council Advisory… • Importance of Updating Scope for PCI DSS Assessments There have been a number of high profile data compromises in the press recently. These reports serve as a daily reminder of the damage caused by compromises and of the need to keep business environments secure. Businesses evolve and change over time, and the scope of an entity's cardholder data environment must be reviewed and verified each time a PCI DSS assessment is undertaken. As has always been the case, many compromises are the result of businesses having data they weren't aware of. Please remember that scoping an assessment includes verifying that no cardholder data exists outside of the defined cardholder data environment. By ensuring the scope of an assessment is appropriate, the risk of data compromise is greatly reduced - a benefit to everyone involved. 21
Methods for Data Discovery • DLP Solutions (McAfee etc.) • Card Data Discovery Solutions (ControlCase etc.) • Manual Scripts and Regular Expressions • Forensic Technology (EnCase etc.) 22
Data Discovery Planning Considerations • Deployment and agents › Can get expensive › Technologically complicated › Long deployment cycles › Databases are a challenge • False Positives › Luhn’s formula narrows down but is not full proof › Many schemes use Luhn’s formula to generate numbers › Separators and delimiters change 23
Planning Considerations contd… • Performance within production environments › Database load › Large number of records in databases › Active directory scanning › Emails storing cardholder data • Tokenization › Differentiation between tokens and real card numbers • Exclusions › Directories › Files › Extension types › Tables/Columns 24
PA DSS and Card Data in Memory • PA DSS has requirement around card data storage in memory › Coding techniques must include how PAN and sensitive data is handled in memory per requirement 5 • Test for data in memory using memory dump tools such as Winhex • Cardholder Data in volatile memory must be handled securely to avoid memory scraping attacks • POS devices are primary targets • Applications must rewrite memory with NULL once the transaction authorization is completed 25
To Learn More About PCI Compliance… • Visit www.controlcase.com • contact@controlcase.com
Thank You for Your Time

Recommended

Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) ControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 

Recommended

Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECControlCase
 
Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1Vendor risk management webinar 10022019 v1
Vendor risk management webinar 10022019 v1ControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
PCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management CompliancePCI PIN Security & Key Management Compliance
PCI PIN Security & Key Management ComplianceControlCase
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) ControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECControlCase
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceKimberly Simon MBA
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesControlCase
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar finalControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringKimberly Simon MBA
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...ControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSSKimberly Simon MBA
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PALog Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PAControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceKimberly Simon MBA
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSSKimberly Simon MBA
 

More Related Content

What's hot

Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECControlCase
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesControlCase
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar finalControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringKimberly Simon MBA
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...ControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PALog Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PAControlCase
 

What's hot (20)

Vendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIECVendor Management for PCI DSS, HIPAA, and FFIEC
Vendor Management for PCI DSS, HIPAA, and FFIEC
 
Performing One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust PrinciplesPerforming One Audit Using Zero Trust Principles
Performing One Audit Using Zero Trust Principles
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
Integrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to ManyIntegrated Compliance – Collect Evidence Once, Certify to Many
Integrated Compliance – Collect Evidence Once, Certify to Many
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related Updates
 
Docker container webinar final
Docker container webinar finalDocker container webinar final
Docker container webinar final
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PALog Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
 

Similar to PCI DSS and PA DSS Compliance

PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes ControlCase
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as UsualControlCase
 

Similar to PCI DSS and PA DSS Compliance (20)

PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes Webinar
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as Usual
 

More from ControlCase

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxControlCase
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdfControlCase
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfControlCase
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxControlCase
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST CertificationControlCase
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesControlCase
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudControlCase
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTControlCase
 

More from ControlCase (20)

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 
PCI DSS Compliance in the Cloud
PCI DSS Compliance in the CloudPCI DSS Compliance in the Cloud
PCI DSS Compliance in the Cloud
 
Healthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUSTHealthcare Compliance: HIPAA and HITRUST
Healthcare Compliance: HIPAA and HITRUST
 

