Building PCI Compliance: organizing the process

A talk on how to organize cooperation between the client, the QSA and the system integrator while building a PCI DSS compliant payment infrastructure.


Slide 1. Building PCI Compliance: organizing the process
Sergey Shustikov, Digital Security
Head of information security governance direction, CISA, PCI QSA
April 20, 2010
© 2002—2010, Digital Security

Slide 2. PCI Compliance
  • PCI Compliance is 100% satisfaction of the standard's requirements
  • PCI Compliance is necessary for every company that stores, processes or transmits cardholder data: banks, processors, merchants and service providers
  • Visa's member deadline for achieving PCI Compliance in CEMEA – September 30, 2010
  • An annual onsite QSA assessment is required to validate compliance for every company that processes more than 300 000 PANs per year

Slide 3. PCI Compliance building process
  • Preliminary assessment – identification of the initial level of non-compliance
  • Development of recommendations for non-compliance remediation
  • Development of the technical project of necessary payment infrastructure changes
  • Implementation of changes into the payment infrastructure
  • Development and documenting of information security management processes
  • Performing mandatory checks – penetration testing and ASV scanning
  • Certification assessment – resultant compliance validation
  • Submission of the resultant report to the Payment Brands or the acquirer

Slide 4. Cast
  • Client
  • QSA-consultant
  • System integrator

Slide 5. Variants of cooperation
  • Small and medium infrastructure, client implements changes himself (optimal for small)
  • Big infrastructure, QSA is the integrator (risk of extra expenses)
  • Big infrastructure, QSA-consultant and integrator are independent (optimal for big)

Slide 6. Optimal process for small payment infrastructure
  • QSA-consultant performs preliminary assessment
  • QSA-consultant develops detailed remediation recommendations
  • Client plans and implements changes into infrastructure
  • QSA-consultant documents security management processes
  • QSA-consultant (or third party) performs mandatory checks
  • QSA-consultant performs resultant certification assessment

Slide 7. Optimal process for big payment infrastructure
  • QSA-consultant performs preliminary assessment
  • QSA-consultant develops detailed remediation recommendations
  • Integrator develops technical project of changes
  • Client and QSA-consultant approve technical project
  • Integrator implements changes into infrastructure
  • QSA-consultant reviews implementation process

Slide 8. Optimal process for big payment infrastructure (continued)
  • QSA-consultant documents security management processes
  • Integrator develops low-level security procedures
  • QSA-consultant (or third party) performs mandatory checks
  • QSA-consultant performs resultant certification assessment

Slide 9. Documentation
Process stages:
  • Preliminary assessment
  • Development of recommendations
  • Development of technical project
  • Implementation of changes
  • Documenting of ISMS processes
  • Mandatory checks
  • Certification assessment
  • Submission of resultant report to Payment Brand or acquirer
Documents produced along the way:
  • ROC- (non-compliant Report on Compliance)
  • Action Plan
  • Remediation recommendations
  • Technical project
  • Acceptance report
  • ISMS documentation
  • ASV report
  • Pentest report
  • ROC+ (compliant Report on Compliance)
  • AOC

Slide 10. Result
  • compliance ≠ security
  • Effort towards compliance does not bring security
  • Effort towards security brings compliance

Slide 11. Questions?
  • Answers on PCIDSSRU.COM!
