Andy Cottrell
12/13/2013
Slide 1
Slide 2
- The PCI DSS refresh cycle
- What has changed in general terms
- Review of specific, significant changes
  - Requirement 0
  - Requirements 1-12
- Reorganization of documents
- Final notes
- Q&A
Slide 3
- IT security consulting company: www.truvantis.com
- Authorized PCI DSS Qualified Security Assessor (QSA) Company
- Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance
- We also understand that IT security can’t get in the way of doing business!
Slide 4 (image only; no text extracted)
Slide 5
- A great deal of clarification
- Some additional requirements
- More useful narrative before the requirements
- Reorganization of the documents
- Focus on goals, not technology
- Today, look at a few of the more important changes
Slide 6
- Scope
  - Cannot store SAD (sensitive authentication data) after authorization, even without the PAN (primary account number)
  - Determination of the scope of the CDE (cardholder data environment) is the entity’s responsibility
- Segmentation
  - If a control is used to de-scope, then that control is in scope
  - A system can only be out of scope if its compromise would not impact the security of the CDE
Slide 7
- Wireless
  - Don’t
- Service providers
  - It’s still your job to monitor the compliance of your service providers
  - The fact that they have an AOC (Attestation of Compliance) does not change that; it just helps with validation
  - “For example, providing the AOC and/or relevant sections of the service provider’s ROC (redacted to protect any confidential information) could help provide all or some of the information.”
Slide 8
- Business-as-Usual
  - Totally new section
  - Discusses how to build compliance into your daily routine
  - This is not a new requirement
  - Consider it guidance and advice that will help
Slide 9
- Security policies and daily operational procedures moved into relevant sections
  - Just moving section 12 items into a more sensible place
- NEW: Inventory of system components and their function/use
  - You probably did this anyway
  - Just leave an audit trail to show you keep it current
  - TIP: Create a recurring task to review it
Slide 10
- Passwords: still at least 7 characters, alphanumeric
- Can now use equivalent strength
  - Do the math to establish equivalence
  - TIP: This is a low bar – do better
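"Do the math" worked through, as an added example that is not part of the original slides: it compares the keyspace of the 7-character alphanumeric baseline quoted above with alternative policies and finds the shortest length at which another character set reaches the same keyspace. The equivalence rule (compare keyspace sizes for uniformly random passwords at the minimum length) and the candidate policies are this example's assumptions; real users do not choose uniformly, so these figures are an upper bound, which is the slide's point about the bar being low.

```python
import math
from dataclasses import dataclass
from typing import List, Tuple

# Character-set sizes used below (printable ASCII: 10 digits, 26+26 letters, 33 symbols).
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 33


@dataclass(frozen=True)
class Policy:
    """A minimum-length password policy over a character set of a given size."""
    name: str
    min_length: int
    charset_size: int

    def keyspace(self) -> int:
        """Number of distinct passwords at exactly the minimum length (exact integer)."""
        return self.charset_size ** self.min_length

    def bits(self) -> float:
        """Entropy in bits of a uniformly random password at the minimum length."""
        return math.log2(self.keyspace())


# The bar the slide quotes: at least 7 characters, alphanumeric (digits + letters).
BASELINE = Policy("PCI DSS 3.0 minimum: 7 alphanumeric", 7, DIGITS + LOWER + UPPER)


def is_equivalent(candidate: Policy, baseline: Policy = BASELINE) -> bool:
    """'Equivalent strength' (assumed rule): the candidate keyspace is at least the
    baseline's. Integer comparison avoids floating-point trouble at exact equality."""
    return candidate.keyspace() >= baseline.keyspace()


def min_length_for_equivalence(charset_size: int, baseline: Policy = BASELINE) -> int:
    """Shortest minimum length at which a character set reaches the baseline keyspace."""
    length = 1
    while charset_size ** length < baseline.keyspace():
        length += 1
    return length


def compare(candidates: List[Policy],
            baseline: Policy = BASELINE) -> List[Tuple[str, float, bool]]:
    """Return (name, bits, equivalent?) for each candidate against the baseline."""
    return [(p.name, round(p.bits(), 2), is_equivalent(p, baseline)) for p in candidates]


# Constructed sample policies an assessor might be asked to accept as "equivalent".
CANDIDATES = [
    Policy("6 chars, full printable ASCII", 6, DIGITS + LOWER + UPPER + SYMBOLS),
    Policy("8 lowercase letters", 8, LOWER),
    Policy("9 lowercase letters", 9, LOWER),
    Policy("12-digit numeric PIN", 12, DIGITS),
    Policy("13-digit numeric PIN", 13, DIGITS),
]

if __name__ == "__main__":
    print(f"Baseline: {BASELINE.name} = {BASELINE.bits():.2f} bits")
    for name, bits, ok in compare(CANDIDATES):
        print(f"{'PASS' if ok else 'FAIL'}  {bits:6.2f} bits  {name}")
    for size in (DIGITS, LOWER, DIGITS + LOWER + UPPER + SYMBOLS):
        print(f"charset of {size}: need minimum length >= {min_length_for_equivalence(size)}")
```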
Slide 11
- 2.0: “Deploy anti-virus software on all systems commonly affected by malicious software”
- Now it is your responsibility to make sure the systems you treat as not commonly affected continue to not need it
  - 3.0: “perform periodic evaluations to identify and evaluate evolving malware threats”
Slide 12
- These requirements (vulnerability identification and patching) have been coordinated
  - Security patches indicate vulnerabilities
  - All vulnerabilities must be ‘risk-ranked’
    - Rankings must at least identify HIGH risk (to you)
    - Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed”
- CRITICAL vendor-supplied security patches: one month
- Other vendor-supplied security patches: ‘appropriate’ time frame (three months)
Slide 13
- NEW: Broken authentication and session management
  - Flagging session tokens … as “secure”
  - Not exposing session IDs in the URL
  - Incorporating appropriate time-outs and rotation of session IDs after a successful login
- PCI is following the OWASP Top 10
- TIP: OWASP has a new Top 10 for 2013
- TIP: Also see www.securecoding.cert.org
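The three session-management practices listed above, implemented in one framework-free session store as an added example (not code from the slides or from Truvantis): the session cookie is emitted with the Secure and HttpOnly flags, the session ID is taken only from the cookie and never from the URL query string, idle sessions expire, and the ID is rotated on successful login. The cookie name, the 15-minute idle limit and all class and function names are this example's own assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed idle limit for this example
COOKIE_NAME = "SESSIONID"       # assumed cookie name


@dataclass
class Session:
    user: Optional[str]                    # None until a login succeeds
    last_seen: float
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """In-memory session store; the clock is injectable so time-outs can be tested."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        # 32 bytes from the OS CSPRNG: an unguessable ID is what makes rotation meaningful.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Start an anonymous (pre-login) session and return its ID."""
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, last_seen=self._clock())
        return sid

    def get(self, sid: Optional[str]) -> Optional[Session]:
        """Look up a session, expiring it if it has been idle longer than the time-out."""
        if sid is None:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session.last_seen > self._idle_timeout:
            del self._sessions[sid]          # idle time-out: forget it server-side
            return None
        session.last_seen = self._clock()    # any valid use resets the idle clock
        return session

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Rotate the session ID on successful login: the pre-login ID is retired so a
        value fixed or observed before authentication never becomes a logged-in session."""
        old = self.get(old_sid)
        carried = dict(old.data) if old else {}   # keep e.g. a pre-login shopping cart
        if old_sid is not None:
            self._sessions.pop(old_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, last_seen=self._clock(), data=carried)
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie_header(sid: str, max_age: int = IDLE_TIMEOUT_SECONDS) -> str:
    """Set-Cookie value: Secure (sent over HTTPS only), HttpOnly (not readable by
    script), SameSite=Strict (not sent on cross-site requests), bounded lifetime."""
    return (f"{COOKIE_NAME}={sid}; Path=/; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite=Strict")


def session_id_from_request(cookies: Dict[str, str], query: Dict[str, str]) -> Optional[str]:
    """Take the session ID from the cookie jar only. The parsed query string is passed in
    and deliberately ignored, so an ID that lands in a URL (server logs, Referer headers,
    browser history) is never honoured as a session."""
    return cookies.get(COOKIE_NAME)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    logged_in = store.login(anon, "alice")
    print("rotated on login:", anon != logged_in)
    print("old ID still valid:", store.get(anon) is not None)
    print(session_cookie_header(logged_in))
```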
Slide 14
- NEW: Protect devices that capture payment
  - Mandatory after July 1st 2015
  - Maintain a list of devices
  - Periodically inspect device surfaces to detect tampering
  - Training for personnel to detect tampering or replacement
Slide 15
- Scanning for rogue devices
  - Must test for all routes by which wireless devices could get in
  - Just looking for added IP addresses is not enough
  - USB etc. specifically called out
- TIP: Focus on intent, not the language
Slide 16
- Can now combine multiple scans to get a passing grade
  - Recognizes that new issues can arise during a remediation phase
  - A re-test would show new failing items
  - Avoids the never-ending cycle of not passing
Slide 17
- Penetration testing: greatly enhanced detail and deeper in scope
  - New goals mandatory as of July 1st, 2015
  - Test de-scoping controls
  - Review the last 12 months’ threats and vulnerabilities
  - The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment
- TIP: Don’t be sold a vulnerability assessment as a pen test
- TIP: Ask your penetration tester when they will be working with the new rules
Slide 18
- Risk assessment “at least annually and after significant changes to the environment”
  - Many requirements now reference your risk assessment
- TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like
Slide 19
- Incident response: plan not just for a major breach
  - It should drill down into more alerts from monitoring systems like firewalls
  - Larger mandate to choose what to monitor and where alerts should come from
- TIP: Again - focus on intent, not language
Slide 20
- Guidance regarding intent moved into the standard
- Reporting instructions moved to a template
- SAQs (Self-Assessment Questionnaires) will be updated - not released yet
  - Expect:
    - Multiple SAQ submission will be permitted
    - New SAQs such as hosted payment pages
Slide 21
- Download and review the ‘Summary of Changes’ document now
  - Review every item and measure the impact
  - Comply with the language, but focus on the intent
- Review your ‘risk assessment’ in the light of 3.0
  - By understanding your risk, you can scale your behavior appropriately
Slide 22
- By web: www.truvantis.com
- By phone: +1 855.345.6298
- By email: info@truvantis.com
- View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw

PCI 3.0 Webcast: Minimizing the Business Impact of the PCI 2.0 - 3.0 Transition

Slide 9
• Security policies and daily operational procedures moved into relevant sections
  - Just moving section 12 items into a more sensible place
• NEW: Inventory of system components and their function/use
  - You probably did this anyway
  - Just leave an audit trail to show you keep it current
  - TIP: Create a task regularly to review it
Slide 10
• Still at least 7 characters, alphanumeric
• Can now use equivalent strength
  - Do the math to establish equivalence
  - TIP: This is a low bar – do better
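Slide 10 says to "do the math" before accepting a different password scheme as equivalent to 7 alphanumeric characters. The following is an added Python example (not from the webcast) that does that arithmetic with exact integers, treating passwords as uniformly random, so the result is the floor the slide calls a low bar rather than a measure of real user-chosen passwords; the alphabet sizes in the demo (10 digits, 26 lower-case letters, 95 printable ASCII, a 7776-word list) are my assumptions.

```python
import math

# PCI DSS 3.0 baseline from slide 10: at least 7 characters, alphanumeric.
# Alphanumeric = 10 digits + 26 lower-case + 26 upper-case = 62 symbols.
BASELINE_LENGTH = 7
BASELINE_ALPHABET = 62
BASELINE_SPACE = BASELINE_ALPHABET ** BASELINE_LENGTH   # 62**7, exact integer

def baseline_bits():
    """Baseline search space in bits (log2 of 62**7), for reporting only."""
    return BASELINE_LENGTH * math.log2(BASELINE_ALPHABET)

def is_equivalent(alphabet_size, length):
    """True if a uniformly random password over this alphabet and length
    has at least the baseline's search space. Exact integer comparison, so
    no floating-point rounding can flip the result at the boundary."""
    if alphabet_size < 2 or length < 1:
        return False
    return alphabet_size ** length >= BASELINE_SPACE

def min_length_for_equivalence(alphabet_size):
    """Smallest length at which this alphabet meets the baseline."""
    if alphabet_size < 2:
        raise ValueError("an alphabet needs at least two symbols")
    length = 1
    while not is_equivalent(alphabet_size, length):
        length += 1
    return length

def equivalence_table(schemes):
    """For {name: alphabet_size}, the minimum length each scheme needs.
    Assumes uniform random selection: user-chosen secrets are weaker,
    so treat the result as a floor, not a target."""
    return {name: min_length_for_equivalence(size) for name, size in schemes.items()}

if __name__ == "__main__":
    # Constructed alphabets for the demo; adjust to your own policy.
    print(f"baseline: {BASELINE_LENGTH} chars over {BASELINE_ALPHABET} symbols = "
          f"{baseline_bits():.1f} bits")
    demo = {"digits only (PIN)": 10,
            "lower-case letters": 26,
            "printable ASCII": 95,
            "diceware words (7776-word list)": 7776}
    for name, need in equivalence_table(demo).items():
        print(f"{name}: at least {need} characters/words")
```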
Slide 11
• 2.0: “Deploy anti-virus software on all systems commonly affected by malicious software”
• 3.0: “perform periodic evaluations to identify and evaluate evolving malware threats”
  - Now your responsibility to make sure they continue to not need it
Slide 12
• These requirements have been coordinated
  - Security patches indicate vulnerabilities
  - All vulnerabilities must be ‘risk-ranked’
    - At least HIGH risk (to you)
    - Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed”
• CRITICAL vendor-supplied security patches: one month
• Other vendor-supplied security patches: ‘appropriate’ time frame (three months)
Slide 13
• NEW: Broken authentication and session management
  - Flagging session tokens … as “secure”
  - Not exposing session IDs in the URL
  - Incorporating appropriate time-outs and rotation of session IDs after a successful login
• PCI is following OWASP Top 10
  - TIP: OWASP has a new Top 10 for 2013
  - TIP: Also see www.securecoding.cert.org
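The three session-management bullets on slide 13 (token flagged "secure", no session ID in the URL, time-outs plus rotation after login), as an added Python example that is not part of the webcast: a Set-Cookie check, a URL check, and a minimal server-side store that rotates the ID on login and expires idle sessions. The parameter-name list and the 15-minute idle time-out are assumed values.

```python
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used to carry a session ID (assumed list for the demo).
SESSION_PARAM_NAMES = {"sessionid", "session_id", "sid", "jsessionid", "phpsessid"}

def cookie_findings(set_cookie_value, cookie_name):
    """Hardening attributes missing from the named cookie (slide 13: flag it 'secure')."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    morsel = jar[cookie_name]                  # KeyError if the cookie is absent
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure")      # token would travel over plain HTTP
    if not morsel["httponly"]:
        findings.append("missing HttpOnly")    # token readable by injected script
    return findings

def session_id_in_url(url):
    """True if a session ID is exposed in the URL (query string or ;jsessionid path)."""
    parts = urlsplit(url)
    if ";jsessionid=" in parts.path.lower():
        return True
    return any(k.lower() in SESSION_PARAM_NAMES for k in parse_qs(parts.query))

class SessionStore:
    def __init__(self, idle_timeout_s=900, clock=time.monotonic):
        self.idle_timeout_s = idle_timeout_s   # 15 minutes, an assumed value
        self.clock = clock                     # injectable so tests control time
        self._sessions = {}                    # sid -> {"user", "last_seen"}
    def create(self):
        sid = secrets.token_urlsafe(32)        # 256 random bits from the CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": self.clock()}
        return sid
    def login(self, old_sid, user):
        # Successful login: retire the pre-login ID and issue a fresh one.
        self._sessions.pop(old_sid, None)      # old ID is unusable from now on
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid
    def get_user(self, sid):
        """Logged-in user for sid, or None if unknown or idle past the time-out."""
        state = self._sessions.get(sid)
        if state is None:
            return None
        if self.clock() - state["last_seen"] > self.idle_timeout_s:
            del self._sessions[sid]            # expired: remove server-side too
            return None
        state["last_seen"] = self.clock()
        return state["user"]
```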
Slide 14
• NEW: Protect devices that capture payment
  - Mandatory after July 1st 2015
  - Maintain a list of devices
  - Periodically inspect device surfaces to detect tampering
  - Training for personnel to detect tampering or replacement
Slide 15
• Scanning for rogue devices
  - Must test for all routes to get wireless devices in
  - Just looking for added IP addresses is not enough
  - USB etc. specifically called out
• TIP: Focus on intent, not the language
Slide 16
• Can now combine multiple scans to get a passing grade
  - Recognizes that new issues can arise during a remediation phase
  - Re-test would show new failing items
  - Avoid the never-ending cycle of not passing
Slide 17
• Greatly enhanced detail and deeper in scope
  - New goals mandatory as of July 1st, 2015
  - Test de-scoping controls
  - Review the last 12 months’ threats and vulnerabilities
  - The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment
• TIP: Don’t be sold a vulnerability assessment as a pen test
• TIP: Ask your penetration tester when they will be working with the new rules
Slide 18
• “at least annually and after significant changes to the environment”
• Many requirements now reference your risk assessment
• TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like
Slide 19
• Plan not just for a major breach
  - It should drill down into more alerts from monitoring systems like firewalls
  - Larger mandate to choose what to monitor and where alerts should come from
• TIP: Again - focus on intent, not language
Slide 20
• Guidance regarding intent moved into the standard
• Reporting instructions moved to a template
• SAQs will be updated - not released yet
  - Expect:
    - Multiple SAQ submission will be permitted
    - New SAQs such as hosted payment pages
Slide 21
• Download and review the ‘Summary of Changes’ document now
  - Review every item and measure the impact
  - Comply with the language, but focus on the intent
• Review your ‘risk assessment’ in the light of 3.0
  - By understanding your risk, you can scale your behavior appropriately
Slide 22
• By web: www.truvantis.com
• By phone: +1 855.345.6298
• By email: info@truvantis.com
• View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw