- PCI compliance means meeting the technical and operational security requirements for protecting payment card data that are defined by the PCI Security Standards Council (PCI SSC), founded by Visa, MasterCard, and the other major payment brands.
- Any business that accepts payment cards must comply with the PCI Data Security Standard (PCI DSS). Compliance matters because a data breach brings fines, loss of customers, litigation, and reputational damage.
- Investigations after data breaches repeatedly find the same compliance failures: missing network segmentation, inadequate access controls, and unapplied security patches. Regular security monitoring is essential to staying compliant.
PCI Compliance Fundamentals (The Circuit)
Brian Herman of StillSecure presented on PCI Compliance Fundamentals for The Circuit. He covered what PCI compliance is, why it is important, and suggestions for implementing it.
2. What is PCI Compliance?
• PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data.
– PCI SSC founding members: American Express, Discover, JCB International, MasterCard, and Visa
– The requirements cover:
• Security management and monitoring
• Policies and procedures
• Network architecture
• Software design
• If you accept payment cards, you are required to be compliant with the PCI Data Security Standard (PCI DSS).
• PCI – The Gold Standard
– Compared to other standards, the requirements are clearly defined
4. Why Is Compliance with PCI DSS Important?
• A security breach and subsequent compromise of payment card data has far-reaching consequences for affected organizations, including:
  – Regulatory notification requirements,
  – Loss of reputation,
  – Loss of customers,
  – Potential financial liabilities (for example, regulatory and other fees and fines), and
  – Litigation
5. Economics of a Credit Card Breach – Source: Coalfire
A hypothetical merchant has 10,000 card numbers and account holder information compromised.
What is the potential financial impact to the merchant?
  – Notify clients and provide privacy guard: $30 x 10,000 = $300,000
  – Fines and penalties from card brands and acquiring banks: $50,000 to $500,000
  – Increased PCI audits and requirements for new controls: $50,000 x 3 years = $150,000
  – Potential costs to re-issue credit cards: 10,000 accounts x $20 = $200,000
  – Reputation loss: PRICELESS!
Estimates are based on actual incidents examined by Coalfire's forensic team. Fees and services required vary by incident.
For more information on potential costs and risk from credit card compromise, contact Coalfire (www.coalfiresystems.com)
6. Why Is Compliance with PCI DSS Important?
• Investigations after compromises consistently show common PCI DSS violations, including but not limited to:
  – Storage of magnetic stripe data (Requirement 3.2). It is important to note that many compromised entities are unaware that their systems are storing this data.
  – Inadequate access controls due to improperly installed merchant POS systems, allowing malicious users in via paths intended for POS vendors (Requirements 7.1, 7.2, 8.2 and 8.3)
  – Default system settings and passwords not changed when the system was set up (Requirement 2.1)
  – Unnecessary and insecure services not removed or secured when the system was set up (Requirements 2.2.2 and 2.2.4)
  – Poorly coded web applications resulting in SQL injection and other vulnerabilities, which allow access to the database storing cardholder data directly from the web site (Requirement 6.5)
  – Missing and outdated security patches (Requirement 6.1)
  – Lack of logging (Requirement 10)
  – Lack of monitoring (via log reviews, intrusion detection/prevention, quarterly vulnerability scans, and file integrity monitoring systems) (Requirements 10.6, 11.2, 11.4 and 11.5)
  – Poorly implemented network segmentation resulting in the cardholder data environment being unknowingly exposed to weaknesses in other parts of the network that have not been secured according to PCI DSS (for example, from unsecured wireless access points and vulnerabilities introduced via employee e-mail and web browsing) (Requirements 1.2, 1.3 and 1.4)
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
8. Self-Assessment Questionnaire
SAQ A – Requirement areas: 9 & 12 – 13 questions / requirements
SAQ B – Requirement areas: 3, 4, 7, 9 & 12 – 29 questions / requirements
SAQ C-VT – Requirement areas: 1-7, 9 & 12 – 51 questions / requirements
SAQ C – Requirement areas: 1-9, 11 & 12 – 80 questions / requirements
SAQ D – Requirement areas: 1-12 – 286 questions / requirements
Does your company store any cardholder data in electronic format?
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
9. Policies and Procedures
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
  Policies/procedures: Configuration standards, Change control approval and testing process, Firewall placement, Maintain current network diagram, Description of Roles & Responsibilities, Documentation and business justification of all ports, protocols and services, FW and Router review.
Requirement 2 – Do not use vendor supplied defaults for system passwords and other security parameters
  Policies/procedures: Pre-production modifications, Develop configuration hardening standards, Removing/disabling insecure/unnecessary services, protocols and functionality, One function per server, Encrypting all non-console access
Requirement 3 – Protect stored cardholder data
  Policies/procedures: Limit duration of data retention, Secure deletion, Data types retained, Display masking, Safe storage, Encryption key management
Requirement 4 – Encrypt transmission of cardholder data across open, public networks
  Policies/procedures: Minimum encryption standards, Wireless standards
Requirement 5 – Use and regularly update anti-virus software or programs
  Policies/procedures: Antivirus validation, current, actively running and generating logs
Requirement 6 – Develop and maintain secure systems and applications
  Policies/procedures: Vulnerability identification, ranking and management, Patching and patch validation, Secure application development and deployment, Change control, Code reviews
Requirement 7 – Restrict access to cardholder data by business need to know
  Policies/procedures: Data control need-to-know requirements, Role-based access
Requirement 8 – Assign a unique ID to each person with computer access
  Policies/procedures: Authentication and password management policies and procedures, Unique ID, User verification for password resets, Employee termination, Remove inactive users, Vendor access, Password length, duration and strength
Requirement 9 – Restrict physical access to cardholder data
  Policies/procedures: Access control, Badge assignment, Visitors, Media access, distribution and destruction
Requirement 10 – Track and monitor all access to network resources and cardholder data
  Policies/procedures: Daily log review, Exception handling, Log retention and availability
Requirement 11 – Regularly test security systems and processes
  Policies/procedures: Detect and identify wireless access points, Alerting, Incident handling and response, IDS/IPS configuration and updates, Change control
Requirement 12 – Maintain a policy that addresses information security for employees and contractors
  Policies/procedures: Information security policy, Risk assessment, Daily operational procedures, Usage policy, Personnel roles and responsibilities, Monitoring & analysis, Incident response and escalation plan, Security awareness program
10. Technologies
Requirement 1 – Install and maintain a firewall configuration to protect cardholder data
  Technologies: Firewall (network and personal), Routers and Switches, File Integrity Monitoring
Requirement 2 – Do not use vendor supplied defaults for system passwords and other security parameters
  Technologies: Vulnerability Scanning / Management, VPN
Requirement 3 – Protect stored cardholder data
  Technologies: Encryption, Backup / data retention
Requirement 4 – Encrypt transmission of cardholder data across open, public networks
  Technologies: Encryption, VPN, Firewall, WAF, IDS/IPS
Requirement 5 – Use and regularly update anti-virus software or programs
  Technologies: Antivirus, File Integrity Monitoring, Log Management
Requirement 6 – Develop and maintain secure systems and applications
  Technologies: Vulnerability Scanning / Management, Patch Management, WAF
Requirement 7 – Restrict access to cardholder data by business need to know
  Technologies: Firewall, VPN, Authentication, Application level access control
Requirement 8 – Assign a unique ID to each person with computer access
  Technologies: Multi-Factor Authentication, Application level access control, Firewall, VPN
Requirement 9 – Restrict physical access to cardholder data
  Technologies: PCI Certified Data Centers
Requirement 10 – Track and monitor all access to network resources and cardholder data
  Technologies: Log Management, SIM, SEIM, File Integrity Monitoring, NTP Service
Requirement 11 – Regularly test security systems and processes
  Technologies: Vulnerability Scanning, IDS/IPS, File Integrity Monitoring, Log Management
Requirement 12 – Maintain a policy that addresses information security for employees and contractors
  Technologies: Log Management, SIM, SEIM, IDS/IPS
11. Ten Common Myths of PCI DSS
Myth 1 – One vendor and product will make us compliant
Myth 2 – Outsourcing card processing makes us compliant
Myth 3 – PCI compliance is an IT project
Myth 4 – PCI will make us secure
Myth 5 – PCI is unreasonable; it requires too much
Myth 6 – PCI requires us to hire a Qualified Security Assessor
Myth 7 – We don’t take enough credit cards to be compliant
Myth 8 – We completed a SAQ so we’re compliant
Myth 9 – PCI makes us store cardholder data
Myth 10 – PCI is too hard
*Source: PCI Security Standards Council
12. Proven PCI management practices
• Limit the Scope of the PCI environment
• PCI embedded in an overall security program
• PCI compliant policies, procedures, and training
• Monitoring and Reporting
• Due diligence of your service providers and vendors
• Work with a QSA
• PCI DSS General Tips and Strategies to Prepare for Compliance Validation:
  1. Sensitive Authentication Data (includes the full track contents of the magnetic stripe or chip, card verification codes and values, PINs and PIN blocks):
     a. NEVER STORE THIS DATA
  2. Ask your POS vendor about the security of your system
  3. Cardholder data – if you don't need it, don't store it!
     a. Payment brand rules allow for the storage of the Primary Account Number (PAN), expiration date, cardholder name, and service code.
  4. Cardholder data – if you do need it, consolidate and isolate it.
  5. Compensating Controls
*Source: PCI DSS Self-Assessment Questionnaire Instructions and Guidelines V2.0
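Two points in this deck come down to the same control: the Requirement 3.2 violation on slide 6 (compromised entities did not know their systems were storing magnetic stripe data) and tip 1 above (never store Sensitive Authentication Data). Finding that data before an attacker does is a scanning job; the following Python scanner is an added example, not part of the presentation, that checks constructed sample file contents for Track 1/Track 2 equivalent data and bare PANs, applies a Luhn check to suppress false positives, and masks whatever it reports.

```python
import re

# Track 2 equivalent data: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1 equivalent data: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^\n]{2,26}\^(\d{4})(\d{3})[^?\n]*\??")
# Bare PAN candidate: 13-19 digits, optionally grouped by spaces or dashes
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

def luhn_ok(pan):
    """Luhn mod-10 check: rejects most order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Show at most the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_text(text):
    """Return (kind, masked PAN) findings for track data and Luhn-valid bare PANs."""
    findings = []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(text):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
        text = rx.sub(" ", text)  # don't report the same PAN again as a bare PAN
    for m in PAN_RE.finditer(text):
        pan = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(pan) <= 19 and luhn_ok(pan):
            findings.append(("pan", mask(pan)))
    return findings

# Constructed sample resembling a POS debug log (hypothetical; public test card numbers only)
SAMPLE = """\
2009-09-24 10:15:02 swipe ok ;4111111111111111=25121010000000000000?
2009-09-24 10:15:03 swipe ok %B5555555555554444^DOE/JANE^2512101000000000000?
2009-09-24 10:16:11 keyed PAN=4111 1111 1111 1111 exp=12/25
2009-09-24 10:17:40 order 1234567890123456 shipped
"""

if __name__ == "__main__":
    for kind, masked in scan_text(SAMPLE):
        print(f"{kind}: {masked}")
```

The fourth sample line is a 16-digit order number that fails the Luhn check and is therefore not reported; the two track lines show the Requirement 3.2 finding the deck warns about.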