SlideShare a Scribd company logo

PCI DSS Business as Usual

Download as PPTX, PDF
ControlCase
ControlCase

PCI version 3.0 mandates organizations to make compliance a business as usual activity instead of an annual audit. Contact ControlCase for more information on our GRC Platform which automates evidence collection and provides a configurable audit trail to track all record modifications and remediation workflows.

News & Politics
1 of 32
PCI DSS 3.0 – Making Compliance Business As Usual By Kishor Vaswani – CEO, ControlCase
Agenda • About PCI DSS • Overview of changes • PCI BAU by requirement number • Implementation tips • ControlCase solution • Q&A 1
About PCI DSS
What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card brands • Maintained by the PCI Security Standards Council (PCI SSC) 2
PCI DSS Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 3
Timeline of PCI DSS 3.0 4 • The new PCI DSS 3.0 have been published • Effective Jan 1st, 2014 • Must comply to PCI DSS 3.0 starting 2015
Overview of changes
Overview 5 Segmentation • Adequacy of segmentation • Penetration test Third parties/Service providers • Must validate PCI DSS compliance; OR • Must participate in customers PCI DSS compliance audit
Overview contd… 6 PCI DSS as Business as Usual • Monitoring of security controls • Review changes to environment • Review changes to org structure • Periodic review of controls vs. during audit • Separation of duties (operational vs. security) Physical protection of POS, ATM and Kiosks • Maintain inventory • Periodic inspection for tampering • Train personnel
PCI DSS 3.0 Business As Usual by Requirement Number
PCI Council Guidance on BAU 7 Monitoring of security controls • Firewalls • IDS/IPS • File Integrity Monitoring (FIM) • Anti Virus Ensuring failures in security controls are detected and responded • Restoring the security control • Identifying the root cause • Identifying any security issues because of the failure • Mitigation • Resume monitoring of security control • Segregation of duties between detective and preventive controls
PCI Council Guidance on BAU 8 Review changes to environment • Addition of new systems • Changes or organizational structure • Impact of change to PCI DSS scope • Requirement applicable to new scope • Implement any additional security controls because of change • New hardware and software (and older ones) continue to be supported and do not impact compliance Periodic reviews • Configuration • Physical security • Patches and Anti Virus • Audit logs • Access rights
Firewalls 9 People - PCI project manager to escalate non-compliance - Segregation of duties between operations performing change and compliance personnel reviewing change Process - PCI impact analysis as part of firewall change management process Technology - Automated/Periodic ruleset reviews - Weekly port scans from CDE to Internet to verify no outbound connections
Configuration Standards 10 People - PCI project manager to escalate non-compliance Process - Periodic update to configuration standards - New infrastructure onboarding process to include PCI configuration standards check Technology - Automated/Periodic configuration scans - Reminders to update configuration standards quarterly - Technology to flag new assets that have not formally undergone PCI configuration standards check
Protect Stored Cardholder Data 11 People - PCI project manager to escalate non-compliance to highest levels within organization Process - Periodic false positive management - Search for cardholder data during roll out tests/quality assurance Technology - Automated/Periodic cardholder data scans - Alerts in case of new cardholder data found
Protect Cardholder Data in Transmission 12 People - Training to ensure personnel do not email/chat clear text card data - Personnel allocated to review outbound data at random Process - Periodic review of modes of transmission i.e. wireless, chat, email etc. Technology - Automated technology to monitor transmission of card data through perimeter (e.g. email, chat monitoring)
Antivirus and Malware 13 People - PCI project manager to escalate non-compliance Process - Process to ensure all assets are protected by antivirus - Process to implement antivirus and anti-malware on all new systems being deployed Technology - Technology to detect any systems that do not have anti virus/anti malware installed
Secure Applications 14 People - Segregation of development and security duties - Periodic training of developers to security standards such as OWASP Process - Continuous scanning of applications - Scanning of applications as part of SDLC - Code review as part of SDLC - Review of QA/test cases on a periodic basis to ensure all of them have a security checkpoint and approval Technology - Application scanning software - Code review software - Identification of instances where changes have occurred to applications - Application firewalls
Access Control and User IDs 15 People - Segregation of personnel provisioning IDs and review of user access Process - Periodic review of user access - Attestation of user access - Onboarding procedures - Termination procedures Technology - Role based access control - Single sign on - Use of LDAP/AD/TACACS for password management
Physical Security 16 People - Designation of a person at every site as a site coordinator Process - Periodic walkthroughs and random audits of physical security - Weekly review of CCTV and badge logs - Periodic review of scope Technology - Alarms to report malfunction of devices such as cameras and badge access readers
Logging and Monitoring 17 People - Personnel to actively monitor logs 24/7/365 Process - Periodic review of asset inventory - Periodic review of scope - Process to ensure logs from all assets are feeding the SIEM solution - Restoration of logs from 12 months back every week/month Technology - Security and Event Management (SIEM) - Technology to identify new assets not covered within SIEM
Vulnerability Management 18 People - Segregation of personnel responsible for scanning vs remediation of anomalies - PCI project manager to escalate non-compliance Process - Ongoing review of target assets vs asset inventory for appropriateness/change - Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans Technology - Automated scanning technology - Technology to manage false positives and compensating controls - Asset management repository - File Integrity Monitoring (FIM) technology
Policies and Procedures 19 People - Coordination between procurement and compliance personnel Process - PCI DSS requirements tied to procurement process - PCI anomalies to be tracked within vendor/third party management solution Technology - Vendor management/Third party management solution
PCI DSS Requirements 20 Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security
Key Implementation Tips
Key Themes 21 Segregation of duties Technology operating effectively Automation Dedicated PCI project manager Repeatability Periodic Reviews
Dashboard for tracking activities 22
Calendar of reminders/tracking back to controls 23
ControlCase Solutions
ControlCase Cloud GRC 24 • Out of box tracking of PCI Controls • Out of box reminders for key BAU activities • Out of box dashboard for key compliance tasks to be done periodically • Out of box tracking of BAU anomalies
To Learn More About PCI Compliance… • Visit www.controlcase.com • Call +1.703.483.6383 (US) • Call +91.9820293399 (India) 25
Thank You for Your Time

