SlideShare a Scribd company logo

Looking Forward to PCI DSS v4.0

Kriangkrai Chumsaktrakul
Kriangkrai Chumsaktrakul

สถานการณ์ร่างมาตรฐาน และแนวทางที่จะเปลี่ยนไปในเวอร์ชั่นใหม่

Technology
1 of 11
Download to read offline
© ACinfotec 2020 Looking Forward to PCI DSS v4.0 (Draft)
© ACinfotec 2020 Speaker Profile ชื่อวิทยากร : เกรียงไกร ชุ่มศักดิ์ตระกูล ตาแหน่ง : Consulting Innovation Manager บริษัท ACinfotec ประกาศนียบัตร :  PECB Certified Trainer, PECB ISO27k Lead Implementer & Auditor  PCI Professional, IRCA ISMS Lead Auditor  CISSP, CEH, Security+ ประสบการณ์ : ที่ปรึกษามาตรฐาน ISO27001 ให้หน่วยงานภาครัฐ ภาคเอกชน หน่วยงานโครงสร้างพื้นฐานที่สาคัญของประเทศ ธนาคารในประเทศและ ต่างประเทศ ที่ปรึกษามาตรฐาน PCI DSS ให้ธนาคารในประเทศ และธุรกิจชาระเงินออนไลน์ ที่ปรึกษาด้านความปลอดภัยไซเบอร์ ให้บริษัทข้ามชาติในธุรกิจปิโตรเลียมและพลังงาน ธนาคารในประเทศ หน่วยงานกากับ และหน่วยงาน โครงสร้างพื้นฐานที่สาคัญของประเทศ
© ACinfotec 2020 History of PCI DSS
© ACinfotec 2020 PCI DSS - 12 Core Requirements
© ACinfotec 2020 PCI DSS – CHD & SAD
© ACinfotec 2020 ”Any organization that accepts payment cards or stores, processes, or transmits credit or debit card data must comply with the PCI DSS.” Who need to comply with PCI DSS?
© ACinfotec 2020 Goals for PCI DSS v4.0 • Ensure the standard continues to meet the security needs of the payments industry • Add flexibility and support additional methodologies to achieve security • Promote security as a continuous process • Enhance validation methods and procedure The standard is still on RFC process and won’t be published until 2021 and won’t be required for 2 years after the publication date.
© ACinfotec 2020 A first draft of PCI DSS v4.0 • The draft of PCI DSS v4.0 addresses feedback received during the 2017 RFC and reflects changes in payments environments and security technologies. • The updates made to the standard focus on strengthening security and adding flexibility. • While the 12 core PCI DSS requirements remain fundamentally the same, several new requirements are proposed to address evolving risks and threats to payment data and to reinforce security as a continuous process. • All requirements are redesigned to focus on security objectives, and there is a new validation option that gives more flexibility to organizations using different methodologies to meet the intent of PCI DSS requirements.
© ACinfotec 2020 Changes to PCI DSS’s layout and descriptions The overall structure of the PCI DSS is retained in version 4.0, and will keep the same 12 high level requirements. Changes to PCI DSS’s layout and descriptions v.4.0 will include: 1. More accurate requirement titles 2. Additional direction and guidance provided in the Overview section 3. Requirements organized into Security Objectives 4. Requirements refocused as objective or outcome-based statements focused on implementation of the security control as the end result. 5. Clear identification of Intent (Objective) for each requirement 6. Expanded Guidance
© ACinfotec 2020 Examples of some of the proposed new requirements 1. Scoping – Increased testing and documentation will be required for confirmation of the accuracy and completeness of scope of the cardholder data environment (CDE) and periodic scope validation processes. 2. CHD Protection – Card encryption requirements will be expanded to include all transmissions of CHD instead of only those across public networks. 3. Security awareness training – Requirements for training of end users will be enhanced to include more information regarding current threats and phishing, social engineering, etc. 4. Risk assessment – The Council recognizes that the current PCI DSS requirement that a risk assessment be conducted is not always resulting in useful risk analysis and risk management outcomes. This requirement will be modified to ensure that the risk assessment is not being treated as a “checkbox exercise” by organizations. 5. Authentication – The new version of the DSS will provide more flexibility for the use of authentication techniques and solutions within the CDE to align them with industry best practices. 6. Cloud environments – Version 4.0 will evolve all requirements to be more accommodating for the use of technologies such as cloud hosting services. 7. Sampling – Additional direction for assessors on sampling guidance will be included to verify that controls are in place consistently across the entire population.
© ACinfotec 2020 Two Implementation Options Defined Implementation • Follows current PCI DSS requirements and testing procedures • Supports entities whose security implementations align with current requirements • Provides direction on how to meet security objectives Customized Implementation • Focuses on the intent of each PCI DSS requirement • Provides greater flexibility for entities to demonstrate how security controls meet common security objectives • May suit risk-mature entities with a robust risk management approach • Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based. (Compensating controls will be removed) Organizations can choose to report their compliance via one of these two options or choose a blended approach where some of the control requirements may be assessed under the defined implementation and others using the customized implementation approach.

