This webinar discusses techniques for reducing an organization's cardholder data footprint to simplify PCI DSS compliance. It covers tokenization, which replaces sensitive card data with random tokens that have no value of their own. The original data is stored in a secure vault, and transactions use tokens instead of real card numbers, reducing the number of systems and the amount of data in scope for PCI compliance. Other techniques discussed include network segmentation, point-to-point encryption, and outsourcing to PCI-compliant vendors. Reducing an organization's cardholder data footprint lowers the cost and effort of compliance while also preventing data breaches and theft.
2. Webinar Objective
• Understanding PCI DSS Compliance and its Requirements.
• How Businesses can Reduce their Compliance Scope with a Reduced Cardholder Data Footprint.
• Learn About the various Techniques of Reducing the Cardholder Data Footprint.
3. Topics Covered
• A Quick Introduction to PCI DSS Compliance
• PCI DSS Scoping Requirements
• Top 4 Techniques for reducing Cardholder Data footprint in your enterprise
• What is Tokenization?
• Process of Tokenization
• How Does Tokenization Reduce Card Data Footprint?
4. Gain CPE Points Attending the Webinar!
• Attend the entire session of the Webinar and gain Continuing Professional Education (CPE) points.
• They can be used for various certifications such as CISA, CISSP, CRISC, CISM, PCI QSA, etc.
5. Free Informative Resources
• Subscribe to our YouTube channel: https://www.youtube.com/c/vistainfosecofficial
• Get access to free informative videos on
• PCI DSS
• HIPAA
• GDPR
• SOC1 & SOC2
• Ethical Hacking
6. PAST WEBINARS
• PCI DSS - Managing your outsourced vendor.
• Log Management and reporting for the PCI environment.
• Best practices in Ecommerce security.
• PCI DSS and the Cloud – Top risks and Mitigations
• Wireless in the PCI environment – Top risks and Mitigations
• PCI DSS in the virtualized environment – Top risks and Mitigations
• Targeted attacks: Spear Phishing and Social Engineering.
• PCI DSS Scoping and Segmentation.
• Managing Data Leakage in your PCI environment.
• Strategies for migration from early TLS and SSL.
• Using PCI DSS for GDPR Compliance
7. PAST WEBINARS
• Using ISO27001 for PCI DSS
• SOC2 and YOU
• GDPR – Are you ready
• SOC2 – Beyond the myth
• GDPR – Steps to a successful DPIA
• Block chain – A crash course – What is it, potential uses and pitfalls
• Tackling Security in the Cloud: CASB to the rescue
• HIPAA – Basics and Beyond…
• Using SOC2 for HIPAA Compliance
• Developing a Cyber Security framework using NIST
8. PAST WEBINAR
• SOC for Cyber Security
• Rights of Data Subjects – GDPR and PDPA
• SOC2 Compliance and the Cloud
• Debunking Top 10 myths of PCI DSS
• Achieving PCI DSS in 90 days
• FDA CFR Part 11 – What’s the hype all about
• Achieving SOC2 Compliance in 90 days – Is it possible?
• Step by step approach to PDPA compliance
• 7 steps to NIST 800-171 compliance
• PCI DSS - 5 Simple Techniques to reduce scope
9. PAST WEBINAR
• SOC2 and CCM
• In talks with Nitin Bhatnagar (PCI Council) - Meeting Payment Security Needs Now and for the Future
• Covid-19 and Business Continuity
• PA DSS and PCI SSF – How they match up and how they map
• PCI PIN, PCI Cryptography & Key Management
• NESA – How it matters to you
10. As We Go Along
• Do type in your queries in the query box and I will answer as many as possible during the webinar. If time constraints prevent that, I will write to you directly.
• Feel free to share a topic of interest that you would like to learn more about from our team (Information Security, Compliance, Regulatory Standards and Risk Assessment Services related topics).
12. About Me
NARENDRA SAHOO
Mr. Sahoo carries over 25 years of experience in the IT industry, of which the last 16 years have been dedicated to VISTA InfoSec. His professional qualifications include PCI QSA, CISA, CISSP, CRISC and ISO 27001 Lead Assessor. Starting off as an assembly language programmer, with the advent of networking and the Internet in India he moved into networking and IT management, of which InfoSec was a natural progression.
A well-versed professional with proficiency in globally recognized standards such as ISO 27001, PCI DSS, ITIL/ISO 20000 and COBIT, and in international regulations such as HIPAA, CSV, SOX, SSAE16, SOC, etc., Mr. Sahoo has conducted IT consulting and assessments for large banks, software development organizations, research & development companies and BPOs in India and overseas. Well versed in strategy development and with an astute technical background, he has audited, designed and strategized for a wide variety of information security and networking technologies. He has provided consulting services for premier organizations such as Tata Group, Shell Oil, Cipla, numerous payment processing organizations and a host of banks including the Reserve Bank of India, as well as the Indian armed forces.
He has recently been awarded the “Crest of Honor” by the Indian Navy for his contributions.
He was inducted into the CSI Hall of Fame for his significant contributions to the fraternity.
Sectors: Worked in all verticals, ranging from Government/PSU, BFSI, Pharma, Manufacturing, ITES, etc.
Designation - Founder & Director of VISTA InfoSec
Certifications - PCI QPA, PCI QSA, CISSP, CISA, CRISC, ISO27001 LA
Industry Experience - 25 Years
17. Survey Participation Request
We Value Your Feedback
• Please complete our brief survey at the end of the webinar and leave your valuable comments.
• Your answers will allow us to meet your expectations better.
18. PCI HISTORY
• Late 90’s - Visa recognized a need to protect Card Data to prevent theft.
• June, 2001 – Visa mandated rules to protect Card Data.
• Later the other card associations followed Visa’s lead with their own programs.
19. PCI HISTORY
The Four Programs Were Called:
• Visa: CISP – Cardholder Information Security Program
• MasterCard: SDP – Site Data Protection
• American Express: DSOP - Data Security Operating Policy
• Discover: DISC - Discover Information Security & Compliance
20. PCI History
Once there were four programs:
• Confusion ensued.
• There were now four sets of rules, guidelines, penalties and fines.
22. PCI History
• Establishment of a standards organization named the Payment Card Industry Security Standards Council
• Also Known As: PCI
• The founding members were the five major card brands:
• American Express
• MasterCard
• Discover
• Visa
• JCB (Japan Credit Bureau)
• Primarily seen in Hawaii, California and other major T & E Markets in the USA
23. History in Brief
• Visa, MasterCard, American Express, Discover and JCB decided to standardize on a common set of data security requirements for Merchants and Data Processors – the PCI Data Security Standard (PCI DSS).
• The PCI Security Standards Council was formed in 2004 as an independent organization in order to maintain and promote the PCI DSS.
• Version 1.0 of the PCI DSS was published in January 2005.
• Version 1.1 was published in September 2006.
• Version 1.2 was released in October 2008.
• The latest version, 4.0, is expected to be released in mid-2021, this year.
24. PCI History
• Not The Perfect Solution
• The Good News
• The security guidelines have been consolidated under a single entity – PCI DSS: Data Security Standard.
• Your Compliance and IT staff will appreciate this.
• The Bad News
• Due to federal restraint of trade laws, the card brands cannot collude on the rules, penalties and fines.
• So we must still please multiple masters.
• For the most part, Visa’s rules are the most restrictive and are therefore used as the bellwether guideline.
27. How can Cardholder Data & Environment be Secured?
• Businesses falling in the scope of PCI DSS Compliance will see a significant impact on their resources (cost and manpower).
• Any systems or applications that have access to sensitive card information, whether encrypted or not, fall in scope.
• Enterprises looking for ways to simplify and reduce the scope of PCI DSS Compliance can do so by reducing the Card Data footprint in their systems and applications.
• Merchants and Service Providers are required to size and scope their Cardholder Data Environment to gauge their current risk exposure.
• Scoping and analyzing the Cardholder Data Environment indicates how likely the business is to face data breach incidents.
• Depending on whether the Cardholder Data Environment (CDE) is minimal and adequately isolated or extensive, the systems, applications and network that fall in the scope of PCI DSS and need to be secured vary accordingly.
29. Importance of Understanding Scoping & Segmentation
• There are many interpretations of “adequate network segmentation”
• Not all are accurate
• There are many motivations for wanting to reduce scope
• Not all motivations are in the best interests of security
• Improper scoping choices are contributing to compromises
• Cardholder data is still a very desirable target for hackers
30. Importance of Understanding Scoping & Segmentation
• Bad interpretations and/or motivations can lead to-
• Aggressive or accidental under-scoping.
• Ineffective segmentation controls.
• Which can have disastrous consequences such as-
• Bad interpretations can also lead to unnecessary over-scoping.
• Can result in ineffective allocation of security resources.
31. Scoping Confusion
• What does “in scope” mean?
• Not every PCI DSS requirement necessarily applies to an in-scope system. Consider:
• Requirements applicable to the system's function/use.
• Requirements applied at the network level rather than on every system.
• Controls that reduce the applicability of certain PCI DSS requirements (these must be verified!).
• What does “out of scope” mean?
• Consider the system ‘untrusted’.
• No security evaluation or validation of the system/network is performed.
• If an “out-of-scope” system could lead to a CDE compromise, it should not have been considered out of scope.
32. What is Scoping?
Scoping involves the identification of people, processes, and technologies that interact with OR could otherwise impact the security of CHD.
33. Scoping Concepts
• Systems located within the CDE are in scope, irrespective of their functionality or the reason why they are in the CDE.
• Similarly, systems that connect to a system in the CDE are in scope, irrespective of their functionality or the reason they have connectivity to the CDE.
• In a flat network, all systems are in scope if any single system stores, processes, or transmits account data.
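As an added example (not from the webinar or VISTA InfoSec), the scoping rules above together with the "could it lead to a CDE compromise?" test from the Scoping Confusion slide, applied in Python to a small constructed system inventory; every system name, the connectivity between them and the security-impacting flag are assumptions made for the illustration.

```python
from collections import deque

# Constructed inventory (illustration only): does the system store, process or
# transmit account data ("chd"); could it impact CHD security, e.g. a directory
# server ("security"); which systems does it have unrestricted connectivity to.
INVENTORY = {
    "pos-terminal": {"chd": True, "security": False, "peers": {"payment-app"}},
    "payment-app": {"chd": True, "security": False,
                    "peers": {"pos-terminal", "token-vault", "erp"}},
    "token-vault": {"chd": True, "security": False, "peers": {"payment-app"}},
    "erp": {"chd": False, "security": False, "peers": {"payment-app", "mail"}},
    "directory": {"chd": False, "security": True, "peers": {"mail"}},
    "mail": {"chd": False, "security": False, "peers": {"erp", "directory"}},
    "hr-portal": {"chd": False, "security": False, "peers": {"mail"}},
}


def links(inventory, node):
    """Neighbours in either direction: connectivity either way puts a system
    within reach of the CDE."""
    return inventory[node]["peers"] | {n for n in inventory if node in inventory[n]["peers"]}


def classify(inventory, segmented=True):
    """Scoping rules from the slides: CDE systems, systems directly connected
    to the CDE, every system in a flat network, and systems that could impact
    CHD security are all in scope."""
    cde = {name for name, s in inventory.items() if s["chd"]}
    result = {}
    for name, s in inventory.items():
        if name in cde:
            result[name] = "cde"
        elif cde and not segmented:
            result[name] = "connected-to"  # flat network: nothing is isolated
        elif links(inventory, name) & cde:
            result[name] = "connected-to"
        elif s["security"]:
            result[name] = "security-impacting"
        else:
            result[name] = "out-of-scope"
    return result


def needs_review(inventory):
    """'Out-of-scope' systems that still have a multi-hop path to the CDE. The
    slides' test is whether a system could lead to a CDE compromise, so these
    stay out of scope only once the in-scope hops are verified to block them."""
    cats = classify(inventory)
    seen, queue = set(), deque(n for n, c in cats.items() if c == "cde")
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(links(inventory, node) - seen)
    return sorted(n for n in seen if cats[n] == "out-of-scope")
```

With the sample inventory the ERP lands in scope as a connected-to system, the directory server as security-impacting, and the mail server and HR portal are flagged for review because they reach the CDE through the ERP.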
36. PCI DSS Scoping
• PCI DSS applies to all systems and networks that store, process, and/or transmit cardholder data, and to all connected systems, including-
• Networking equipment that transmits cardholder data (e.g. routers, switches, firewalls, wireless access points).
• Encrypted Cardholder Data, which still falls in scope.
39. Scope of PCI DSS
• If your shop handles financial card data:
• PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed or transmitted.
• PCI DSS security requirements apply to all “system components”, defined as “any network component, server or application that is included in or connected to the cardholder data environment”.
• Failure to comply will eventually result in surcharges, fines and substantially increased liability in the event of a data breach.
• If a PAN is not stored, processed or transmitted, then PCI DSS requirements do not apply.
41. How to Reduce the Scope or Cardholder Data Footprint in the Environment?
• A complex IT environment can make it more costly and difficult for Merchants & Service Providers to achieve and maintain PCI Compliance.
• For this reason, once they have identified which systems are in scope, they should try to reduce that scope by limiting the Cardholder Data Footprint in the Environment.
• While it is impossible to completely eliminate the Cardholder Data footprint, there are methods that considerably reduce and simplify PCI scope.
42. Techniques of Reducing Cardholder Data Footprint
Reducing Cardholder Data Footprint:
• Network Segmentation
• Point-to-Point Encryption
• Tokenization
• Outsourcing
43. Techniques of Reducing Cardholder Data Footprint
• Network Segmentation- Network segmentation involves isolating the Cardholder Data Environment from the rest of the company’s network. This prevents out-of-scope systems from communicating with, or impacting the security of, systems in the Cardholder Data Environment. (Refer to our earlier webinar on PCI DSS Scoping and Segmentation to learn more about it.)
• Tokenization- Tokenization is the process of replacing sensitive cardholder data with a randomly generated value called a token. Implementing this process helps secure sensitive data and reduces the scope of Compliance, as no card data will reside in the Cardholder Data Environment, with only tokenized data flowing through your systems.
44. Techniques of Reducing Cardholder Data Footprint
• Point-to-Point Encryption- P2PE involves encrypting the Payment Card Data at the point of interaction, when the Payment Card is swiped, until the point at which it reaches the decryption environment. The data is indecipherable during the transaction process, which protects it against hacking, theft and fraud. Merchants who implement P2PE solutions are subject to fewer PCI requirements.
• Outsourcing- Outsourcing is always a good option provided you outsource to the right vendors, by which we mean PCI compliant vendors. This will definitely help reduce your PCI scope and Card Data footprint. By opting for a PCI Compliant solution or simply moving to a PCI DSS compliant cloud-hosting platform, you automatically reduce the scope of compliance. Outsourcing in general can reduce compliance-related costs and minimize the effort required to meet the requirements of PCI DSS. However, it is important to evaluate the security levels and compliance status of third-party vendors before considering them as an outsourcing option.
45. What is Tokenization?
• Tokenization can be described as the process of replacing a credit card number with an alternate set of characters or elements that have no significant value.
• It is a technique that replaces sensitive data with non-sensitive, randomly generated elements or numbers known as tokens.
• It is a unique way of protecting sensitive data while retaining all the relevant information, without compromising its security.
• Tokenization works on the principle of devaluing the sensitive data so as to make it unviable for hackers to breach the data defenses.
• The tokenization process is very different from encryption: a token cannot be deciphered to reveal the sensitive data it stands for, since it is randomly generated rather than derived from that data.
47. How Does Tokenization Reduce Card Data Footprint?
• Secure Data Vault- Tokenization replaces sensitive payment card data with a token and stores the original data in a highly secure, centralized data vault. The sensitive data is then not accessible outside of the data vault, except when originally captured at the beginning of a transaction or, later, when retrieved from the vault by an authorized user or an authenticated application. This removes the risk of sensitive data exposure from the rest of the payment card environment, so organizations can reduce the number of systems, applications and processes that are directly exposed to the sensitive data and in turn reduce the overall scope of PCI DSS compliance.
• Data Surrogates- In tokenization, the token is used as a replacement, or surrogate value, for the original sensitive data. The token represents the original data, which is encrypted and stored in a central data vault. The application therefore holds no credit card information, not even in encrypted form. This reduces the Cardholder Data footprint and allows the entire application in this scenario to fall out of PCI DSS scope.
48. How Does Tokenization Reduce Card Data Footprint?
• Data Relation Token- Tokenization establishes a one-to-one relation between the credit card number and its token, which maintains referential integrity across systems. That referential integrity allows transaction analysis to be performed on tokens, eliminating the need to access the sensitive credit card number directly. This helps remove sensitive card data from the environment, reducing the card data footprint and the PCI scope.
• Tokens Have No Value- Tokens are substitute sets of characters or elements that have no significant value. They can therefore be transmitted across networks and applications without the original sensitive data being present in the environment. The original data is securely stored in a central data vault, outside the Cardholder Data environment, with access limited to the applications authorized to retrieve it. In this way the footprint of sensitive data in the environment is reduced, and with it the need to secure and monitor it as frequently.
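As an added example (not the webinar's or VISTA InfoSec's code), a minimal vault-based tokenization service in Python showing the four properties described in slides 47 and 48: a vault that alone holds the PAN, random surrogate tokens, a one-to-one PAN-to-token relation, and detokenization limited to authorized applications. The Luhn validation of input, keeping the last four digits, rejecting any token that would itself pass a Luhn check, and all names and PANs are assumptions made for the illustration.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: rejects malformed PANs on input and, below, makes
    sure a generated token can never be mistaken for a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The slides' 'secure data vault': the only component that ever holds a
    real PAN; every other system works with surrogate tokens. In-memory here."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}
        self._detokenizers: set[str] = set()  # app ids allowed to retrieve a PAN

    def authorize(self, app_id: str) -> None:
        self._detokenizers.add(app_id)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # One-to-one relation: the same PAN always maps to the same token, so
        # other systems can correlate transactions without ever seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random, not derived from the PAN; same length with the last four
            # digits kept for receipts; rejected on collision or if it would
            # pass a Luhn check and so look like a real PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, app_id: str) -> str:
        """Only an authorized application may exchange a token for the PAN."""
        if app_id not in self._detokenizers:
            raise PermissionError(f"{app_id} is not authorized to detokenize")
        if token not in self._token_to_pan:
            raise ValueError("unknown token")
        return self._token_to_pan[token]
```

An order system that stores only what `tokenize()` returns never holds a PAN, while a settlement process registered through `authorize()` can still recover it from the vault.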
49. Key Takeaway
• Reducing the Cardholder Data footprint in the environment is crucial, as it helps reduce the scope of Compliance.
• Less sensitive data translates into fewer compliance requirements, which may in turn enable quicker audits.
• Not just that: reducing the Cardholder Data Footprint in the environment also helps prevent incidents of data breach or theft.
• Apart from the significant reasons mentioned above, reducing the Cardholder Data footprint in the environment also lowers the cost of compliance and the resources required to achieve it.