Recommended

Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSControlCase
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as UsualControlCase
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)ControlCase
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 
ControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase
 

Recommended

Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSControlCase
 
Making Compliance Business as Usual
Making Compliance Business as UsualMaking Compliance Business as Usual
Making Compliance Business as UsualControlCase
 
PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0PCI DSS & PA DSS Version 3.0
PCI DSS & PA DSS Version 3.0ControlCase
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceControlCase
 
Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)Making PCI V3.0 Business as Usual (BAU)
Making PCI V3.0 Business as Usual (BAU)ControlCase
 
PCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarPCI DSS & PA DSS Version 3.0 Changes Webinar
PCI DSS & PA DSS Version 3.0 Changes WebinarControlCase
 
ControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase
 
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001ControlCase
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...ControlCase
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes ControlCase
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceKimberly Simon MBA
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudControlCase
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudKimberly Simon MBA
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance MonitoringKimberly Simon MBA
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudKimberly Simon MBA
 
Log monitoring and file integrity monitoring
Log monitoring and file integrity monitoringLog monitoring and file integrity monitoring
Log monitoring and file integrity monitoringControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringKimberly Simon MBA
 
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PALog Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PAControlCase
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2ControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated ComplianceKimberly Simon MBA
 
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001ControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSKimberly Simon MBA
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualKimberly Simon MBA
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 

More Related Content

What's hot

Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001ControlCase
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...ControlCase
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes ControlCase
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the CloudControlCase
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance MonitoringKimberly Simon MBA
 
Log monitoring and file integrity monitoring
Log monitoring and file integrity monitoringLog monitoring and file integrity monitoring
Log monitoring and file integrity monitoringControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringKimberly Simon MBA
 
