PCI version 3.0 mandates organizations to make compliance a business as usual activity instead of an annual audit. Contact ControlCase for more information on our GRC Platform which automates evidence collection and provides a configurable audit trail to track all record modifications and remediation workflows.
4. What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or
transmitting payment card account data
• Established by leading payment card brands
• Maintained by the PCI Security Standards Council
(PCI SSC)
2
5. PCI DSS Requirements
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security
3
6. Timeline of PCI DSS 3.0
4
• The new PCI DSS 3.0 have been published
• Effective Jan 1st, 2014
• Must comply to PCI DSS 3.0 starting 2015
8. Overview
5
Segmentation
• Adequacy of segmentation
• Penetration test
Third parties/Service providers
• Must validate PCI DSS compliance; OR
• Must participate in customers PCI DSS
compliance audit
9. Overview contd…
6
PCI DSS as Business as Usual
• Monitoring of security controls
• Review changes to environment
• Review changes to org structure
• Periodic review of controls vs. during audit
• Separation of duties (operational vs. security)
Physical protection of POS, ATM and Kiosks
• Maintain inventory
• Periodic inspection for tampering
• Train personnel
10. PCI DSS 3.0 Business As Usual by
Requirement Number
11. PCI Council Guidance on BAU
7
Monitoring of
security controls
• Firewalls
• IDS/IPS
• File Integrity Monitoring (FIM)
• Anti Virus
Ensuring failures
in security
controls are
detected and
responded
• Restoring the security control
• Identifying the root cause
• Identifying any security issues because of the failure
• Mitigation
• Resume monitoring of security control
• Segregation of duties between detective and
preventive controls
12. PCI Council Guidance on BAU
8
Review changes
to environment
• Addition of new systems
• Changes or organizational structure
• Impact of change to PCI DSS scope
• Requirement applicable to new scope
• Implement any additional security controls because of
change
• New hardware and software (and older ones) continue
to be supported and do not impact compliance
Periodic reviews
• Configuration
• Physical security
• Patches and Anti Virus
• Audit logs
• Access rights
13. Firewalls
9
People
- PCI project manager to
escalate non-compliance
- Segregation of duties
between operations
performing change and
compliance personnel
reviewing change
Process
- PCI impact analysis as part of
firewall change management
process
Technology
- Automated/Periodic ruleset
reviews
- Weekly port scans from CDE
to Internet to verify no
outbound connections
14. Configuration Standards
10
People
- PCI project manager to
escalate non-compliance
Process
- Periodic update to
configuration standards
- New infrastructure
onboarding process to include
PCI configuration standards
check
Technology
- Automated/Periodic
configuration scans
- Reminders to update
configuration standards
quarterly
- Technology to flag new assets
that have not formally
undergone PCI configuration
standards check
15. Protect Stored Cardholder Data
11
People
- PCI project manager to
escalate non-compliance to
highest levels within
organization
Process
- Periodic false positive
management
- Search for cardholder data
during roll out tests/quality
assurance
Technology
- Automated/Periodic
cardholder data scans
- Alerts in case of new
cardholder data found
16. Protect Cardholder Data in Transmission
12
People
- Training to ensure personnel
do not email/chat clear text
card data
- Personnel allocated to review
outbound data at random
Process
- Periodic review of modes of
transmission i.e. wireless,
chat, email etc.
Technology
- Automated technology to
monitor transmission of card
data through perimeter (e.g.
email, chat monitoring)
17. Antivirus and Malware
13
People
- PCI project manager to
escalate non-compliance
Process
- Process to ensure all assets
are protected by antivirus
- Process to implement
antivirus and anti-malware on
all new systems being
deployed
Technology
- Technology to detect any
systems that do not have anti
virus/anti malware installed
18. Secure Applications
14
People
- Segregation of development
and security duties
- Periodic training of
developers to security
standards such as OWASP
Process
- Continuous scanning of
applications
- Scanning of applications as
part of SDLC
- Code review as part of SDLC
- Review of QA/test cases on a
periodic basis to ensure all of
them have a security
checkpoint and approval
Technology
- Application scanning software
- Code review software
- Identification of instances
where changes have occurred
to applications
- Application firewalls
19. Access Control and User IDs
15
People
- Segregation of personnel
provisioning IDs and review of
user access
Process
- Periodic review of user access
- Attestation of user access
- Onboarding procedures
- Termination procedures
Technology
- Role based access control
- Single sign on
- Use of LDAP/AD/TACACS for
password management
20. Physical Security
16
People
- Designation of a person at
every site as a site
coordinator
Process
- Periodic walkthroughs and
random audits of physical
security
- Weekly review of CCTV and
badge logs
- Periodic review of scope
Technology
- Alarms to report malfunction
of devices such as cameras
and badge access readers
21. Logging and Monitoring
17
People
- Personnel to actively monitor
logs 24/7/365
Process
- Periodic review of asset inventory
- Periodic review of scope
- Process to ensure logs from all
assets are feeding the SIEM solution
- Restoration of logs from 12 months
back every week/month
Technology
- Security and Event
Management (SIEM)
- Technology to identify new
assets not covered within
SIEM
22. Vulnerability Management
18
People
- Segregation of personnel
responsible for scanning vs
remediation of anomalies
- PCI project manager to
escalate non-compliance
Process
- Ongoing review of target
assets vs asset inventory for
appropriateness/change
- Periodic testing of IDS/IPS
effectiveness through random
penetration
tests/vulnerability scans
Technology
- Automated scanning
technology
- Technology to manage false
positives and compensating
controls
- Asset management repository
- File Integrity Monitoring (FIM)
technology
23. Policies and Procedures
19
People
- Coordination between
procurement and compliance
personnel
Process
- PCI DSS requirements tied to
procurement process
- PCI anomalies to be tracked
within vendor/third party
management solution
Technology
- Vendor management/Third
party management solution
24. PCI DSS Requirements
20
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect
cardholder data
2. Do not use vendor-supplied defaults for system passwords and
other security parameters
Protect cardholder data 3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability
management program
5. Use and regularly update anti-virus software on all systems
commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control
measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and
cardholder data
11. Regularly test security systems and processes
Maintain an information security
policy
12. Maintain a policy that addresses information security
30. ControlCase Cloud GRC
24
• Out of box tracking of PCI Controls
• Out of box reminders for key BAU activities
• Out of box dashboard for key compliance
tasks to be done periodically
• Out of box tracking of BAU anomalies
31. To Learn More About PCI Compliance…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
25