Recommended

Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
VISTA InfoSec
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
ControlCase
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
ControlCase
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
leon bonilla
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
ControlCase
 

Recommended

Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates Webinar - pci dss 4.0 updates
Webinar - pci dss 4.0 updates
VISTA InfoSec
 
A practical guides to PCI compliance
A practical guides to PCI complianceA practical guides to PCI compliance
A practical guides to PCI compliance
Jisc
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
ControlCase
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
Saumya Vishnoi
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
ControlCase
 
Pcidss qr gv3_1
Pcidss qr gv3_1Pcidss qr gv3_1
Pcidss qr gv3_1
leon bonilla
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
Duy Do Phan
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
ControlCase
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
Saumya Vishnoi
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
sameh Abulfotooh
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
okrantz
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
AlienVault
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
Jim Gilsinn
 
Looking Forward: What to Expect With PCI 4.0
Looking Forward: What to Expect With PCI 4.0Looking Forward: What to Expect With PCI 4.0
Looking Forward: What to Expect With PCI 4.0
SureCloud
 
Web5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBDWeb5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBD
SSIMeetup
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
Jiunn-Jer Sun
 
Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101
OneLogin
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
foram74
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
Maganathin Veeraragaloo
 
Trust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai PlatformTrust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai Platform
Elisabeth Bitsch-Christensen
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
Network Intelligence India
 
Session Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Session Sponsored by Splunk: Splunk for the Cloud, in the CloudSession Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Session Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Amazon Web Services
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
himalya sharma
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
Dejan Kosutic
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
Ishan A B Ambanwela
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
Andrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
Mukesh Pant
 
The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
Ulf Mattsson
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
ControlCase
 

More Related Content

What's hot

Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101
OneLogin
 
Session Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Session Sponsored by Splunk: Splunk for the Cloud, in the CloudSession Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Session Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Amazon Web Services
 

What's hot (20)

PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
PCI-DSS_Overview
PCI-DSS_OverviewPCI-DSS_Overview
PCI-DSS_Overview
 
1. PCI Compliance Overview
1. PCI Compliance Overview1. PCI Compliance Overview
1. PCI Compliance Overview
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
ISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How ToISA/IEC 62443: Intro and How To
ISA/IEC 62443: Intro and How To
 
Looking Forward: What to Expect With PCI 4.0
Looking Forward: What to Expect With PCI 4.0Looking Forward: What to Expect With PCI 4.0
Looking Forward: What to Expect With PCI 4.0
 
Web5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBDWeb5 - Open to Build - Block-TBD
Web5 - Open to Build - Block-TBD
 
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
A Big Picture of IEC 62443 - Cybersecurity Webinar (2) 2020
 
Identity Access Management 101
Identity Access Management 101Identity Access Management 101
Identity Access Management 101
 
ISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptxISO_ 27001:2022 Controls & Clauses.pptx
ISO_ 27001:2022 Controls & Clauses.pptx
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
 
Trust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai PlatformTrust No One - Zero Trust on the Akamai Platform
Trust No One - Zero Trust on the Akamai Platform
 
SOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Session Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Session Sponsored by Splunk: Splunk for the Cloud, in the CloudSession Sponsored by Splunk: Splunk for the Cloud, in the Cloud
Session Sponsored by Splunk: Splunk for the Cloud, in the Cloud
 
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAININGPCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
PCI DSS | PCI DSS Training | PCI DSS AWARENESS TRAINING
 
ISO 27001 Benefits
ISO 27001 BenefitsISO 27001 Benefits
ISO 27001 Benefits
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
 
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdfISO 27001 How to use the ISMS Implementation Toolkit.pdf
ISO 27001 How to use the ISMS Implementation Toolkit.pdf
 
ISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptxISMS User_Awareness Training.pptx
ISMS User_Awareness Training.pptx
 

Similar to Looking Forward to PCI DSS v4.0

SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
Mark Akins
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
Christopher Foot
 
IT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet SystemsIT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet Systems
Visionet Systems, Inc.
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Ariel Ben-Harosh
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
gealehegn
 

Similar to Looking Forward to PCI DSS v4.0 (20)

The emerging pci dss and nist standards
The emerging pci dss and nist standardsThe emerging pci dss and nist standards
The emerging pci dss and nist standards
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Verderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCIVerderber Rothke What’s New With PCI
Verderber Rothke What’s New With PCI
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Secrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance ProjectsSecrets for Successful Regulatory Compliance Projects
Secrets for Successful Regulatory Compliance Projects
 
PCI DSS and Other Related Updates
PCI DSS and Other Related UpdatesPCI DSS and Other Related Updates
PCI DSS and Other Related Updates
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
Pci dss in retail now and into the future
Pci dss in retail now and into the futurePci dss in retail now and into the future
Pci dss in retail now and into the future
 
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATIONPCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
PCI DSS | PCI DSS Training | PCI DSS IMPLEMENTATION
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
PCI-DSS for IDRBT
PCI-DSS for IDRBTPCI-DSS for IDRBT
PCI-DSS for IDRBT
 
ISO20000-1 mapping to PCI 【Continuous Study】
ISO20000-1 mapping to PCI 【Continuous Study】ISO20000-1 mapping to PCI 【Continuous Study】
ISO20000-1 mapping to PCI 【Continuous Study】
 
Presentation_Borne
Presentation_BornePresentation_Borne
Presentation_Borne
 
CompTIA CASP+ | Everything you need to know about the new exam
CompTIA CASP+ | Everything you need to know about the new examCompTIA CASP+ | Everything you need to know about the new exam
CompTIA CASP+ | Everything you need to know about the new exam
 
IT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet SystemsIT Security and Risk Management - Visionet Systems
IT Security and Risk Management - Visionet Systems
 
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - WebinarComsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
Comsec PCI DSS v3 2 - Overview and Summary of Changes - Webinar
 
Securing Your Customers' Credit Card Information
Securing Your Customers' Credit Card InformationSecuring Your Customers' Credit Card Information
Securing Your Customers' Credit Card Information
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
Managing Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust PrinciplesManaging Multiple Assessments Using Zero Trust Principles
Managing Multiple Assessments Using Zero Trust Principles
 

Recently uploaded

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Roshan Dwivedi
 

Recently uploaded (20)

A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Looking Forward to PCI DSS v4.0