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PALog Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PAControlCase
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2ControlCase
 
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001ControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)Kimberly Simon MBA
 

What's hot (19)

Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
 
PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes PCI DSS and PA DSS Version 3.0 Changes
PCI DSS and PA DSS Version 3.0 Changes
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
PCI Compliance in the Cloud
PCI Compliance in the CloudPCI Compliance in the Cloud
PCI Compliance in the Cloud
 
Log monitoring and file integrity monitoring
Log monitoring and file integrity monitoringLog monitoring and file integrity monitoring
Log monitoring and file integrity monitoring
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PALog Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
Log Monitoring, FIM– PCI DSS, ISO 27001, HIPAA, FISMA and EI3PA
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2Continual Compliance for PCI DSS, E13PA and ISO 27001/2
Continual Compliance for PCI DSS, E13PA and ISO 27001/2
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
Log Monitoring and File Integrity Monitoring for PCI DSS, EI3PA and ISO 27001
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 

Similar to PCI DSS Business as Usual

PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualKimberly Simon MBA
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as UsualControlCase
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)ControlCase
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler HelpSystems
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewisc2-hellenic
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardPCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardJohn Bedrick
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveMark Akins
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation servicesTariq Juneja
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesControlCase
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Hassan EL ALLOUSSI
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security StandardsAshintha Rukmal
 
Things to Keep in Mind Regarding PCI DSS Compliance
Things to Keep in Mind Regarding PCI DSS ComplianceThings to Keep in Mind Regarding PCI DSS Compliance
Things to Keep in Mind Regarding PCI DSS ComplianceINTERCERT
 

Similar to PCI DSS Business as Usual (20)

PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as UsualPCI DSS 3.2 - Business as Usual
PCI DSS 3.2 - Business as Usual
 
PCI DSS Business as Usual
PCI DSS Business as UsualPCI DSS Business as Usual
PCI DSS Business as Usual
 
PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)PCI DSS Business as Usual (BAU)
PCI DSS Business as Usual (BAU)
 
PCI presentation
PCI presentationPCI presentation
PCI presentation
 
How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler How to Achieve PCI Compliance with an Enterprise Job Scheduler
How to Achieve PCI Compliance with an Enterprise Job Scheduler
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
PCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The StandardPCI Compliance - Delving Deeper In The Standard
PCI Compliance - Delving Deeper In The Standard
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
SFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA PerspectiveSFISSA - PCI DSS 3.0 - A QSA Perspective
SFISSA - PCI DSS 3.0 - A QSA Perspective
 
Pci dss-for-it-providers
Pci dss-for-it-providersPci dss-for-it-providers
Pci dss-for-it-providers
 
PCI Certification and remediation services
PCI Certification and remediation servicesPCI Certification and remediation services
PCI Certification and remediation services
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...Presentation: To an efficient tool for securing the card data on the Cloud: C...
Presentation: To an efficient tool for securing the card data on the Cloud: C...
 
Payment Card Industry Security Standards
Payment Card Industry Security StandardsPayment Card Industry Security Standards
Payment Card Industry Security Standards
 
Things to Keep in Mind Regarding PCI DSS Compliance
Things to Keep in Mind Regarding PCI DSS ComplianceThings to Keep in Mind Regarding PCI DSS Compliance
Things to Keep in Mind Regarding PCI DSS Compliance
 

More from ControlCase

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfControlCase
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxControlCase
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdfControlCase
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfControlCase
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfControlCase
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxControlCase
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdfControlCase
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfControlCase
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdfControlCase
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxControlCase
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxControlCase
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST CertificationControlCase
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC CertificationControlCase
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceControlCase
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and CertificationControlCase
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance ChecklistControlCase
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyControlCase
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance MonitoringControlCase
 

More from ControlCase (20)

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
Integrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptxIntegrated Compliance Webinar.pptx
Integrated Compliance Webinar.pptx
 