Recently uploaded

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 

Recently uploaded (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

PCI DSS and PA DSS Compliance

  • 1. PCI DSS & PA DSS By Kishor Vaswani – CEO, ControlCase
  • 2. Agenda • About PCI DSS & PA DSS • Segmentation and Penetration Testing • Card Data Discovery and Memory • Q&A 1
  • 3. About PCI DSS & PA DSS
  • 4. What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card issuers • Maintained by the PCI Security Standards Council (PCI SSC) 2
  • 5. PCI DSS Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 3
  • 6. PCI DSS 3.2.1 4 • PCI DSS 3.2.1 in place starting 2019 • Removed Appendix A2 to report SSL/early TLS migration effort, as the migration date has passed. • Removed note from various requirements referring to an effective date of February 1, 2018, as this date has passed. • Updated Appendix A2 to reflect that the SSL/early TLS migration date of July 1, 2018 has passed. • Requirements A2.1–A2.3 updated to focus only on the allowance for POS POIs that are not susceptible to known exploits and their service provider termination points to continue using SSL/early TLS.
  • 7. PA DSS Introduction • Payment Application: A software application that stores, processes, or transmits cardholder data as part of authorization or settlement, where the payment application is sold, distributed, or licensed to third parties. • Commercial Payment Applications that are typically sold and installed “off the shelf” without pre-installation customization by Vendors. › e.g. POS, Payment middleware, PG/Switch, Payment module • PA-DSS Does Not Apply to: • Operating systems onto which Payment Applications are installed. • Database systems that store cardholder data. • Back-office systems that store cardholder data (for example, for reporting or customer service purposes). 5
  • 8. PA DSS Requirements 6 Requirement 1: Do not retain full track data, card verification code or value (CAV2, CID, CVC2, CVV2), or PIN block data Requirement 2: Protect stored cardholder data Requirement 3: Provide secure authentication features Requirement 4: Log payment application activity Requirement 5: Develop secure payment applications Requirement 6: Protect wireless transmissions Requirement 7: Test payment applications to address vulnerabilities and maintain payment application updates Requirement 8: Facilitate secure network implementation Requirement 9: Cardholder data must never be stored on a server connected to the Internet Requirement 10: Facilitate secure remote access to payment application Requirement 11: Encrypt sensitive traffic over public networks Requirement 12: Secure all non-console administrative access Requirement 13: Maintain a PA-DSS Implementation Guide for customers, resellers, and integrators Requirement 14: Assign PA-DSS responsibilities for personnel, and maintain training programs for personnel, customers, resellers, and integrators
  • 10. What is Network Segmentation • In the context of PCI DSS, Network Segmentation is a process where you isolate the CDE systems (Systems storing, processing & transmitting the CHD) from non-CDE systems. • Key thing to Note: Network Segmentation is not mandatory requirement. 7
  • 11. Network Segmentation & Scoping Guidelines Store Process Transmit CDE Connected To Impact Security Provide Security Provide Segmentation People, Process and Technology 8
  • 12. Flat Network Example Users Cardholder Servers Infrastructure servers Development Servers Since there is no segmentation done all the Systems will fall in PCI DSS scope 9
  • 13. Segmented Network Example Other Users Cardholder Servers Infrastructure servers Development Servers Segmented network using Firewall/Core Switch, ensure that traffic is limited to finance users and scope is reduces to only finance users, cardholder servers and infrastructure servers Finance Users Firewall/Core Switch 10
  • 14. • A method of evaluating the security of a computer system, network or application by simulating an attack by a malicious hacker. • Involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. • Carried out from the position of a potential attacker, and involves an active exploitation of security vulnerabilities. • Performed from outside the external perimeter or from within the internal network. What is a Penetration Test? 11
  • 15. • To determine whether and how a malicious user can gain unauthorized access to assets and eventually sensitive data • To confirm that the applicable PCI DSS controls, such as configuration standards, vulnerability management, and segmentation are in place Why is it important? 12
  • 16. • Entire CDE perimeter • Any critical systems that may impact the security of the CDE • External perimeter (public-facing attack surfaces) • Segmentation and scope-reduction controls What should we include in the test? 13
