PCI DSS can be one of the most infuriating sets of standards on the compliance landscape. While it seems simple (six domains and twelve requirements), the art of interpreting PCI can lead to full-blown war in an organization, with the security team at the center. In this session we’ll demystify some of the more difficult and misunderstood aspects of PCI DSS. We’ll cover the important changes in the recently announced PCI DSS 3.0. We’ll also discuss best practices for starting (and maintaining) a PCI DSS initiative in an organization and how to avoid battles with the QSA.
This document discusses PCI DSS (Payment Card Industry Data Security Standard) and protecting personally identifiable information (PII). It provides background on PCI DSS including its purpose of optimizing credit card security. It defines what constitutes cardholder data and who must comply with PCI DSS. The document also discusses risks of PII breaches and best practices for minimizing PII use and categorizing PII confidentiality levels. It emphasizes the need for coordination across an organization in managing PII issues and having an incident response plan for PII breaches.
ECMTA 2009 PCI Compliance and the Ecommerce Merchant - Melanie Beam
Since the deadline for level 4 merchants to be in compliance is July 2010, I thought I’d share this presentation I did in July of 2009 at the Ecommerce Summit.
MTBiz is for you if you are looking for contemporary information on business, the economy and especially the banking industry of Bangladesh. You will also find periodic information on the global economy and commodity markets.
This document summarizes a presentation about Payment Card Industry Data Security Standards (PCI DSS) compliance. It discusses what PCI DSS is, the different compliance levels for merchants and service providers, validation requirements, and PCI DSS requirements. It also summarizes how the presenter's company achieved compliance, the benefits of compliance, and lessons learned. The overall presentation provided an overview of PCI DSS compliance for those processing, storing, or transporting payment card data.
Payment card industry data security standard 1 - Wardell Henley
The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS). It explains that PCI DSS is a set of security standards created by major credit card companies to protect customer payment card data from theft and security breaches. Businesses that accept credit/debit cards must comply with PCI DSS, which involves requirements for data security, network security, access control, and monitoring. Non-compliance can result in fines, loss of ability to process card payments, and lawsuits.
Payment Card Industry Compliance for Local Governments CSMFO 2009 - Donald E. Hester
This document discusses various topics related to PCI compliance, including:
- Albert Gonzalez and the major data breaches he was involved in, which together stole over 500 million records.
- The top 10 largest data breaches of all time totaling over 544 million lost records.
- Key players in payment processing like acquirers, merchants, and card brands.
- An overview of the PCI DSS and other standards like PA-DSS, PED, and how the PCI Council maintains and enforces compliance.
- Requirements for organizations of different levels based on transaction volume including validation requirements like external scans, self-assessment questionnaires, and audits.
Realex Payments is a PCI DSS compliant online payments provider that processes billions in payments annually. They aim to simplify PCI compliance for businesses through their hosted payment solutions. Realex claims they can help businesses reduce PCI audit costs by up to 70% and reduce total PCI requirements by up to 96% by using a hosted payment page that is already PCI compliant. They provide a case study of a customer, allpay, who was able to reduce their PCI overheads by 70% after partnering with Realex.
PCI Compliance for Community Colleges @One CISOA 2011 - Donald E. Hester
An introduction to PCI compliance and data security standard. Including attestation requirements, PCI merchant levels, reporting requirements. Steps to Document PCI Cardholder Data Environment CDE and to work toward compliance.
The document discusses the Payment Card Industry Data Security Standard (PCI DSS) compliance. It provides an overview of the PCI DSS requirements and compliance framework. Merchants and service providers are required to comply with the PCI DSS to protect credit card data and prevent data breaches. Non-compliance can result in significant fines and penalties, loss of customers, and reputational damage for companies that experience a data breach. The document also outlines the different merchant levels and validation requirements under the PCI DSS.
The document discusses the Payment Card Industry Data Security Standard (PCI-DSS) requirements for organizations in India. It provides background on the increasing use of debit/credit cards and e-commerce transactions, and the need to protect cardholder data. It describes the intended audience of the PCI-DSS standard, provides details on compliance requirements, certification processes, and challenges organizations face adhering to PCI-DSS. It also discusses instances of credit card fraud in India and how adherence to PCI-DSS can help mitigate such risks.
This document discusses security considerations for financial institutions evaluating data aggregation platforms. It notes that while aggregation enables powerful new financial applications, institutions must ensure the platform protects sensitive customer data. The best platforms have robust security measures like separate networks, access controls, encryption, and monitoring. They are also compliant with relevant regulations and undergo regular security audits. Envestnet | Yodlee is highlighted as a leading, regulated platform that meets high security and compliance standards.
From the eCommerce Summit in Atlanta, June 3-4, 2009, where Mountain Media explains the topic of PCI Compliance for online merchants. Visit http://www.ecmta.org to find out more.
PCI Compliance—Love It, Hate It, But Don’t Ignore It (11NTCpci) - Miminten
PCI Compliance is a standard for security of payment card data that all businesses processing credit cards must comply with. It aims to enhance payment security through requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The standard is maintained by the PCI Security Standards Council and enforced by the major credit card brands. Compliance involves conducting a risk assessment and completing a Self-Assessment Questionnaire to validate security controls.
This document discusses online payment transactions and the PCI DSS security standards. It explains that the PCI DSS was established by the major credit card companies to protect customer payment information. The PCI DSS has 12 requirements across 3 key goals - building a secure network, protecting stored data, and maintaining security. Merchants must be compliant with PCI DSS to accept credit cards. Compliance involves regularly assessing systems for vulnerabilities, remediating any issues found, and reporting on compliance efforts.
What is Social KYC?
We generate large amounts of data about ourselves online every single day. All of this activity, when analysed as a whole, builds up a very deep and unique digital footprint — something that’s exceedingly difficult for someone to steal or fake convincingly.
Social KYC harnesses this data and uses it to establish a person’s identity, on a consent-driven basis, of course. Using algorithms to analyse and corroborate various data attributes across multiple online accounts, it is possible to quickly establish the likelihood of a person being:
- real
- who they claim to be (including various demographic data related thereto)
- a legitimate potential user (rather than a fraudster trying to access your platform with malicious intent)
We’re all used to Single Sign On – using an existing social media account to sign up to a new service — and Social KYC is an extension of this. As all you’re doing is asking a user to log in to a variety of their online accounts to prove who they are, it makes for a far more fluid sign up experience which in turn will encourage more users onto your platform.
The document provides information about PCI compliance requirements for businesses that accept credit and debit card payments. It begins by explaining the risks to businesses if they do not protect customer payment card data and comply with PCI standards. It then discusses common myths and misconceptions around PCI compliance requirements, such as that small businesses or those that outsource processing are exempt. The document aims to make clear that all businesses that accept card payments are required to comply with PCI security standards.
This report provides an overview of global compliance with the Payment Card Industry Data Security Standard (PCI DSS) based on hundreds of assessments conducted between 2011-2013. The key findings are that only around 11% of companies assessed were fully compliant with all 12 PCI DSS requirements, and the report identifies areas where organizations commonly struggle with compliance. It recommends that organizations view PCI compliance as an ongoing process that requires executive sponsorship and should be part of wider governance, risk, and compliance efforts.
10 Steps To Secure and PCI Compliant Credit Card Processing In Oracle Receiva... - amadhireddy
With the recent tightening of credit markets, companies are increasingly moving toward credit cards as the preferred receipt method. This helps companies transfer a substantial part of the credit risk to the card issuer. However, processing of credit cards requires compliance with security standards, fraud prevention guidelines and often Purchase Card Industry Guidelines. This session will highlight the 10 things to know while implementing a credit card receipt model and how Oracle helps with security and compliance. Learning Objectives:
1. Learn the credit card industry guidelines for security and compliance and the industry operating model.
2. Know how Oracle stores credit card data and the patches required for advanced security.
3. Understand the zero-touch credit card processing features offered by Oracle Receivables and Payments.
4. Case study on how VeriSign Inc integrated its web stores with Oracle Payments, and key lessons.
5. Learn how Advanced Collections could be integrated with Payments for real-time credit card authorizations.
Payment card industry data security standardsallychiu
The Payment Card Industry Data Security Standard (PCI DSS) is an industry-wide framework for protecting cardholder data. It was developed by the Payment Card Industry Security Standards Council in response to growing credit card fraud. PCI DSS consists of 12 requirements across 6 control objectives that entities must comply with depending on their level of cardholder transactions. Compliance is enforced by each card brand and validated by independent parties. Studies show that PCI DSS has been effective at improving security for many organizations, but compliant companies can still experience breaches, so it does not guarantee protection. PCI DSS presents opportunities for accountants to assist with compliance as Qualified Security Assessors or consultants.
The document discusses PCI compliance for businesses that accept credit card payments. It explains that all businesses that process credit/debit card transactions, regardless of size, are required to comply with PCI security standards. It addresses common myths about PCI compliance, clarifying that even small businesses and non-ecommerce companies must comply, and that outsourcing payment processing does not guarantee compliance. The document provides answers to frequently asked questions about PCI compliance levels, vulnerability scanning, and whether debit card transactions are in-scope.
The document provides guidance for small merchants on protecting payment card data. It discusses understanding risks to payment card data, protecting business with basic security measures, and where to get help. The security basics are organized from easiest to most complex to implement, and include using strong unique passwords, protecting and limiting storage of card data, inspecting payment terminals for tampering, installing software updates, using trusted partners, and more. The goal is to help small businesses start with basic steps to enhance data security.
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
This document provides an introduction to PCI-DSS (Payment Card Industry Data Security Standard). It defines key terms like PCI, cardholder data, and sensitive authentication data. It explains why PCI security standards are important to protect payment card data and prevent fraud. The document outlines the six goals and twelve requirements of PCI-DSS, as well as introducing PA-DSS which focuses on developing secure payment applications. It provides instructions on determining an organization's PCI compliance level and selecting the appropriate Self Assessment Questionnaire.
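The distinction between cardholder data and sensitive authentication data drives most of the data-protection requirements: PCI DSS requires the PAN to be rendered unreadable wherever it is stored and masked when displayed (at most the first six and last four digits visible), and it forbids retaining sensitive authentication data such as CVV2/CVC2, full track data and PIN blocks after authorization. The scanner below is an added example, not code from any of the presentations listed on this page; it finds Luhn-valid PANs in text, applies the PCI masking rule, and flags CVV fields. The log format, the field names (`card=`, `cvv=`) and the sample lines are constructed for the example, and the card numbers are the well-known Visa and Mastercard test numbers.

```python
"""Added example: locate and mask PANs, and flag sensitive authentication
data (SAD), in arbitrary text such as application logs.

Not from the page's presentations. The log layout and field names are
assumptions made for the example.
"""
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Labelled card-verification value in a log line (assumed field names).
# Group 1 is the label, group 2 the value, so the value can be removed.
CVV_RE = re.compile(r"(\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*)(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by the major card brands. Filters out most
    non-card digit runs (order numbers, timestamps); passing it is not
    proof that a number is a real PAN, only that it could be."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PAN candidates found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: first six and last four digits at most."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(line: str) -> str:
    """Return a version of the line that is safe to retain: Luhn-valid
    PANs masked, CVV values removed entirely (SAD must not be stored)."""
    def _mask(m: "re.Match") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)

    line = PAN_RE.sub(_mask, line)
    return CVV_RE.sub(r"\1[removed]", line)


def scan_report(lines: List[str]) -> List[Dict]:
    """One finding per line that contains a PAN or a CVV field."""
    report = []
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        sad = CVV_RE.search(line) is not None
        if pans or sad:
            report.append({"line": n,
                           "pans": [mask_pan(p) for p in pans],
                           "sad_present": sad})
    return report


# Constructed sample log; the card numbers are public brand test numbers.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order=1234567812345678 card=4111 1111 1111 1111 cvv=123 amount=19.99",
    "2024-05-01 12:00:02 card=5555555555554444 approved auth=0A9F",
    "2024-05-01 12:00:03 card=4111111111111112 declined",
    "2024-05-01 12:00:04 health check ok",
]

if __name__ == "__main__":
    for finding in scan_report(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG:
        print(redact(line))
```

The order number on the first line is 16 digits but fails the Luhn check, so it is neither reported nor masked; the mistyped card on the third line is dropped for the same reason, which is the trade-off of using Luhn as a false-positive filter. In a real cardholder data environment the scan would run against file shares, databases and log stores to find PAN that leaked outside the intended scope, and the redaction step would be applied before logs are retained.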
The document discusses the Payment Card Industry Data Security Standard (PCI-DSS). It provides a brief history of credit cards and the PCI oversight council. It then explains what constitutes cardholder data and outlines the payment transaction cycle. Finally, it summarizes the key sections and requirements of the PCI-DSS, including installing firewalls, defining the scope of assessments, migrating away from SSL and early TLS, enforcing multi-factor authentication, implementing change management controls, and oversight of service providers.
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D... - Stephanie Gutowski
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal -
Stephen Bestbier (iATS), Aaron Crosman (Message Agency), Erik Mathy (Pantheon)
The document discusses strategies for complying with the Payment Card Industry Data Security Standard (PCI-DSS). It provides an overview of PCI-DSS, including its requirements for securing credit card data, different merchant levels and their associated validation requirements. It also summarizes the various Self-Assessment Questionnaires (SAQs) merchants can complete for validation, and offers guidelines for implementing a PCI compliance program, including governance, identifying applicable SAQs, and requirements for ongoing compliance.
Are you trying to wrap your head around PCI security requirements, how to securely manage payment card data and what types of credit card fraud to watch out for? This session is for you!
Learn more about the implications of PCI-DSS requirements, best practices around securely storing credit card data and how to put tools in place to prevent costly (and frustrating) credit card fraud at your organization. Be prepared, get informed and don’t let the bad guys win!
PRESENTER
Patricia O'Connor – Partner Account Manager
iATS Payments (@iATSPayments) provides payment processing products and services to over 10,000 nonprofit organizations around the world. It’s not one of the things we do; it’s the only thing we do.
pci powerpoint 01-12-2012- cal poly basic rev 07-23-12b.pdf - ssuserbcc088
This document provides an overview and agenda for a training on PCI DSS (Payment Card Industry Data Security Standard) compliance at Cal Poly. The training objectives are to understand what PCI DSS is, how to comply with its requirements, and appropriate ways to handle payment card data. The agenda covers PCI basics, compliance drivers, securing card data, and a review. It emphasizes that PCI DSS is an industry standard to protect cardholder data and that non-compliance can result in fines.
This document provides an overview of PCI compliance and security standards. It discusses the objectives of PCI DSS training, an introduction to PCI and the Payment Card Industry Security Standards Council, an overview of the PCI DSS requirements and framework, definitions of cardholder data and merchant levels, how compliance applies to different entity types, and resources for further information. The training is intended to help participants understand goals of PCI, key concepts such as cardholder data and merchant levels, and compliance responsibilities for different organizations that handle credit card transactions.
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C... - Rapid7
The Payment Card Industry Data Security Standards (PCI DSS), with its over 200 requirements, can seem like a daunting set of regulations. Nonetheless, if your organization handles any kind of credit card information, you must be PCI DSS compliant. As difficult as this can seem, you can get expert help with our new eBook: Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS Compliance.
The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS). It discusses what PCI compliance is and why it is important. It outlines the goals and 12 requirements of the PCI DSS, including building a secure network, protecting cardholder data, maintaining vulnerability management, access control measures, monitoring networks, and maintaining an information security policy. It also discusses how to achieve and maintain compliance to avoid fines. The document provides information on PCI compliance requirements, processes, policies, controls, project management, and key messages around PCI.
The document discusses PCI Data Security Standards for merchants. It outlines the 12 key requirements of PCI compliance including protecting cardholder data, access controls, monitoring networks, maintaining security policies and vulnerability management. Merchants of different levels have different validation requirements to comply with PCI DSS. Evolution Security Systems provides PCI compliance services like gap analysis, remediation assistance and certification to help merchants achieve and maintain compliance.
This document provides an overview of PCI DSS compliance, including:
- What the PCI Security Standards Council is and its objectives in establishing payment security standards.
- Why compliance is important to avoid penalties, reduce risk, and protect an organization's reputation.
- How to achieve compliance through self-assessment questionnaires or audits depending on transaction volume.
- The requirements of the PCI DSS including building a secure network, protecting data, vulnerability management, and more.
Visa Compliance Mark National Certification - Mark Pollard
The document outlines 12 steps that businesses should take to comply with the Payment Card Industry Data Security Standard (PCI DSS) and help protect customer payment card data. It provides details on installing firewalls, encrypting data transmission, access controls, monitoring networks, maintaining security policies, and responding to security breaches. It also describes validation requirements for merchants and service providers to certify compliance based on their transaction volume level.
The complexity of the merchant onboarding and KYC compliance processes for card acquirers is quite staggering. Read why Card Acquirers Need Rapid Integration and Operationalized Risk Models to Meet Merchant Demand for Fast Onboarding
PCI compliance is important for businesses that handle credit card data to protect against data breaches and fines. The webinar discusses PCI compliance requirements and controls, including understanding what PCI is, identifying risks to card data, and how to achieve and maintain compliance. It also explains how PCI was established in response to lawsuits against businesses that experienced data breaches, and details the six goals and twelve requirements that make up the PCI Data Security Standard.
Pci compliance overview earth link businessMike Shelah
The document discusses Payment Card Industry Data Security Standard (PCI-DSS) compliance. It was established in 2004 to reduce credit card fraud and requires businesses that accept credit cards to follow security standards. There are six control objectives and over 280 audit procedures companies must pass to be compliant. Non-compliance can result in fines and loss of the ability to accept credit cards. The document outlines the steps businesses should take to achieve and maintain PCI compliance, including validating compliance through audits or scans, addressing security issues, ongoing employee training, and using a compliance partner.
pci-comp pci requirements and controls.pptgealehegn
The document discusses the Payment Card Industry Data Security Standard (PCI DSS), which establishes requirements for securely handling, storing, and transmitting credit card data. It requires merchants and service providers that process, store or transmit credit card data to comply with security standards covering areas like network security, data protection, access control, monitoring, and security policies. Non-compliance can result in fines, lawsuits, and loss of credit card processing privileges. The Commonwealth of Massachusetts is working to help state departments assess their PCI compliance status and achieve validation through qualified security assessors and approved scanning vendors.
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
2. “Who Are You?”
• Michele Chubirka aka @MrsYisWhy
• Security architect, engineer, analyst.
• Blogs and hosts Healthy Paranoia, information security podcast channel of Packetpushers. www.healthyparanoia.net
• Researches and pontificates on topics such as security architecture and best practices.
3. Overview
• Background of PCI DSS
• Compliance vs. Non-compliance
• Basics of Standard
• What’s New in PCI 3.0
• The Jabberwocky: Scoping and Compensating Controls
• Common Myths
• Getting it Right
4. “The time has come,” the Walrus said,
“To talk of many things:
Of PINs and POS and CDEs
Of SAQs and ASVs
And why the sea is boiling hot
And whether QSAs have wings.”
6. PCI DSS: Payment Card Industry Data Security Standard
• Proprietary framework released in 2004 by PCI Security Standards Council to ensure secure handling of credit card data. www.pcisecuritystandards.org
• Founded by five global payment brands.
• Enforcement of compliance and penalties for non-compliance determined by each brand, not the council.
• Related standards include: Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS)
7. Why Does PCI DSS Matter?
Excerpt reproduced from the Verizon 2014 PCI Compliance Report (the opening sentence is cut off on the slide):
“…supporting standards, roadmaps, guidance, and methodologies is expanding. And our research suggests that organizations are complying at a higher rate than in previous years.
After an uncertain start, many organizations now feel comfortable with and better understand what the DSS is about, and accept that complying with it is not only a necessary part of accepting card payments, but also a solid baseline of controls for protecting cardholder data.
Most analysts agree that, while the PCI standards are imperfect, they have evolved to clarify expectations and address feedback from the industry, and today they provide an increasingly mature framework for organizations to work toward.
So why is PCI compliance still worth talking, and indeed writing a major piece of research, about?”
[Figure 2: The cost of card fraud. Chart of Global Card Fraud Losses ($Billions), years 2000 to 2012, y-axis $0 to $12B; data from The Nilson Report, August 2013]
Source: Verizon 2014 PCI Compliance Report
8. “Payment card data remains one of the easiest types of data to convert to cash, and therefore the preferred choice of criminals. 74% of attacks on retail, accommodation, and food services companies target payment card information.”
- Data from Verizon Data Breach Investigations Reports (DBIRs), 2011, 2012 and 2013
9. Who’s Compliant?
Excerpt and chart reproduced from the Verizon 2014 PCI Compliance Report:
“According to our research, only around one in ten organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment. Despite the increasing maturity of the standard and organizations’ understanding of it, attaining compliance remains far from easy — and so it should. Protecting cardholder data is important and the threats to it are very real.
And the drivers for investing in security and compliance are more pressing than ever. The very payment card data breaches that PCI DSS was designed to help avoid are growing in frequency and scale, with compromised records often numbering in the millions. As consumers and businesses continue to ditch cash and do more of their shopping online, the risk and impact of breaches is set to grow further. The related disciplines of security and compliance are, consequently, still a top business priority.”
[Figure 3: Percentage of companies that passed, by number of requirements (1 to 12); dataset 2013. Callouts: 11.1% of companies passed all 12 requirements; over half (51.1%) of companies passed 7 requirements.]
10. Pass or Fail?
• 11.1% met all requirements of DSS 2.0 in 2013, an increase of 3.6 percentage points from 2012.
• In 2013, companies were compliant with an average of 85.2% of controls.
“…one in five organizations came close to complying — they passed 95%+ of controls. Of these organizations, more than half failed Requirement 11 [Regularly test security systems and processes].”
- From Verizon’s 2014 PCI Compliance Report
11. Does It Work?
Its effectiveness is determined by the organization’s implementation, not the auditor.
12. “Off With Her Head!”: The Consequences of Non-compliance
13. • Lawsuits and countersuits
• Insurance claims
• Suspension of merchant status with processor or in-depth assessments if breached.
• Payment card issuer fines
• Possible government fines (depending upon where you do business)
• Damage to reputation and business
14. “Will you, won't you, will you, won't you, will you join the dance?”
• Any organization that accepts, processes, stores and/or transmits member-branded card data must comply.
• It’s like a game of cooties: if you touch CC data, you’re infected.
• Compliance with the standard is a binary yes | no.
15. Example: Target Breach
• Target CIO “resigned” after breach of 40 million credit card and debit records.
• At least 80 100 lawsuits filed.
• Earnings down 46% in 2013 4th quarter.
• Total losses could reach one billion.
• Reportedly validated as “compliant”
• Target’s QSA, Trustwave, is also in litigation with banks.
17. Important Taxonomy
• Merchant – any entity that accepts payment cards
• Payment Card – card/device bearing logo of founding members of PCI SSC
• Issuer – entity that issues payment cards or performs, facilitates or supports issuing services.
• Service Provider or Merchant Service Provider (MSP) - furnishes all or some of payment services for a merchant
• Payment Processor – type of MSP
• Acquiring Bank – connects to card brand network for payment processing
• QSA – qualified security assessor
• SAQ – self assessment questionnaire
• ASV – approved scanning vendor
• PAN – primary account number
• CVV – card verification value
• CSC – card security code
• POS – point of sale
• CDE – cardholder data environment
• ROC – report on compliance
• AOC – attestation of compliance
• AOV – attestation of validation
• Scoping – process identifying all system components, people and processes included in an assessment
From PCI DSS and PA DSS “Glossary of Terms, Abbreviations, and Acronyms” V. 3.0, January 2014
18. “Speak English! I don't know the meaning of half those words, and I don't believe you do either!”
19. Sometimes PCI is a hill, and sometimes it’s a mountain.
• Six domains, 12 requirements
• The goal is to reduce risk of fraud
• Simple, right?
20. Validation Requirements
• Compliance vs. validation, what’s the difference?
• Merchant and/or service provider status
• Based upon volume of transactions.
• Method of acceptance
• Whether the merchant has ever been breached.
• Varies by payment card brand.
• Can change. Expect stricter requirements in the future.
21. Merchant Levels
• Level 1 – processes > 6MM Visa, MC or Discover transactions annually, 2.5MM Amex, 1MM JCB
• Level 2 – 1 to 6MM Visa, MC or Discover, 50k to 2.5MM Amex, < 1MM JCB
• Level 3 – 20k to 1MM Visa or Discover card-not-present transactions, >20k MC, <50k Amex
• Level 4 – Everyone else
22. Service Provider Levels
• Level 1 – All 3rd party providers (TPP), all data storage entities (DSE) that store, transmit or process > 300k MC, >=2.5MM Amex, >300k Visa
• Level 2 – DSEs < 300k MC, 50k to 2.5MM Amex, <300k Visa
• Level 3 – < 50k Amex
Visa Canada and Europe have slightly different rules.
23. Validation Requirements
• Level 1 – ASV scan, QSA on-site assessment
• Level 2 – ASV scan, Visa SAQ, MC QSA/ISA on-site assessment or assisted SAQ.
• Level 3 – ASV Scan, SAQ
• Level 4 – ASV scan if requested, SAQ
Amex requirements differ slightly - https://www209.americanexpress.com/merchant/services/en_US/data-security
24. SAQ Validation Types
• Type A – Merchants who keep only paper reports or receipts with cardholder data, do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises. Does NOT apply to face-to-face merchants.
• Type B - Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
• Type C-VT - Merchants who process cardholder data only via isolated virtual terminals on personal computers connected to the Internet. This SAQ option applies only to merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution.
• Type C – Those with payment application systems (for example, point-of-sale systems) that are connected to the Internet (for example, via DSL, cable modem, etc.) either because:
  – The payment application system is on a personal computer that is connected to the Internet (for example, for e-mail or web browsing), or
  – The payment application system is connected to the Internet to transmit cardholder data.
• Type D – All others
25. Caution: Make sure to carefully read the “Self-Assessment Questionnaire Instructions and Guidelines” document, not just the questionnaire itself.
26. PCI DSS Domains
1. Build and maintain a secure network.
2. Protect cardholder data.
3. Maintain a vulnerability management program.
4. Implement strong access control measures.
5. Regularly monitor and test networks.
6. Maintain an information security policy.
28. Requirements
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Protect all systems against malware and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Identify and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
29. PCI DSS V3.0 is 112 pages
• That doesn’t even include the additional guidance documentation.
• Every requirement has sub-requirements, testing procedures and now guidance (new in 3.0).
• Example: requirement one has 23 sub-requirements.
30. Excerpt from the PCI DSS 3.0 requirement 1.3 table (columns: PCI DSS Requirements | Testing Procedures | Guidance)

Requirement 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Testing procedure 1.3: Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—and perform the following to determine that there is no direct access between the Internet and system components in the internal cardholder network segment:
Guidance 1.3: A firewall's intent is to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.

Requirement 1.3.1: Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Testing procedure 1.3.1: Examine firewall and router configurations to verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Guidance 1.3.1: The DMZ is that part of the network that manages connections between the Internet (or other untrusted networks), and services that an organization needs to have available to the public (like a web server). This functionality is intended to prevent malicious individuals from accessing the organization's internal network from the Internet, or from using services, protocols, or ports in an unauthorized manner.

Requirement 1.3.2: Limit inbound Internet traffic to IP addresses within the DMZ.
Testing procedure 1.3.2: Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.

Requirement 1.3.3: Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.
Testing procedure 1.3.3: Examine firewall and router configurations to verify direct connections inbound or outbound are not allowed for traffic between the Internet and the cardholder data environment.
Guidance 1.3.3: Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, as well as inspection and blocking of unwanted content, thus preventing unfiltered access between untrusted and trusted environments. This helps prevent, for example, malicious individuals from sending data they've obtained from within your network out to an external untrusted server in an untrusted network.
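A small Python checker, added here as an example and not code from the presentation or from the PCI SSC, that applies sub-requirements 1.3.1 through 1.3.3 of the table above to a constructed, first-match firewall ruleset and reports the permit rules an assessor following those testing procedures would flag. The zone prefixes, the authorized-service list and the one-line rule format are assumptions made for the example.

```python
"""Toy checker for PCI DSS 3.0 requirement 1.3 (added example; not code from
the presentation or from the PCI SSC). It reads a simplified, first-match
firewall ruleset and reports permit rules that contradict sub-requirements
1.3.1, 1.3.2 or 1.3.3. Zone ranges, the authorized-service list and the rule
format are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# Constructed zone layout: DMZ on a documentation prefix (RFC 5737), CDE and
# the rest of the internal network on RFC 1918 space. Everything else counts
# as Internet.
ZONES = {
    "dmz": ip_network("203.0.113.0/24"),
    "cde": ip_network("10.10.0.0/16"),
    "internal": ip_network("10.20.0.0/16"),
}

# Services approved for public exposure (1.3.1): (DMZ host, protocol, port).
AUTHORIZED_PUBLIC = {(ip_network("203.0.113.10/32"), "tcp", 443)}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None means any destination port


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one line of the constructed format
    '<permit|deny> <proto> <src-cidr|any> <dst-cidr|any> <port|any>';
    a trailing '# comment' is ignored and blank lines yield None."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    action, proto, src, dst, port = fields

    def to_net(s: str) -> IPv4Network:
        return ip_network("0.0.0.0/0" if s == "any" else s)

    return Rule(action, proto, to_net(src), to_net(dst),
                None if port == "any" else int(port))


def parse_ruleset(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r is not None]


def zone_of(net: IPv4Network) -> str:
    """Name the zone that wholly contains an address object. A range that is
    not inside any trusted zone (0.0.0.0/0, a public prefix, or a supernet
    spanning several zones) is treated as Internet-reachable, which is the
    conservative reading an assessor would take."""
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def check_requirement_1_3(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (sub-requirement, description) findings for permit rules that
    would lead an assessor to conclude requirement 1.3 is not met."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        # 1.3.3: no direct connection, inbound or outbound, Internet <-> CDE.
        if src_zone == "internet" and dst_zone == "cde":
            findings.append(("1.3.3", f"direct inbound Internet -> CDE: {r}"))
            continue
        if src_zone == "cde" and dst_zone == "internet":
            findings.append(("1.3.3", f"direct outbound CDE -> Internet: {r}"))
        if src_zone != "internet":
            continue  # the remaining checks concern inbound Internet traffic
        # 1.3.2: inbound Internet traffic must land on addresses in the DMZ.
        if dst_zone != "dmz":
            findings.append(("1.3.2", f"inbound Internet traffic outside DMZ: {r}"))
            continue
        # 1.3.1: and only on authorized public services, protocols and ports.
        if not any(r.dst.subnet_of(host) and r.proto == proto and r.dport == port
                   for host, proto, port in AUTHORIZED_PUBLIC):
            findings.append(("1.3.1", f"unauthorized public service exposed: {r}"))
    return findings


# Constructed ruleset: one web server correctly published through the DMZ,
# plus four mistakes the testing procedures above are designed to catch.
SAMPLE_RULESET = """
permit tcp any 203.0.113.10/32 443             # public web server in DMZ (ok)
permit tcp any 203.0.113.10/32 22              # SSH exposed to the world (1.3.1)
permit tcp any 10.10.5.20/32 1433              # Internet straight to CDE database (1.3.3)
permit tcp 203.0.113.10/32 10.10.5.20/32 1433  # DMZ app tier to CDE (ok)
permit tcp 10.10.0.0/16 any 443                # CDE hosts browse the Internet directly (1.3.3)
permit tcp 10.10.0.0/16 203.0.113.50/32 3128   # CDE to DMZ proxy (ok)
permit tcp any 10.20.1.0/24 80                 # Internet to internal LAN, not DMZ (1.3.2)
deny ip any any any
"""

if __name__ == "__main__":
    for code, text in check_requirement_1_3(parse_ruleset(SAMPLE_RULESET)):
        print(f"[{code}] {text}")
```

The rule on line four (DMZ application tier to the CDE database) is deliberately left alone: 1.3 constrains Internet-facing flows, and what the DMZ may reach inside the CDE is judged under the other 1.x sub-requirements.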
31. “Say what you mean…”
• The requirements seem simple, but the meaning is nuanced.
• Sometimes interpreted differently by QSAs and ISAs.
• PCI DSS 3.0 adds a guidance column with more detail to clarify intent of requirements.
• Best defense is for everyone to thoroughly read the standard.
• Ignorance is not an acceptable excuse.
32. What’s New in 3.0: Highlights
• Moved from 2 year to 3 year standards development lifecycle.
• Requirements are the same, but with modifications to sub-requirements.
• V2.0 active until Dec. 31, 2014, some new V3.0 requirements not mandatory until July 2015.
• Clarifies scoping and reporting
• Focus on consistency, proactivity and best practices
• Addition of security policy/procedure into each requirement.
• Clarifies handling of sensitive authentication data (SAD).
33. Specific Requirement Additions
1. Current diagram with cardholder data flows in addition to network diagrams.
2. Maintain inventory of in-scope system components and change default passwords on application/service accounts.
3. More options for secure storage of crypto keys. Clarification regarding dual control.
5. Evaluate evolving malware threats for systems not commonly affected by malware.
34. Requirement Additions Continued
6. Update list of common vulnerabilities, align with OWASP, NIST, SANS for secure coding practices.
8. Security considerations for authentication mechanisms such as tokens, smart cards and certs. Enhanced guidance on good password practices. More flexibility to accommodate variations in secure implementations.
9. Protect POS terminals and devices from tampering or substitution.
10. Clarifies intent and scope of daily log reviews by focusing on identifying suspicious activity.
11. Implement pentesting method to validate segmentation.
12. Maintain info about status of PCI DSS for 3rd party providers.
35. Scope
According to PCI SSC, the CDE consists of “…people, processes and technology that store, process or transmit cardholder data or sensitive authentication data….”
• Firewalls
• Switches
• Access Points
• Network and Security Appliances
• Servers
36. Scoping
• Anything included in or connected to the CDE is “in scope.”
• Isolating (segmenting) the CDE from the rest of the network is not a requirement.
• Technique that shrinks the scope of the assessment, reducing cost and difficulty.
• Reduces risk.
• Without scoping, the entire network is in scope of the assessment.
• To be “out of scope”, the component must be properly segmented from the CDE, so that if compromised it could not impact the CDE.
37. Compensating Controls
“Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.”
From Appendix B, PCI DSS, v3.0
38. Compensating Controls Must
• Meet intent of original requirement.
• Provide similar level of defense.
• Go “above and beyond”.
• Be commensurate with additional risk.
• Be more work to implement, not less.
• Pass an audit.
40. 1. I only process a small number of credit card transactions, so it’s not a big deal.
• You MUST be compliant with PCI DSS, regardless of transaction numbers.
• If you outsource, you must verify their PCI DSS compliance status in accordance with requirement 12.
• Outsourcing simplifies your requirements, but doesn’t eliminate the need to address it.
41. 2. I only have to submit an SAQ, so all the requirements don’t apply
• All requirements still apply.
• The questionnaire is misleading because there are fewer questions.
• This is because the categories assume reduced scope, based upon a decision tree in the “SAQ Instructions and Guidelines” document.
42. [“Which SAQ Best Applies to My Environment?” decision tree, reproduced from PCI DSS Self-Assessment Questionnaire Instructions and Guidelines, v2.0 October 2010, Copyright 2010 PCI Security Standards Council LLC, page 17]
43. 3. Wireless requirements only apply if card data transits the WLAN.
• Wireless is perceived as a vulnerable medium.
• You must still validate that wireless is “out of scope” to meet fewer requirements.
• See requirements 1.2.3, 9.1.3, 10.5.4, 11.1
44. 4. To reduce scope, I need to have physically separate networks.
You have to implement controls which segment and restrict access to the CDE.
45. 5. Mixed-mode virtualized environments aren’t permitted
From “PCI DSS Virtualization Guidelines” 2011 document:
“…any VM or other virtual component that is hosted on the same hardware or hypervisor as an in-scope component would also be in scope for PCI DSS, as both the hypervisor and underlying host provide a connection (either physical, logical, or both) between the virtual components....
… In order for in-scope and out-of-scope VMs to co-exist on the same host or hypervisor, the VMs must be isolated from each other such that they can effectively be regarded as separate hardware on different network segments with no connectivity to each other.…
Even if adequate segmentation between virtual components could be achieved, the resource effort and administrative overhead required to enforce the segmentation and maintain different security levels on each component would likely be more burdensome than applying PCI DSS controls to the system as a whole.”
46. 6. Supporting systems aren’t in scope
REMEMBER: “…included in or connected to the cardholder data environment.”
It’s just like a game of cooties.
47. 7. Compliance requirements are based upon merchant or service provider level.
• No, VALIDATION requirements differ.
• Everyone must comply with ALL of PCI DSS, regardless of level.
• This is not optional.
48. 8. I can just use a compensating control to meet a requirement that’s too difficult.
Compensating controls are stricter. The key phrase is “above and beyond.”
49. Getting It Right
• Data inventory and classification
• Data flow and inventory of CDE
• Reduce scope wherever possible.
• Identify data custodians and stakeholders outside of IT. Embed ownership in the entire organization.
• Avoid compensating controls; use them only as a last resort.
• Remove CC data wherever possible.
• If you can’t remove, tokenize.
• Consider outsourcing.
• If > level 4 merchant or SP and you qualify for SAQ D, consider using a QSA or auditor for the initial assessment or occasional follow-up.
50. References
Chuvakin, Anton, Branden R. Williams, and Ward Spangenberg. PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. Burlington, MA: Syngress, 2010. Print.
"Documents Library." PCI Security Standards Documents: PCI DSS, PA-DSS, PED Standards, Compliance Guidelines and More. Payment Card Industry Security Standards Council, n.d. Web. 17 Mar. 2014.
Van Oosten, Ciske. PCI Compliance Report. Rep. no. GL00648-17. Verizon, Feb. 2014. Web. <http://www.verizonenterprise.com/pcireport/2014/>.
52. Where Can You Find Me?
• Spending quality time in kernel mode practicing and refining my particular form of snark.
• www.healthyparanoia.net
• Twitter @MrsYisWhy
• Google+ MrsYisWhy
• networksecurityprincess@gmail.com
• chubirka@packetpushers.net
• http://www.networkcomputing.com/blogs/author/Michele-Chubirka