Scoping and Controls for PCI DSS
By Manish Mahapatra
PCI DSS and its applicability
• The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by the Payment Card Industry Security Standards Council (PCI SSC) for protecting the card ecosystem.
• The PCI SSC was created by the payment brands (Visa, MasterCard, AMEX, JCB and Discover), which drive the implementation of the standard across the globe.
• Any entity that processes, stores or transmits the full card number needs to comply with all the PCI DSS controls. The entity can be a small brick-and-mortar merchant, an e-commerce site or a bank; if it processes, stores or transmits the full card number, it needs to comply with PCI DSS.
PCI DSS Scoping – Applications
• This slide describes how an application comes under the purview of PCI DSS.
• In scope – If the application processes, stores or transmits the full card number at any point of time, the application falls under PCI DSS scope.
◦ An application can receive the card number as part of transaction processing, as part of the settlement process or as part of querying a transaction.
• Out of scope – An application is out of scope if it only ever receives the truncated card number.
◦ A card number is truncated if only a few of its digits are visible while the rest are marked with ‘X’ or replaced with some other character.
◦ As per the PCI DSS requirement, only the first 6 and the last 4 digits of the card number may be displayed; the middle six digits must be truncated. It is acceptable to truncate the first 6 and last 4 digits as well, but the middle six must always be truncated.
◦ If the application receives the full 16-digit card number and truncates it only when storing it, the application still comes under PCI DSS scope.
PCI DSS Scoping – Network and Servers
• This slide describes how servers and networks fall under PCI DSS scope.
• In scope (servers) – If a server processes, stores or transmits the full card number, the server falls under PCI DSS scope.
◦ If a server is deployed in the same V-LAN as another server that processes, stores or transmits the full card number, then the V-LAN or network segment, with all the servers deployed in it, comes under the purview of PCI DSS scope.
◦ For example, consider V-LAN 101 with around 50 servers. If one of the 50 servers processes, transmits or stores the full card number, all 50 servers come under the purview of PCI DSS scope.
• In scope (support servers) – Any support server, such as an AV server, NTP server or domain server, that provides a supporting function to the PCI DSS scoped servers also comes under the purview of PCI DSS scope.
PCI DSS Scoping – Network and Servers
• This slide describes the measures for reducing the PCI DSS scope.
• Scoping out – The PCI DSS scope can be reduced with the following measures:
◦ Create a dedicated V-LAN for the PCI scoped servers (servers processing, transmitting or storing the card number)
◦ Deploy all the PCI scoped servers within the PCI V-LAN
◦ Restrict inter-V-LAN routing and deploy IP- and port-based ACLs (access control lists) for all incoming and outgoing traffic
◦ Use a jump server, with two-factor authentication for accessing it, and restrict access to the PCI scoped servers to the jump server only
◦ Create a dedicated V-LAN for the following segment:
  ◦ A support V-LAN for support servers such as AV, domain, NTP, etc.
  ◦ Allow inbound and outbound traffic between these V-LANs and the PCI server V-LAN, and deny all other inbound and outbound traffic.
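The two scoping slides above can be turned into a small scope calculator. The following Python is an added example, not code from the deck or its author: it applies the propagation rules (PAN-handling server, everything in its V-LAN, plus support servers) to a constructed inventory modelled on the V-LAN 101 / 50-server case, shows how much the scope shrinks after the "scoping out" measures, and checks flows against a default-deny inter-V-LAN policy. The V-LAN numbers (201 PCI, 202 support, 203 jump server), server names and port numbers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Server:
    name: str
    vlan: int
    handles_pan: bool = False           # processes, stores or transmits the full card number
    support_role: Optional[str] = None  # "AV", "NTP", "domain", ... for support servers


def pci_scope(servers: Iterable[Server]) -> Set[str]:
    """Names of servers in PCI DSS scope, by the rules on the scoping slides:
    1. every server that handles the full PAN;
    2. every other server in a V-LAN where such a server sits;
    3. every support server (AV, NTP, domain) serving the scoped servers."""
    servers = list(servers)
    pan_vlans = {s.vlan for s in servers if s.handles_pan}
    scoped = {s.name for s in servers if s.vlan in pan_vlans}
    if scoped:  # support servers only matter once something is in scope
        scoped |= {s.name for s in servers if s.support_role}
    return scoped


def flat_network() -> List[Server]:
    """Constructed inventory: V-LAN 101 with 50 servers, of which only srv-07
    touches the full PAN, plus three support servers in the same V-LAN."""
    servers = [Server(f"srv-{i:02d}", 101, handles_pan=(i == 7)) for i in range(1, 51)]
    servers += [
        Server("av-01", 101, support_role="AV"),
        Server("ntp-01", 101, support_role="NTP"),
        Server("dc-01", 101, support_role="domain"),
    ]
    return servers


def segmented_network() -> List[Server]:
    """Same inventory after the scoping-out measures: the PAN server moves to a
    dedicated PCI V-LAN 201, support servers to a support V-LAN 202, the rest stay in 101."""
    return [
        Server(s.name, 201 if s.handles_pan else 202 if s.support_role else 101,
               s.handles_pan, s.support_role)
        for s in flat_network()
    ]


# Default-deny inter-V-LAN policy: (src_vlan, dst_vlan) -> allowed destination ports.
# Ports are constructed examples: NTP 123, Kerberos 88, LDAP 389, an AV agent port 8443,
# and SSH/RDP only from the jump-server V-LAN 203 into the PCI V-LAN.
ALLOWED_FLOWS: Dict[Tuple[int, int], Set[int]] = {
    (202, 201): {123, 88, 389, 8443},
    (201, 202): {123, 88, 389, 8443},
    (203, 201): {22, 3389},
}


def flow_allowed(src_vlan: int, dst_vlan: int, dst_port: int) -> bool:
    """Anything not explicitly listed is denied; intra-V-LAN traffic never hits the ACL."""
    if src_vlan == dst_vlan:
        return True
    return dst_port in ALLOWED_FLOWS.get((src_vlan, dst_vlan), set())


if __name__ == "__main__":
    print("flat network in scope:", len(pci_scope(flat_network())))          # 53
    print("segmented network in scope:", sorted(pci_scope(segmented_network())))
    print("workstation V-LAN 101 -> PCI ssh:", flow_allowed(101, 201, 22))   # False
    print("jump V-LAN 203 -> PCI ssh:", flow_allowed(203, 201, 22))          # True
```

The point the numbers make is the one the slide makes: one PAN-handling host in a flat V-LAN drags 53 systems into scope, while the same host in a dedicated V-LAN leaves four, and every flow into that V-LAN has to be listed explicitly or it is dropped.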
PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number:
◦ Password policy – 7-character alphanumeric passwords with a maximum age of 90 days, a password history of 4 previous passwords, account lockout after 6 invalid login attempts with a lockout period of 30 minutes, and a session timeout of 15 minutes.
◦ User access control –
  ◦ Zero privileges or permissions when creating a new user or role
  ◦ An option to grant permission for viewing the full card number; this permission can be granted to a user but not to a role
  ◦ User passwords need to be hashed using either the SHA-256 or the SHA-512 hashing algorithm
◦ Audit trails –
  ◦ All successful and unsuccessful login attempts to the application
  ◦ All actions taken by the application administrator
  ◦ Any system-object-level changes made by the application
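The password policy and access-control bullets above map directly onto a handful of checks in the application's authentication code. The Python below is an added example (not the deck's or its author's code) that enforces the slide's numbers: 7-character alphanumeric minimum, 90-day maximum age, a history of 4 previous passwords, lockout after 6 invalid attempts for 30 minutes, a 15-minute session timeout, and zero permissions at account creation. The slide asks for SHA-256/SHA-512 hashing; the example uses salted, iterated SHA-256 via PBKDF2-HMAC so that two users with the same password do not share a hash, which is the form a practitioner would deploy. The round count, the time values passed in as `now` and the permission name are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Values taken from the slide's password policy
MIN_LENGTH = 7
MAX_AGE_SECONDS = 90 * 86400
HISTORY_DEPTH = 4
LOCKOUT_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60
SESSION_TIMEOUT_SECONDS = 15 * 60
# Salted, iterated SHA-256 (PBKDF2-HMAC); the round count is a constructed choice.
PBKDF2_ROUNDS = 100_000
# Constructed permission name; the slide's rule is that it is granted per user, never to a role.
VIEW_FULL_PAN = "view_full_pan"


def meets_policy(password: str) -> bool:
    """7+ characters and alphanumeric (at least one letter and one digit)."""
    return (len(password) >= MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: float                                      # epoch seconds
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    failed_attempts: int = 0
    locked_until: float = 0.0
    last_activity: float = 0.0
    permissions: Set[str] = field(default_factory=set)          # empty at creation: zero privilege


def create_account(username: str, password: str, now: float) -> Account:
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt, digest = hash_password(password)
    return Account(username, salt, digest, now)


def change_password(acct: Account, new_password: str, now: float) -> str:
    """Returns 'ok', 'weak' or 'reused'; reuse is checked against the current
    password and the last HISTORY_DEPTH previous ones."""
    if not meets_policy(new_password):
        return "weak"
    for salt, digest in [(acct.salt, acct.digest)] + acct.history:
        if check_password(new_password, salt, digest):
            return "reused"
    acct.history = ([(acct.salt, acct.digest)] + acct.history)[:HISTORY_DEPTH]
    acct.salt, acct.digest = hash_password(new_password)
    acct.password_set_at = now
    return "ok"


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'bad_password', 'locked' or 'password_expired'.
    Every one of these outcomes is an event the slide's audit trail must record."""
    if now < acct.locked_until:
        return "locked"
    if not check_password(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0
    if now - acct.password_set_at > MAX_AGE_SECONDS:
        return "password_expired"
    acct.last_activity = now
    return "ok"


def session_active(acct: Account, now: float) -> bool:
    """Idle sessions older than 15 minutes are no longer valid."""
    return acct.last_activity > 0 and now - acct.last_activity <= SESSION_TIMEOUT_SECONDS
```

Passing `now` explicitly keeps the lockout and expiry arithmetic testable; in production it would be the server clock, which is one reason the server slides insist on NTP synchronisation.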
PCI DSS Controls – Application
• This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number:
◦ Encryption and key management –
  ◦ If the application stores the full 16-digit card number, it should encrypt it using AES with a 128-bit or longer key, 3-DES, or RSA with a 1024-bit or longer key
  ◦ The application should follow the controls specified in PCI DSS Requirements 3.5 and 3.6 for managing the encryption keys
◦ Secure code review –
  ◦ For every major change to the application, the client needs to conduct a secure code review using the OWASP Code Review Guide as reference.
  ◦ For minor changes, conduct the secure code review on an annual basis
◦ Application penetration testing following the OWASP Testing Guide –
  ◦ If the application has a web interface or makes web-service calls, a web application penetration test of the web interface and web services is needed on a bi-annual basis, following the OWASP Testing Guide
PCI DSS Controls – Servers
• This slide describes the list of controls to be deployed on the servers:
◦ Hardening – The client needs to harden the servers based on industry best practice. Hardening should be carried out for database and web servers as well.
◦ Deploy AV – An AV solution needs to be deployed on all PCI scoped servers and configured to run a full system scan on a weekly basis.
◦ Deploy a File Integrity Monitoring (FIM) solution – The FIM solution should monitor any changes made to system configuration files and application configuration files
◦ Configure NTP – Servers should be configured for time synchronization from a central NTP server
◦ Configure the audit trails – Servers should be configured to generate all types of logs and audit trails and to push them to a central log server
◦ Monthly patching – The client should have a process for patching the servers on a monthly basis; it should not be restricted to OS patches but should cover application and application library patches as well
◦ Quarterly vulnerability assessment scans – The client needs to conduct a credentialed vulnerability assessment scan using either Nessus or QualysGuard on a quarterly basis
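The FIM bullet above is easy to misread as "run a checksum over /etc". What a FIM deployment actually needs is a baseline, a comparison that classifies every difference, and protection of the baseline itself, since an attacker who can edit configuration files can usually edit an unprotected baseline too. The Python below is an added example, not the deck's or its author's code: it baselines every file under a directory with SHA-256, seals the baseline with an HMAC, and reports added, removed and modified files. The `demo()` function builds a throw-away directory with constructed file names and contents; the HMAC key and file paths are constructed assumptions.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference; any non-empty list is an alert for the log server."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def seal(base: Dict[str, str], key: bytes) -> str:
    """Serialize the baseline with an HMAC so a tampered baseline is caught on load."""
    body = json.dumps(base, sort_keys=True)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def unseal(sealed: str, key: bytes) -> Dict[str, str]:
    obj = json.loads(sealed)
    expected = hmac.new(key, obj["baseline"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, obj["hmac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(obj["baseline"])


def baseline_intact(sealed: str, key: bytes) -> bool:
    try:
        unseal(sealed, key)
        return True
    except ValueError:
        return False


def demo() -> Dict[str, List[str]]:
    """Constructed run: baseline two config files, then modify one, delete one, add one."""
    key = b"constructed-demo-key"  # in practice held by the FIM server, not on the monitored host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=pci-db-01\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        sealed = seal(baseline(root), key)
        # ... later, changes happen on the host ...
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "app.conf").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * root /opt/app/rotate\n")
        return compare(unseal(sealed, key), baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real server the scan set would be the OS and application configuration directories the slide names, the sealed baseline would live on the central log server, and each non-empty diff would be forwarded there as an event rather than printed.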
PCI DSS Controls – Infrastructure
• This slide describes the list of controls to be deployed at the infrastructure level:
◦ Create a demilitarized zone (DMZ) – Create a PCI DMZ for deploying all PCI scoped web servers
◦ Deploy an Intrusion Prevention System (IPS) – Deploy an IPS to monitor both incoming and outgoing traffic of the PCI scoped server segment
◦ Deploy a centralized log server and a log monitoring process –
  ◦ Logs and audit trails from all applications, servers and network components need to be pushed to a central log server
  ◦ A log monitoring solution needs to be deployed to generate security alerts
◦ Deploy a centralized AV console and patch management system – The AV solution and the patch management system need to be centralized solutions
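Centralising logs only pays off once something reads them. The Python below is an added example (not the deck's or its author's code) of two alert rules a log monitoring process would run over the events the earlier slides say must be logged: a burst of failed logins against a PCI scoped server, and a successful login or administrator action that did not arrive via the jump server, which means the jump-server-only access rule on the scoping slide has been bypassed or misconfigured. The line format, the jump server address, the thresholds and the sample log lines are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed assumptions: the only host allowed to open sessions on PCI scoped servers
# is the jump server, and five failures from one source within ten minutes is an alert.
JUMP_SERVER_IPS = {"10.10.30.5"}
FAILED_THRESHOLD = 5
FAILED_WINDOW = timedelta(minutes=10)

# Constructed event format as forwarded to the central log server:
#   <ISO timestamp> <host> <LOGIN_FAIL|LOGIN_OK|ADMIN_ACTION> user=<name> src=<ip> [extra]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>LOGIN_FAIL|LOGIN_OK|ADMIN_ACTION) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)

SAMPLE_LOG = """\
2024-01-15T09:00:00 pci-web-01 LOGIN_FAIL user=bob src=10.0.5.12
2024-01-15T09:30:00 pci-web-01 LOGIN_FAIL user=bob src=10.0.5.12
2024-01-15T10:00:01 pci-db-01 LOGIN_FAIL user=admin src=192.0.2.44
2024-01-15T10:00:05 pci-db-01 LOGIN_FAIL user=admin src=192.0.2.44
2024-01-15T10:00:09 pci-db-01 LOGIN_FAIL user=root src=192.0.2.44
2024-01-15T10:00:12 pci-db-01 LOGIN_FAIL user=root src=192.0.2.44
2024-01-15T10:00:15 pci-db-01 LOGIN_FAIL user=oracle src=192.0.2.44
2024-01-15T10:00:18 pci-db-01 LOGIN_FAIL user=oracle src=192.0.2.44
2024-01-15T10:20:00 pci-app-01 LOGIN_OK user=deploy src=10.10.30.5
2024-01-15T10:21:30 pci-app-01 LOGIN_OK user=deploy src=10.0.5.12
2024-01-15T10:22:00 pci-app-01 ADMIN_ACTION user=deploy src=10.10.30.5 cmd=useradd
Jan 15 10:23:00 pci-app-01 sshd[123]: free-form line the parser does not understand
"""


def parse_line(line: str) -> Optional[Dict]:
    m = LINE_RE.match(line)
    if not m:
        return None  # a real pipeline would count unparsed lines as well
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines: Iterable[str]) -> List[Dict]:
    alerts: List[Dict] = []
    failures: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["host"], ev["src"])
        if ev["event"] == "LOGIN_FAIL":
            q = failures[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAILED_WINDOW:  # slide the window
                q.popleft()
            if len(q) == FAILED_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"rule": "brute_force", "host": ev["host"], "src": ev["src"],
                               "user": ev["user"], "at": ev["ts"].isoformat()})
        elif ev["src"] not in JUMP_SERVER_IPS:
            # LOGIN_OK / ADMIN_ACTION that did not come through the jump server
            alerts.append({"rule": "non_jump_server_access", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two slow failures against pci-web-01 fall outside the ten-minute window and stay quiet; the burst against pci-db-01 fires exactly once, and the one session that reached pci-app-01 from a workstation address rather than the jump server is flagged even though the login succeeded.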
PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS compliance:
◦ A change management process covering –
  ◦ Any firewall rule change
  ◦ Any change to network component configuration
  ◦ Any change to a server
  ◦ Any application-level change
◦ Hardening guidelines for system and network components, such as –
  ◦ Hardening the server OS
  ◦ Hardening other applications deployed on the server, such as the database, web server, etc.
  ◦ Hardening the network components
PCI DSS Controls – Process Controls
• This slide describes the list of process controls to be deployed for achieving PCI DSS compliance:
◦ Incorporate security controls into the Software Development Life Cycle (SDLC) for developing internal applications
◦ A process for reviewing the user lists in the domain, applications and network components on a quarterly basis
◦ A process for conducting a risk assessment on an annual basis for all processes and environments handling the card number
◦ A process for conducting an internal information security awareness and training program on an annual basis
◦ A card finder tool should be run on a quarterly basis on all servers to identify all the locations where the card number is getting captured
◦ A credentialed internal vulnerability assessment should be conducted on a quarterly basis
◦ An internal pen-test should be conducted on a bi-annual basis
PCI DSS Controls – Desktops
• This slide describes the list of controls to be deployed for user desktops that process the card number:
◦ The user desktops cover all client personnel who will be entering or viewing the full card number (for example, the finance or collections department)
◦ The desktops should have a DLP solution deployed
◦ Card finder tools should be run on a quarterly basis to identify whether the card number is getting captured or not
◦ Internet access should be restricted to a few whitelisted URLs
◦ Desktops should be configured to generate audit trails / logs and push them to a central log server
◦ Other solutions like AV, FIM and VAPT (vulnerability assessment) need to be deployed
◦ The user V-LAN or network segment will come under the purview of PCI DSS scope, and all PCI DSS controls like AV, VAPT, FIM and audit trails need to be configured on all the systems deployed in that V-LAN or network segment.
Steps for confirming the PCI Scope
• This slide details the next set of steps to be taken by the client for determining the PCI DSS scope:
◦ Run a card finder tool – The client needs to run card finder tools on all the servers and desktops across the client network. The objective of running the card finder tool is to identify all the locations (Excel sheets, log files, databases, etc.) where the full card number is getting stored.
◦ Analyze to terminate or to include – Analyze each location where the full card number is getting stored and confirm the following:
  ◦ The source from which the location is receiving the full card number
  ◦ Whether the full card number is required or whether the truncated card number will suffice
  ◦ Please note that in 99.99% of cases, the full card number will not be required. If any user or business function requires the full card number, confirm the following with them:
    ◦ When they last used the full card number
    ◦ Whether they can use any other data apart from the full card number for the business function
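Both the application-scoping slide (full versus truncated card number, first 6 and last 4 visible at most) and the card finder step above come down to the same two questions about any value found on disk: is it a full card number, and if it is masked, is it masked correctly? The Python below is an added example, not the deck's or its author's code and not any commercial card finder: it scans text for candidate digit runs, uses the Luhn check to separate card numbers from order numbers and timestamps, classifies each candidate as full, correctly truncated or over-exposed (middle digits visible), and reports file, line and a masked value so the report itself never contains a full PAN. The deck speaks of 16-digit card numbers; the regex accepts the 13 to 19 digit range real PANs use. The sample files, file names and the set of mask characters are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List

# Characters assumed to replace hidden digits (the slide says 'X' or any other character).
MASK_CHARS = set("Xx*#")

# 13-19 digits or mask characters, optionally grouped by spaces or dashes,
# not glued to other word characters (so longer digit runs are not split into a match).
CANDIDATE_RE = re.compile(r"(?<![\w])(?:[\dXx*#][ -]?){13,19}(?![\w])")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(token: str) -> str:
    """'full_pan', 'truncated' (only first 6 / last 4 visible), 'over_exposed'
    (a middle digit is visible) or 'not_a_pan'."""
    cleaned = re.sub(r"[ -]", "", token)
    if not 13 <= len(cleaned) <= 19:
        return "not_a_pan"
    if cleaned.isdigit():
        return "full_pan" if luhn_valid(cleaned) else "not_a_pan"
    if not all(c.isdigit() or c in MASK_CHARS for c in cleaned):
        return "not_a_pan"
    if any(c.isdigit() for c in cleaned[6:-4]):
        return "over_exposed"
    return "truncated"


def mask(token: str) -> str:
    """First 6 and last 4 kept, everything between replaced, for safe reporting."""
    cleaned = re.sub(r"[ -]", "", token)
    return cleaned[:6] + "X" * (len(cleaned) - 10) + cleaned[-4:]


def find_card_numbers(files: Dict[str, str]) -> List[dict]:
    """Scan {path: text}; report full PANs and badly masked values with file and line."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in CANDIDATE_RE.finditer(line):
                kind = classify(m.group())
                if kind in ("full_pan", "over_exposed"):
                    findings.append({"file": name, "line": lineno,
                                     "kind": kind, "value": mask(m.group())})
    return findings


def find_in_directory(root: str) -> List[dict]:
    """Same scan over every file under a directory tree."""
    files = {p.as_posix(): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file()}
    return find_card_numbers(files)


# Constructed sample data: a finance spreadsheet export, an application log and a note.
# 4111 1111 1111 1111 and 5500 0000 0000 0004 are the well-known Luhn-valid test numbers.
SAMPLE_FILES = {
    "finance/refunds.csv": (
        "order,card,amount\n"
        "1001,4111 1111 1111 1111,59.90\n"
        "1002,550000XXXXXX0004,12.00\n"
    ),
    "app/server.log": (
        "2024-01-15 10:22:01 INFO order=1003 pan=5500000000000004 status=ok\n"
        "2024-01-15 10:22:02 INFO order=1004 pan=411111XX11111111 status=ok\n"
        "2024-01-15 10:22:03 INFO session=20240115102203 ok\n"
    ),
    "docs/notes.txt": "Ticket 1234567890123 closed\n",
}


if __name__ == "__main__":
    for f in find_card_numbers(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {f['kind']} {f['value']}")
```

Of the five candidates in the sample data, the refund export and the first log line hold full card numbers (both locations would go into the "analyze to terminate or include" list), the second log line is masked but shows middle digits, and the 14-digit session id and the 13-digit ticket number fail the Luhn check and are ignored. The correctly truncated value in the CSV is not reported at all, which is the point of the first-6/last-4 rule.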
Steps for confirming the Scope
• This slide details the next set of steps to be taken by the client for determining the PCI DSS scope:
◦ Finalize the locations – Finalize all the locations where the full card number is required to be processed, stored or transmitted. Please note that if the full card number is received and the application only stores the truncated card number, that system will still be in PCI DSS scope.
◦ Based on the above step, identify and finalize all the servers and user desktops within the client network that process, store or transmit the full card number.
◦ The V-LAN or network segment in which these servers and user desktops are deployed will come under PCI DSS scope, including all the servers and user desktops deployed in the scoped V-LANs / network segments.
Thank You!
Manish M
Cyber Security Training Provider
Manish.cor@gmail.com
Contact: +91-9036350000
Linked-in: https://www.linkedin.com/in/manishmahapatra
Join my group on https://www.linkedin.com/groups/6517220 for more updates.

More Related Content

What's hot

PCI DSS ASV Scanning from Nettitude
PCI DSS ASV Scanning from NettitudePCI DSS ASV Scanning from Nettitude
PCI DSS ASV Scanning from Nettitudespillans
 
24 by 7 NOC service for MSPs
24 by 7 NOC service for MSPs24 by 7 NOC service for MSPs
24 by 7 NOC service for MSPsconcordantone
 
DCMS AKCP Product Presentation
DCMS AKCP Product PresentationDCMS AKCP Product Presentation
DCMS AKCP Product PresentationFanky Christian
 
Monitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManagerMonitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManagerManageEngine
 
Rest Solution : NOC-as-a-service
Rest Solution : NOC-as-a-serviceRest Solution : NOC-as-a-service
Rest Solution : NOC-as-a-serviceChristian Torres
 
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...Precisely
 
Data center
Data centerData center
Data centergssmedia
 
NOC Service desk
NOC Service deskNOC Service desk
NOC Service deskamerica.gss
 
Tatanet Corporate Presentation
Tatanet Corporate PresentationTatanet Corporate Presentation
Tatanet Corporate PresentationRohit Kumar
 
How to create effective NOC in Poland
How to create effective NOC in PolandHow to create effective NOC in Poland
How to create effective NOC in PolandKamil Grabowski
 
Monitoring a Dynamics CRM Infrastructure
Monitoring a Dynamics CRM InfrastructureMonitoring a Dynamics CRM Infrastructure
Monitoring a Dynamics CRM InfrastructureStéphane Dorrekens
 
IT Security: Eliminating threats with effective network & log analysis
IT Security: Eliminating threats with effective network & log analysisIT Security: Eliminating threats with effective network & log analysis
IT Security: Eliminating threats with effective network & log analysisManageEngine, Zoho Corporation
 
Network Operations Center
Network Operations CenterNetwork Operations Center
Network Operations CenterLorenta Erhabor
 
24/7 outsourced noc services
24/7 outsourced  noc services24/7 outsourced  noc services
24/7 outsourced noc servicesElena Benson
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerManageEngine, Zoho Corporation
 
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerGulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerManageEngine, Zoho Corporation
 

What's hot (20)

PCI DSS ASV Scanning from Nettitude
PCI DSS ASV Scanning from NettitudePCI DSS ASV Scanning from Nettitude
PCI DSS ASV Scanning from Nettitude
 
TRT - Plate Spin Presentation
TRT - Plate Spin PresentationTRT - Plate Spin Presentation
TRT - Plate Spin Presentation
 
24 by 7 NOC service for MSPs
24 by 7 NOC service for MSPs24 by 7 NOC service for MSPs
24 by 7 NOC service for MSPs
 
DCMS AKCP Product Presentation
DCMS AKCP Product PresentationDCMS AKCP Product Presentation
DCMS AKCP Product Presentation
 
Monitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManagerMonitor and manage everything Cisco using OpManager
Monitor and manage everything Cisco using OpManager
 
Rest Solution : NOC-as-a-service
Rest Solution : NOC-as-a-serviceRest Solution : NOC-as-a-service
Rest Solution : NOC-as-a-service
 
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
Managed Resilience: Unparalleled Protection for Your IBM i System Availabilit...
 
Data center
Data centerData center
Data center
 
NOC Service desk
NOC Service deskNOC Service desk
NOC Service desk
 
Tatanet Corporate Presentation
Tatanet Corporate PresentationTatanet Corporate Presentation
Tatanet Corporate Presentation
 
Cybernetyx introduction
Cybernetyx introductionCybernetyx introduction
Cybernetyx introduction
 
How to create effective NOC in Poland
How to create effective NOC in PolandHow to create effective NOC in Poland
How to create effective NOC in Poland
 
Monitoring a Dynamics CRM Infrastructure
Monitoring a Dynamics CRM InfrastructureMonitoring a Dynamics CRM Infrastructure
Monitoring a Dynamics CRM Infrastructure
 
IT Security: Eliminating threats with effective network & log analysis
IT Security: Eliminating threats with effective network & log analysisIT Security: Eliminating threats with effective network & log analysis
IT Security: Eliminating threats with effective network & log analysis
 
Overview OpManager
Overview OpManagerOverview OpManager
Overview OpManager
 
Network Operations Center
Network Operations CenterNetwork Operations Center
Network Operations Center
 
24/7 outsourced noc services
24/7 outsourced  noc services24/7 outsourced  noc services
24/7 outsourced noc services
 
Configlets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration ManagerConfiglets, compliance, RBAC & reports - Network Configuration Manager
Configlets, compliance, RBAC & reports - Network Configuration Manager
 
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManagerGulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
Gulf Chemicals & Metallurgy manages 1700 interfaces with OpManager
 
Proof of Concept Guide for ManageEngine OpManager
Proof of Concept Guide for ManageEngine OpManagerProof of Concept Guide for ManageEngine OpManager
Proof of Concept Guide for ManageEngine OpManager
 

Similar to PCI DSS Scoping and Controls

PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxgealehegn
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit StandardsKeyur Thakore
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS v3.2 Implementation - Bliss or Nightmare
PCI DSS v3.2 Implementation - Bliss or NightmarePCI DSS v3.2 Implementation - Bliss or Nightmare
PCI DSS v3.2 Implementation - Bliss or NightmareSivaramakrishnan N MBA PMP
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Stephanie Gutowski
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecurePaymetric, Inc.
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070retheauditors
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)ControlCase
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes ControlCase
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsHelpSystems
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Cisco Russia
 

Similar to PCI DSS Scoping and Controls (20)

PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
Educause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptxEducause+PCI+briefing+4-19-20162345.pptx
Educause+PCI+briefing+4-19-20162345.pptx
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Pci dss intro v2
Pci dss intro v2Pci dss intro v2
Pci dss intro v2
 
Data Center Audit Standards
Data Center Audit StandardsData Center Audit Standards
Data Center Audit Standards
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0
 
PCI DSS v3.2 Implementation - Bliss or Nightmare
PCI DSS v3.2 Implementation - Bliss or NightmarePCI DSS v3.2 Implementation - Bliss or Nightmare
PCI DSS v3.2 Implementation - Bliss or Nightmare
 
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D...
 
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and SecureHow To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
How To Avoid PCI Pitfalls in Keeping Your SAP® System Compliant and Secure
 
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
SAS 70 in a Post-Sarbanes, SaaS World: Quest Session 52070
 
PCI DSS Compliance Readiness
PCI DSS Compliance ReadinessPCI DSS Compliance Readiness
PCI DSS Compliance Readiness
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes
 
An Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power SystemsAn Introduction to PCI Compliance on IBM Power Systems
An Introduction to PCI Compliance on IBM Power Systems
 
Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности Текториал по тематике информационной безопасности
Текториал по тематике информационной безопасности
 

Recently uploaded

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
costume and set research powerpoint presentation

PCI DSS Scoping and Controls

  • 1. Scoping and Controls for PCI DSS By Manish Mahapatra
  • 2. PCI DSS and its applicability
    • The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard created by the Payment Card Industry Security Standards Council (PCI SSC) for protecting the card ecosystem.
    • The PCI SSC body was created by the payment brands (VISA, MasterCard, AMEX, JCB and Discover), and they drive the implementation of the standard across the globe.
    • Any entity which processes, stores or transmits the full card number needs to comply with all the PCI DSS controls. The entity can be a small brick-and-mortar merchant, an e-commerce site or a bank, but if it processes, stores or transmits the full card number, it needs to comply with PCI DSS.
  • 3. PCI DSS Scoping – Applications
    • This slide describes how an application comes under the purview of PCI DSS.
    • In scope – If the application processes, stores or transmits the full card number at any point in time, then the application falls under the PCI DSS scope.
      ◦ An application can receive the card number as part of transaction processing, the settlement process or as part of querying a transaction.
    • Out of scope – An application is out of scope if it only receives the truncated card number.
      ◦ A card number is truncated if only a few of the digits are visible while the rest of the digits are marked with ‘X’ or replaced with another character.
      ◦ As per the PCI DSS requirement, only the first 6 digits and last 4 digits of the card number can be displayed, while the middle six digits need to be truncated. It is fine to truncate the first 6 and last 4 digits as well, but the middle six always need to be truncated.
      ◦ If the application receives the full 16-digit card number and then truncates it during storage, the application still comes under the PCI DSS scope.
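The truncation rule and the scope rule above, written out as an added Python example (not code from the slides). It generalizes the slide's 16-digit case to card numbers of 13 to 19 digits, which is an assumption; the helper names (`truncate_pan`, `scope_decision`) and the test card numbers are invented for the example.

```python
import re

# Constructed example (not from the slides): the slide 3 truncation rule as code,
# plus a scope classifier applying the rule that merely receiving the full card
# number puts an application in scope, even if it only stores the truncated form.
# Card numbers used with this module in tests are the well-known test numbers.

PAN_LENGTHS = range(13, 20)   # assumption: 13 to 19 digits (the slide only mentions 16)
MAX_VISIBLE_FIRST = 6         # PCI DSS display rule: at most first 6 visible
MAX_VISIBLE_LAST = 4          # and at most last 4 visible


def normalize(value: str) -> str:
    """Strip the spaces and dashes people type between digit groups."""
    return re.sub(r"[\s-]", "", value)


def is_full_pan(value: str) -> bool:
    """True if every digit of a card number is present."""
    v = normalize(value)
    return v.isdigit() and len(v) in PAN_LENGTHS


def is_truncated_pan(value: str) -> bool:
    """True if the value is a card number with its middle masked: at most 6 leading
    digits, at most 4 trailing digits, and no digits at all in between."""
    v = normalize(value)
    if len(v) not in PAN_LENGTHS or v.isdigit():
        return False
    leading = len(v) - len(v.lstrip("0123456789"))
    trailing = len(v) - len(v.rstrip("0123456789"))
    middle = v[leading:len(v) - trailing]
    return (leading <= MAX_VISIBLE_FIRST and trailing <= MAX_VISIBLE_LAST
            and len(middle) > 0 and not any(c.isdigit() for c in middle))


def truncate_pan(value: str, show_first: int = 6, show_last: int = 4, mask_char: str = "X") -> str:
    """Return the truncated form. Fewer visible digits than 6/4 is allowed,
    more is not, so the middle digits are always hidden."""
    digits = normalize(value)
    if not is_full_pan(digits):
        raise ValueError("not a full card number")
    if not (0 <= show_first <= MAX_VISIBLE_FIRST and 0 <= show_last <= MAX_VISIBLE_LAST):
        raise ValueError("PCI DSS allows at most the first 6 and last 4 digits to be displayed")
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + mask_char * hidden + digits[len(digits) - show_last:]


def scope_decision(received_value: str) -> str:
    """Classify an application by what it receives: full PAN means in scope,
    an already-truncated PAN means out of scope."""
    if is_full_pan(received_value):
        return "in-scope"
    if is_truncated_pan(received_value):
        return "out-of-scope"
    return "not-a-card-number"


if __name__ == "__main__":
    print(truncate_pan("4111 1111 1111 1111"))
    print(scope_decision("411111XXXXXX1111"))
```

Note that `scope_decision` looks only at the value as received, which is the point of the slide: an application that receives the full number and calls `truncate_pan` before storing it is still in scope.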
  • 4. PCI DSS Scoping – Network and Servers
    • This slide describes how servers and networks fall under the PCI DSS scope.
    • In scope (servers) – If the server processes, stores or transmits the full card number, then the server falls under the PCI DSS scope.
      ◦ Likewise, if the server is deployed in the same V-LAN as another server which processes, stores or transmits the full card number, then the V-LAN or network segment, with all the servers deployed in it, comes under the purview of the PCI DSS scope.
      ◦ For example, consider V-LAN 101 which has around 50 servers. If one of the 50 servers processes, transmits or stores the full card number, then all 50 servers come under the purview of the PCI DSS scope.
    • In scope (support servers) – Any support servers such as the AV server, NTP server or domain server which provide a supporting function to the PCI DSS scoped servers will also come under the purview of the PCI DSS scope.
  • 5. PCI DSS Scoping – Network and Servers
    • This slide describes the measures for reducing the PCI DSS scope.
    • Scoping out – Using the following measures one can reduce the PCI DSS scope:
      ◦ Create a dedicated V-LAN for PCI scoped servers (servers processing, transmitting or storing the card number).
      ◦ Deploy all the PCI scoped servers within the PCI V-LAN.
      ◦ Restrict inter-V-LAN routing and deploy IP- and port-based ACLs (Access Control Lists) for all incoming and outgoing traffic.
      ◦ Use a jump server with two-factor authentication for accessing it, and restrict access to the PCI scoped servers to the jump server only.
      ◦ Create a dedicated V-LAN for the following segment:
        ◦ A support V-LAN for support servers like AV, Domain, NTP, etc.
        ◦ Allow inbound and outbound traffic to the PCI server V-LAN from this V-LAN, and deny all other inbound and outbound traffic.
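The scoping rules of slides 4 and 5 (a PAN-handling server is in scope, its whole V-LAN follows, support servers follow, and a dedicated PCI V-LAN plus support V-LAN shrinks the result) as an added Python example that is not from the slides. The server names, V-LAN names and support relationships are invented sample data; the fixed-point propagation is the added part.

```python
from dataclasses import dataclass

# Constructed model (not from the slides) of the slide 4 / slide 5 scoping rules.
# Every name below is invented sample data.


@dataclass(frozen=True)
class Server:
    name: str
    vlan: str
    handles_pan: bool = False   # processes, stores or transmits the full card number
    supports: tuple = ()        # servers this one gives a supporting function to (AV, NTP, domain)


def pci_scope(servers):
    """Return (in-scope server names, in-scope V-LANs) by propagating the rules:
    1. a server handling the full PAN is in scope;
    2. every server in the same V-LAN as an in-scope server is in scope;
    3. a support server serving an in-scope server is in scope, and via rule 2
       its own V-LAN follows unless it sits in a dedicated support V-LAN.
    Iterates until no new server is pulled in."""
    by_name = {s.name: s for s in servers}
    in_scope = {s.name for s in servers if s.handles_pan}
    while True:
        scoped_vlans = {by_name[n].vlan for n in in_scope}
        expanded = {s.name for s in servers if s.vlan in scoped_vlans}
        expanded |= {s.name for s in servers if any(t in in_scope for t in s.supports)}
        if expanded <= in_scope:
            return in_scope, scoped_vlans
        in_scope |= expanded


def pci_vlan_policy(pci_vlan, support_vlan, vlans):
    """Slide 5's intent as a V-LAN rule table: only the support V-LAN may talk to
    the PCI V-LAN, every other V-LAN is denied both ways. A real ACL would be
    written per IP and port; this only captures which segments may talk."""
    rules = []
    for v in sorted(vlans):
        if v == pci_vlan:
            continue
        action = "allow" if v == support_vlan else "deny"
        rules.append((v, pci_vlan, action))
        rules.append((pci_vlan, v, action))
    return rules


# Before segmentation: one flat server V-LAN plus an office V-LAN that hosts NTP.
FLAT_NETWORK = [
    Server("app1", "vlan101", handles_pan=True),
    Server("hr-web", "vlan101"),
    Server("av", "vlan101", supports=("app1", "hr-web", "office-pc")),
    Server("ntp", "vlan200", supports=("app1", "hr-web")),
    Server("office-pc", "vlan200"),
]

# After segmentation: dedicated PCI V-LAN and dedicated support V-LAN.
SEGMENTED_NETWORK = [
    Server("app1", "pci-vlan", handles_pan=True),
    Server("hr-web", "vlan101"),
    Server("av", "support-vlan", supports=("app1", "hr-web", "office-pc")),
    Server("ntp", "support-vlan", supports=("app1", "hr-web")),
    Server("office-pc", "vlan200"),
]


if __name__ == "__main__":
    for label, net in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        names, vlans = pci_scope(net)
        print(label, sorted(names), sorted(vlans))
```

On the flat network the single NTP server drags the office V-LAN into scope, which is exactly the slide's reason for a dedicated support V-LAN: after segmentation only the PAN-handling server and its two support servers remain in scope.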
  • 6. PCI DSS Controls – Application
    • This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number:
      ◦ Password policy – 7-character alphanumeric password with a maximum age of 90 days, a password history of 4 previous passwords, account lockout after 6 invalid login attempts with a lockout period of 30 minutes, and a session timeout of 15 minutes.
      ◦ User access control –
        ◦ Zero privileges or permissions when creating a new user or role.
        ◦ An option for granting permission to view the full card number; this permission can be granted to a user and not to a role.
        ◦ User passwords need to be hashed using either the SHA-256 or the SHA-512 hashing algorithm.
      ◦ Audit trails –
        ◦ All successful and unsuccessful login attempts to the application.
        ◦ All actions taken by the application administrator.
        ◦ Any system object level changes made by the application.
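The password policy numbers on this slide as an enforceable account model, added here as a Python example that is not the slide author's code. It uses SHA-256 as the slide specifies; the per-user random salt is an addition (an assumption of good practice, not a slide requirement), and the `Account` class and the `scenario()` walkthrough are invented for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed example (not from the slides): the slide 6 password policy as code.
POLICY = {
    "min_length": 7,                # 7-character alphanumeric password
    "max_age_days": 90,             # maximum age 90 days
    "history": 4,                   # cannot reuse any of the last 4 passwords used
    "lockout_attempts": 6,          # lock after 6 invalid login attempts
    "lockout_minutes": 30,          # lockout period 30 minutes
    "session_timeout_minutes": 15,  # idle session timeout 15 minutes
}


def password_meets_policy(pw: str) -> bool:
    """At least 7 characters, containing both letters and digits."""
    return (len(pw) >= POLICY["min_length"]
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"\d", pw) is not None)


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """SHA-256 over salt||password, stored as hex(salt)$hex(digest).
    The salt is an addition to the slide's SHA-256 requirement."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + pw.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(hash_password(pw, bytes.fromhex(salt_hex)), stored)


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.username = username
        self.recent = [hash_password(password)]   # last 4 hashes used; current is recent[-1]
        self.changed_at = now
        self.failed_attempts = 0
        self.locked_until: Optional[datetime] = None
        self.last_activity: Optional[datetime] = None

    def change_password(self, new_pw: str, now: datetime) -> bool:
        if not password_meets_policy(new_pw):
            return False
        if any(verify_password(new_pw, h) for h in self.recent):
            return False   # reuse of one of the last 4 passwords
        self.recent = (self.recent + [hash_password(new_pw)])[-POLICY["history"]:]
        self.changed_at = now
        return True

    def password_expired(self, now: datetime) -> bool:
        return now - self.changed_at > timedelta(days=POLICY["max_age_days"])

    def login(self, pw: str, now: datetime) -> str:
        """Returns one of: ok, expired, invalid, locked."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if verify_password(pw, self.recent[-1]):
            self.failed_attempts = 0
            self.locked_until = None
            self.last_activity = now
            return "expired" if self.password_expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= POLICY["lockout_attempts"]:
            self.locked_until = now + timedelta(minutes=POLICY["lockout_minutes"])
            self.failed_attempts = 0
            return "locked"
        return "invalid"

    def session_active(self, now: datetime) -> bool:
        return (self.last_activity is not None
                and now - self.last_activity <= timedelta(minutes=POLICY["session_timeout_minutes"]))


def scenario() -> list:
    """Walk one account through lockout, recovery, history and expiry; returns the outcomes."""
    t0 = datetime(2024, 1, 1, 9, 0)
    acct = Account("alice", "Secret123", t0)
    out = [acct.login("wrong", t0 + timedelta(seconds=i)) for i in range(6)]
    out.append(acct.login("Secret123", t0 + timedelta(minutes=1)))    # still locked
    out.append(acct.login("Secret123", t0 + timedelta(minutes=31)))   # lockout elapsed
    out.append(acct.session_active(t0 + timedelta(minutes=50)))       # idle > 15 min
    out.append(acct.change_password("Secret123", t0 + timedelta(days=1)))   # reuse
    out.append(acct.change_password("NewPass456", t0 + timedelta(days=1)))
    out.append(acct.login("NewPass456", t0 + timedelta(days=92)))     # older than 90 days
    return out


if __name__ == "__main__":
    print(scenario())
```

The login path resets the failure counter only on success, and the lockout clears itself by time rather than by an administrator, matching the 30-minute lockout period on the slide.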
  • 7. PCI DSS Controls – Application
    • This slide describes the list of controls to be deployed for applications processing, storing or transmitting the card number:
      ◦ Encryption and key management –
        ◦ In case the application stores the card number (full 16 digits), the application should use either AES-128 bit or above, 3-DES, or RSA 1024 bit or above as the encryption algorithm for encrypting the card number.
        ◦ The application should use the controls specified in PCI DSS Requirements 3.5 and 3.6 for managing the encryption keys.
      ◦ Secure code review –
        ◦ For every major change to the application, the client needs to conduct a secure code review following the OWASP secure code review guide as reference.
        ◦ In case of minor changes, conduct the secure code review on an annual basis.
      ◦ Application penetration testing following the OWASP Testing Guide –
        ◦ If the application has a web interface or makes web-service calls, then web application penetration testing of the web interface and the web services should be done on a bi-annual basis following the OWASP Testing Guide.
  • 8. PCI DSS Controls – Servers
    • This slide describes the list of controls to be deployed on the servers:
      ◦ Hardening – The client needs to harden the server based on industry best practice. Hardening should be carried out for database and web servers as well.
      ◦ Deploy AV – AV solutions need to be deployed on all the PCI scoped servers and should be configured to run a full system scan on a weekly basis.
      ◦ Deploy a File Integrity Monitoring (FIM) solution – The FIM solution should be deployed to monitor any changes made to system configuration files and application configuration files.
      ◦ Configure NTP – The server should be configured for time synchronization from a central NTP server.
      ◦ Configure the audit trails – The server should be configured to generate all types of logs and audit trails and to push them to a central log server.
      ◦ Monthly patching – The client should have a process of patching the servers on a monthly basis, and it should not be restricted to just OS patches but should cover application and application library patches as well.
      ◦ Quarterly vulnerability assessment scans – The client needs to conduct a credentialed vulnerability assessment scan using either Nessus or Qualys Guard on a quarterly basis.
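What the FIM control on this slide actually does (a baseline of configuration file hashes, compared on the next run), as an added Python example; it is not the slides' code nor any FIM product's. The file names and contents created in `demo()` are invented sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed example (not from the slides): a minimal file integrity baseline
# and compare over a tree of configuration files. Everything in demo() is
# invented sample data.


def file_digest(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its hash, size and mode bits."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": file_digest(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o777),
        }
    return baseline


def compare_to_baseline(baseline: dict, root: Path) -> dict:
    """Report files added, removed, or whose hash/size/mode differ from the baseline."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in common if current[k] != baseline[k]),
    }


def demo() -> dict:
    """Build a baseline, simulate drift between two FIM runs, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "app.ini").write_text("db_host=db-01\n")
        (root / "etc" / "legacy.conf").write_text("enabled=0\n")
        baseline = build_baseline(root)
        # Drift: a hardening setting reverted, a file removed, a file added.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "legacy.conf").unlink()
        (root / "etc" / "cron.d").write_text("0 * * * * root /opt/run.sh\n")
        return compare_to_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must live somewhere the monitored host cannot rewrite it, and each finding should be forwarded to the central log server described on the next slide rather than only kept locally.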
  • 9. PCI DSS Controls – Infrastructure
    • This slide describes the list of controls to be deployed at the infrastructure level:
      ◦ Create a demilitarized zone (DMZ) – Create a PCI DMZ for deploying all PCI scoped web servers.
      ◦ Deploy an Intrusion Prevention System (IPS) – Deploy an IPS for monitoring both incoming and outgoing traffic of the PCI scoped server segment.
      ◦ Deploy a centralized log server and log monitoring process –
        ◦ Logs and audit trails from all applications, servers and network components need to be pushed to a central log server.
        ◦ A log monitoring solution needs to be deployed for generating security alerts.
      ◦ Deploy a centralized AV console and patch management system – The AV solution and the patch management system need to be centralized solutions.
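The "log monitoring solution for generating security alerts" on this slide, shown as an added Python example over a handful of constructed log lines (the line format, hosts, users and events are invented for the example; this is not the slides' code). It raises the alerts the earlier slides imply a PCI environment should see: a burst of failed logins matching the lockout threshold, a configuration file change reported by FIM, and an administrator granting view-full-card-number permission.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the slides) of lines as they might arrive at a
# central log server. The format is invented: "<ISO ts> <host> <source>: <EVENT> k=v ...".
SAMPLE_LOG = """\
2024-03-01T10:00:01 app-01 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:00:09 app-01 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:00:15 app-02 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:00:20 app-01 app: LOGIN_OK user=alice src=10.0.7.3
2024-03-01T10:00:31 app-02 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:00:40 app-01 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:00:52 app-01 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:01:03 app-01 app: LOGIN_FAIL user=bob src=10.0.5.12
2024-03-01T10:05:00 db-01 fim: FILE_CHANGED path=/etc/app/app.ini
2024-03-01T10:06:00 app-01 app: ADMIN_ACTION user=admin action=grant_view_full_pan target=carol
2024-03-01T11:30:00 app-01 app: LOGIN_FAIL user=alice src=10.0.7.3
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\w+): (?P<event>\w+)(?P<rest>.*)$")


def parse_line(line: str):
    """Parse one line into a record, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["fields"] = dict(re.findall(r"(\w+)=(\S+)", rec.pop("rest")))
    return rec


def detect(lines, threshold: int = 6, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (alert_type, detail) tuples. Failed logins are counted per user
    across all hosts in a sliding window, matching the lockout numbers on slide 6."""
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failed logins
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ev, f = rec["event"], rec["fields"]
        if ev == "LOGIN_FAIL":
            q = failures[f.get("user", "?")]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alerts.append(("failed_login_burst", f.get("user", "?")))
                q.clear()   # one alert per burst, not one per extra failure
        elif ev == "FILE_CHANGED":
            alerts.append(("config_change", f"{rec['host']}:{f.get('path', '?')}"))
        elif ev == "ADMIN_ACTION" and f.get("action") == "grant_view_full_pan":
            alerts.append(("full_pan_permission_granted", f.get("target", "?")))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Counting per user across hosts is deliberate: the slide's central log server is what makes that possible, since a single application server would see only its own share of the attempts.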
  • 10. PCI DSS Controls – Process Controls
    • This slide describes the list of process controls to be deployed for achieving PCI DSS:
      ◦ A change management process for making any changes, covering:
        ◦ Any firewall rule change.
        ◦ Any changes to the network component configuration.
        ◦ Any changes to the server.
        ◦ Any application level changes.
      ◦ Hardening guidelines for hardening system and network components, such as:
        ◦ Hardening the server OS.
        ◦ Hardening other applications deployed on the server, like the database, web server, etc.
        ◦ Hardening the network components.
  • 11. PCI DSS Controls – Process Controls
    • This slide describes the list of process controls to be deployed for achieving PCI DSS:
      ◦ Incorporate security controls into the Software Development Life Cycle (SDLC) for developing internal applications.
      ◦ A process of reviewing the user lists in the domain, applications and network components on a quarterly basis.
      ◦ A process of conducting a risk assessment on an annual basis for all processes and environments handling the card number.
      ◦ A process for conducting an internal information security awareness and training program on an annual basis.
      ◦ A card finder tool should be run on a quarterly basis on all the servers to identify all the locations where the card number is getting captured.
      ◦ A credentialed internal vulnerability assessment should be conducted on a quarterly basis.
      ◦ An internal pen-test should be conducted on a bi-annual basis.
  • 12. PCI DSS Controls – Desktops
    • This slide describes the list of controls to be deployed for user desktops which process the card number:
      ◦ The user desktops cover all client personnel who will be entering or viewing the full card number (such as the finance or collection department).
      ◦ The desktops should have a DLP solution deployed.
      ◦ Card finder tools should be run on a quarterly basis to identify whether the card number is getting captured or not.
      ◦ Internet access should be restricted to a few whitelisted URLs.
      ◦ Desktops should be configured to generate audit trails / logs and push them to a central log server.
      ◦ Other solutions like AV, FIM and VAPT (Vulnerability Assessment) need to be deployed.
      ◦ The user V-LAN or network segment will come under the purview of the PCI DSS scope, and all PCI DSS controls like AV, VAPT, FIM and audit trails need to be configured on all the systems deployed in that V-LAN or network segment.
  • 13. Steps for confirming the PCI scope
    • This slide details the next set of steps to be taken by the client for determining the PCI DSS scope:
      ◦ Run a card finder tool – The client needs to run card finder tools on all the servers and desktops across the client network. The objective of running the card finder tool is to identify all the locations (maybe Excel sheets, log files, databases, etc.) where the full card number is getting stored.
      ◦ Analyze whether to terminate or to include – Analyze each location where the full card number is getting stored and confirm the following:
        ◦ The source from which the location is receiving the full card number.
        ◦ Whether the full card number is required or whether only the truncated card number will suffice.
        ◦ Please note that in 99.99% of cases the full card number will not be required. If any user or business function requires the full card number, then confirm the following with them:
          ◦ When they last used the full card number.
          ◦ Whether they can use any other data apart from the full card number for the business function.
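The card finder step above, and the quarterly card finder runs on slides 11 and 12, come down to the same mechanism: walk the file system, pick out digit runs that look like card numbers, keep the ones that pass the Luhn check, and report where they were found. This is an added Python example of that mechanism, not the slides' tool nor any commercial product; the directory layout, file contents and names in `demo()` are invented, and the card numbers are the standard test numbers. The report carries only the truncated number, so the finder's own output never becomes another location that stores full card numbers.

```python
import re
import tempfile
from pathlib import Path

# Constructed example (not from the slides): a minimal card finder. Everything
# created in demo() is invented sample data.

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test: filters out invoice numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate(digits: str) -> str:
    """First 6 and last 4 visible, middle masked, per the PCI DSS display rule."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_pans_in_text(text: str):
    """Yield (line_number, truncated_pan) for every Luhn-valid candidate in the text."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                yield line_no, truncate(digits)


def scan_tree(root: Path, suffixes=(".log", ".csv", ".txt", ".ini", ".json")) -> list:
    """Scan text files under root; return hits as {file, line, pan} with pan truncated."""
    hits = []
    for path in sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in suffixes):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue   # unreadable file: skip, a real tool would log it
        for line_no, masked in find_pans_in_text(text):
            hits.append({"file": path.relative_to(root).as_posix(), "line": line_no, "pan": masked})
    return hits


def demo() -> list:
    """Create a small tree with one log, one export and one false positive; scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "logs").mkdir()
        (root / "logs" / "payments.log").write_text(
            "2024-03-01 10:00:01 txn ok pan=4111111111111111 amount=10.00\n"
            "2024-03-01 10:00:02 txn ok pan=411111XXXXXX1111 amount=12.50\n")
        (root / "export.csv").write_text("name,card\nAlice,5555 5555 5555 4444\n")
        (root / "orders.txt").write_text("order 1234567890123456 shipped\nphone 0123456789\n")
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The second log line, already truncated, is correctly not reported; the 16-digit order number fails Luhn and is dropped. Each remaining hit is exactly the kind of location the slide says to analyze next: where did this file get the full number from, and does anything actually need it.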
  • 14. Steps for confirming the scope
    • This slide details the next set of steps to be taken by the client for determining the PCI DSS scope:
      ◦ Finalize the locations – Finalize all the locations where the full card number is required to be processed, stored or transmitted. Please note that if the full card number is received and the application only stores the truncated card number, that system will still be in the PCI DSS scope.
      ◦ Based on the above step, identify and finalize all the servers and user desktops within the client network which process, store or transmit the full card number.
      ◦ The V-LAN or network segment in which these servers and user desktops are deployed will come under the PCI DSS scope, including all the servers and user desktops deployed in the scoped V-LANs / network segments.
  • 15. Thank You!
    Manish M, Cyber Security Training Provider
    Manish.cor@gmail.com
    Contact: +91-9036350000
    LinkedIn: https://www.linkedin.com/in/manishmahapatra
    Join my group on https://www.linkedin.com/groups/6517220 for more updates.