  • 17. • 11.3.4 - CDE Segmentation Verification › Applicable if segmentation is used to isolate CDE from other networks › Verifies that segmentation methods are operational and effective, and isolate all out-of-scope systems from in- scope systems › Must provide tester documentation of segmentation technologies › Testing against CDE systems from outside CDE › Testing against out-of-scope systems within the CDE Segmentation Verification 14
  • 18. • Based on the best practices from Open-Source Security Testing Methodology Manual (OSSTMM), Open Web Application Security Project (OWASP) and NIST SP800-115 • Includes coverage of the CDE perimeter and critical systems • Includes testing from both inside and outside the network • Includes testing from non CDE internal network to CDE internal network • Includes testing to validate any segmentation and scope-reduction controls Methodology 15
  • 19. Example Segmentation PT Result • Segmentation Failed › If we note that firewall is configured to allow unrestricted access (any ports and services) from the store/corporate general network into the store POS Network (CDE) › If firewall allows access from not-in-scope network to CDE • Segmentation Passed › If there is no access detected for any of the ports and services from the store general network into the store POS Network (CDE). 16
  • 20. Best Practices to Pass Segmentation PT • Rule-set review shall be done to verify the rules against the business requirements. • All unused rules shall be removed • All ACLs shall be configured in a way that they do not allow access from out of scope to CDE. • All changes in network shall be done through change management process and in line with the “Network Segmentation” policy and procedure. • If non-CDE segments have access into the CDE, either the organization needs to restrict that access or a full network-layer penetration test should be performed to characterize the access. 17
  • 22. What is Data Discovery • Ability to identify and pinpoint sensitive data across › File Shares › Servers › Databases › Email › Log files › Etc. 18
  • 23. Why is it important • CIA focuses on confidentiality, integrity and availability • Confidentiality is always focused on “Data” • Data that is sensitive must be protected, however the first step of that is to know where the data resides • Hence, it is important to identify where sensitive data resides 19
  • 24. Protect Stored Cardholder Data You must ensure stored data is encrypted and protected. 20
  • 25. PCI Council Advisory… • Importance of Updating Scope for PCI DSS Assessments There have been a number of high profile data compromises in the press recently. These reports serve as a daily reminder of the damage caused by compromises and of the need to keep business environments secure. Businesses evolve and change over time, and the scope of an entity's cardholder data environment must be reviewed and verified each time a PCI DSS assessment is undertaken. As has always been the case, many compromises are the result of businesses having data they weren't aware of. Please remember that scoping an assessment includes verifying that no cardholder data exists outside of the defined cardholder data environment. By ensuring the scope of an assessment is appropriate, the risk of data compromise is greatly reduced - a benefit to everyone involved. 21
  • 26. Methods for Data Discovery • DLP Solutions (McAfee etc.) • Card Data Discovery Solutions (ControlCase etc.) • Manual Scripts and Regular Expressions • Forensic Technology (EnCase etc.) 22
  • 27. Data Discovery Planning Considerations • Deployment and agents › Can get expensive › Technologically complicated › Long deployment cycles › Databases are a challenge • False Positives › Luhn’s formula narrows down but is not full proof › Many schemes use Luhn’s formula to generate numbers › Separators and delimiters change 23
  • 28. Planning Considerations contd… • Performance within production environments › Database load › Large number of records in databases › Active directory scanning › Emails storing cardholder data • Tokenization › Differentiation between tokens and real card numbers • Exclusions › Directories › Files › Extension types › Tables/Columns 24
  • 29. PA DSS and Card Data in Memory • PA DSS has requirement around card data storage in memory › Coding techniques must include how PAN and sensitive data is handled in memory per requirement 5 • Test for data in memory using memory dump tools such as Winhex • Cardholder Data in volatile memory must be handled securely to avoid memory scraping attacks • POS devices are primary targets • Applications must rewrite memory with NULL once the transaction authorization is completed 25
  • 30. To Learn More About PCI Compliance… • Visit www.controlcase.com • contact@controlcase.com
  • 31. Thank You for Your Time