  • 1. © ACinfotec 2020 Looking Forward to PCI DSS v4.0 (Draft)
  • 2. © ACinfotec 2020 Speaker Profile ชื่อวิทยากร : เกรียงไกร ชุ่มศักดิ์ตระกูล ตาแหน่ง : Consulting Innovation Manager บริษัท ACinfotec ประกาศนียบัตร :  PECB Certified Trainer, PECB ISO27k Lead Implementer & Auditor  PCI Professional, IRCA ISMS Lead Auditor  CISSP, CEH, Security+ ประสบการณ์ : ที่ปรึกษามาตรฐาน ISO27001 ให้หน่วยงานภาครัฐ ภาคเอกชน หน่วยงานโครงสร้างพื้นฐานที่สาคัญของประเทศ ธนาคารในประเทศและ ต่างประเทศ ที่ปรึกษามาตรฐาน PCI DSS ให้ธนาคารในประเทศ และธุรกิจชาระเงินออนไลน์ ที่ปรึกษาด้านความปลอดภัยไซเบอร์ ให้บริษัทข้ามชาติในธุรกิจปิโตรเลียมและพลังงาน ธนาคารในประเทศ หน่วยงานกากับ และหน่วยงาน โครงสร้างพื้นฐานที่สาคัญของประเทศ
  • 4. © ACinfotec 2020 PCI DSS - 12 Core Requirements
  • 5. © ACinfotec 2020 PCI DSS – CHD & SAD
  • 6. © ACinfotec 2020 ”Any organization that accepts payment cards or stores, processes, or transmits credit or debit card data must comply with the PCI DSS.” Who need to comply with PCI DSS?
  • 7. © ACinfotec 2020 Goals for PCI DSS v4.0 • Ensure the standard continues to meet the security needs of the payments industry • Add flexibility and support additional methodologies to achieve security • Promote security as a continuous process • Enhance validation methods and procedure The standard is still on RFC process and won’t be published until 2021 and won’t be required for 2 years after the publication date.
  • 8. © ACinfotec 2020 A first draft of PCI DSS v4.0 • The draft of PCI DSS v4.0 addresses feedback received during the 2017 RFC and reflects changes in payments environments and security technologies. • The updates made to the standard focus on strengthening security and adding flexibility. • While the 12 core PCI DSS requirements remain fundamentally the same, several new requirements are proposed to address evolving risks and threats to payment data and to reinforce security as a continuous process. • All requirements are redesigned to focus on security objectives, and there is a new validation option that gives more flexibility to organizations using different methodologies to meet the intent of PCI DSS requirements.
  • 9. © ACinfotec 2020 Changes to PCI DSS’s layout and descriptions The overall structure of the PCI DSS is retained in version 4.0, and will keep the same 12 high level requirements. Changes to PCI DSS’s layout and descriptions v.4.0 will include: 1. More accurate requirement titles 2. Additional direction and guidance provided in the Overview section 3. Requirements organized into Security Objectives 4. Requirements refocused as objective or outcome-based statements focused on implementation of the security control as the end result. 5. Clear identification of Intent (Objective) for each requirement 6. Expanded Guidance
  • 10. © ACinfotec 2020 Examples of some of the proposed new requirements 1. Scoping – Increased testing and documentation will be required for confirmation of the accuracy and completeness of scope of the cardholder data environment (CDE) and periodic scope validation processes. 2. CHD Protection – Card encryption requirements will be expanded to include all transmissions of CHD instead of only those across public networks. 3. Security awareness training – Requirements for training of end users will be enhanced to include more information regarding current threats and phishing, social engineering, etc. 4. Risk assessment – The Council recognizes that the current PCI DSS requirement that a risk assessment be conducted is not always resulting in useful risk analysis and risk management outcomes. This requirement will be modified to ensure that the risk assessment is not being treated as a “checkbox exercise” by organizations. 5. Authentication – The new version of the DSS will provide more flexibility for the use of authentication techniques and solutions within the CDE to align them with industry best practices. 6. Cloud environments – Version 4.0 will evolve all requirements to be more accommodating for the use of technologies such as cloud hosting services. 7. Sampling – Additional direction for assessors on sampling guidance will be included to verify that controls are in place consistently across the entire population.
  • 11. © ACinfotec 2020 Two Implementation Options Defined Implementation • Follows current PCI DSS requirements and testing procedures • Supports entities whose security implementations align with current requirements • Provides direction on how to meet security objectives Customized Implementation • Focuses on the intent of each PCI DSS requirement • Provides greater flexibility for entities to demonstrate how security controls meet common security objectives • May suit risk-mature entities with a robust risk management approach • Unlike compensating controls, customized validation will not require a business or technical justification for meeting the requirements using alternative methods, as the requirements will now be outcome-based. (Compensating controls will be removed) Organizations can choose to report their compliance via one of these two options or choose a blended approach where some of the control requirements may be assessed under the defined implementation and others using the customized implementation approach.