2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf2022-Q2-Webinar-ISO_Spanish_Final.pdf
2022-Q2-Webinar-ISO_Spanish_Final.pdf
 
French PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdfFrench PCI DSS v4.0 Webinaire.pdf
French PCI DSS v4.0 Webinaire.pdf
 
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdfDFARS CMMC SPRS NIST 800-171 Explainer.pdf
DFARS CMMC SPRS NIST 800-171 Explainer.pdf
 
Webinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptxWebinar-MSP+ Cyber Insurance Fina.pptx
Webinar-MSP+ Cyber Insurance Fina.pptx
 
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
2022-Q3-Webinar-PPT-DataProtectionByDesign.pdf
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf2022 Webinar - ISO 27001 Certification.pdf
2022 Webinar - ISO 27001 Certification.pdf
 
PCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptxPCI DSS 4.0 Webinar Final.pptx
PCI DSS 4.0 Webinar Final.pptx
 
Webinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptxWebinar - CMMC Certification.pptx
Webinar - CMMC Certification.pptx
 
HITRUST Certification
HITRUST CertificationHITRUST Certification
HITRUST Certification
 
CMMC Certification
CMMC CertificationCMMC Certification
CMMC Certification
 
FedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP MarketplaceFedRAMP Certification & FedRAMP Marketplace
FedRAMP Certification & FedRAMP Marketplace
 
SOC 2 Compliance and Certification
SOC 2 Compliance and CertificationSOC 2 Compliance and Certification
SOC 2 Compliance and Certification
 
PCI DSS Compliance Checklist
PCI DSS Compliance ChecklistPCI DSS Compliance Checklist
PCI DSS Compliance Checklist
 
OneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to ManyOneAudit™ - Assess Once, Certify to Many
OneAudit™ - Assess Once, Certify to Many
 
Continuous Compliance Monitoring
Continuous Compliance MonitoringContinuous Compliance Monitoring
Continuous Compliance Monitoring
 

Recently uploaded

57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdf57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdfGerald Furnkranz
 
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...Axel Bruns
 
Referendum Party 2024 Election Manifesto
Referendum Party 2024 Election ManifestoReferendum Party 2024 Election Manifesto
Referendum Party 2024 Election ManifestoSABC News
 
Top 10 Wealthiest People In The World.pdf
Top 10 Wealthiest People In The World.pdfTop 10 Wealthiest People In The World.pdf
Top 10 Wealthiest People In The World.pdfauroraaudrey4826
 
Opportunities, challenges, and power of media and information
Opportunities, challenges, and power of media and informationOpportunities, challenges, and power of media and information
Opportunities, challenges, and power of media and informationReyMonsales
 
Different Frontiers of Social Media War in Indonesia Elections 2024
Different Frontiers of Social Media War in Indonesia Elections 2024Different Frontiers of Social Media War in Indonesia Elections 2024
Different Frontiers of Social Media War in Indonesia Elections 2024Ismail Fahmi
 
Quiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the roundsQuiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the roundsnaxymaxyy
 
N Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election Campaign
N Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election CampaignN Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election Campaign
N Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election Campaignanjanibaddipudi1
 
Brief biography of Julius Robert Oppenheimer
Brief biography of Julius Robert OppenheimerBrief biography of Julius Robert Oppenheimer
Brief biography of Julius Robert OppenheimerOmarCabrera39
 
AP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep Victory
AP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep VictoryAP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep Victory
AP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep Victoryanjanibaddipudi1
 
Chandrayaan 3 Successful Moon Landing Mission.pdf
Chandrayaan 3 Successful Moon Landing Mission.pdfChandrayaan 3 Successful Moon Landing Mission.pdf
Chandrayaan 3 Successful Moon Landing Mission.pdfauroraaudrey4826
 
VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012ankitnayak356677
 
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...Ismail Fahmi
 
Manipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpkManipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpkbhavenpr
 
Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.NaveedKhaskheli1
 
complaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfkcomplaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfkbhavenpr
 

Recently uploaded (16)

57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdf57 Bidens Annihilation Nation Policy.pdf
57 Bidens Annihilation Nation Policy.pdf
 
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
Dynamics of Destructive Polarisation in Mainstream and Social Media: The Case...
 
Referendum Party 2024 Election Manifesto
Referendum Party 2024 Election ManifestoReferendum Party 2024 Election Manifesto
Referendum Party 2024 Election Manifesto
 
Top 10 Wealthiest People In The World.pdf
Top 10 Wealthiest People In The World.pdfTop 10 Wealthiest People In The World.pdf
Top 10 Wealthiest People In The World.pdf
 
Opportunities, challenges, and power of media and information
Opportunities, challenges, and power of media and informationOpportunities, challenges, and power of media and information
Opportunities, challenges, and power of media and information
 
Different Frontiers of Social Media War in Indonesia Elections 2024
Different Frontiers of Social Media War in Indonesia Elections 2024Different Frontiers of Social Media War in Indonesia Elections 2024
Different Frontiers of Social Media War in Indonesia Elections 2024
 
Quiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the roundsQuiz for Heritage Indian including all the rounds
Quiz for Heritage Indian including all the rounds
 
N Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election Campaign
N Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election CampaignN Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election Campaign
N Chandrababu Naidu Launches 'Praja Galam' As Part of TDP’s Election Campaign
 
Brief biography of Julius Robert Oppenheimer
Brief biography of Julius Robert OppenheimerBrief biography of Julius Robert Oppenheimer
Brief biography of Julius Robert Oppenheimer
 
AP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep Victory
AP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep VictoryAP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep Victory
AP Election Survey 2024: TDP-Janasena-BJP Alliance Set To Sweep Victory
 
Chandrayaan 3 Successful Moon Landing Mission.pdf
Chandrayaan 3 Successful Moon Landing Mission.pdfChandrayaan 3 Successful Moon Landing Mission.pdf
Chandrayaan 3 Successful Moon Landing Mission.pdf
 
VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012VIP Girls Available Call or WhatsApp 9711199012
VIP Girls Available Call or WhatsApp 9711199012
 
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
HARNESSING AI FOR ENHANCED MEDIA ANALYSIS A CASE STUDY ON CHATGPT AT DRONE EM...
 
Manipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpkManipur-Book-Final-2-compressed.pdfsal'rpk
Manipur-Book-Final-2-compressed.pdfsal'rpk
 
Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.Global Terrorism and its types and prevention ppt.
Global Terrorism and its types and prevention ppt.
 
complaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfkcomplaint-ECI-PM-media-1-Chandru.pdfra;;prfk
complaint-ECI-PM-media-1-Chandru.pdfra;;prfk
 

PCI DSS Business as Usual

  • 1. PCI DSS 3.0 – Making Compliance Business As Usual By Kishor Vaswani – CEO, ControlCase
  • 2. Agenda • About PCI DSS • Overview of changes • PCI BAU by requirement number • Implementation tips • ControlCase solution • Q&A 1
  • 4. What is PCI DSS? Payment Card Industry Data Security Standard: • Guidelines for securely processing, storing, or transmitting payment card account data • Established by leading payment card brands • Maintained by the PCI Security Standards Council (PCI SSC) 2
  • 5. PCI DSS Requirements Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security 3
  • 6. Timeline of PCI DSS 3.0 4 • The new PCI DSS 3.0 have been published • Effective Jan 1st, 2014 • Must comply to PCI DSS 3.0 starting 2015
  • 8. Overview 5 Segmentation • Adequacy of segmentation • Penetration test Third parties/Service providers • Must validate PCI DSS compliance; OR • Must participate in customers PCI DSS compliance audit
  • 9. Overview contd… 6 PCI DSS as Business as Usual • Monitoring of security controls • Review changes to environment • Review changes to org structure • Periodic review of controls vs. during audit • Separation of duties (operational vs. security) Physical protection of POS, ATM and Kiosks • Maintain inventory • Periodic inspection for tampering • Train personnel
  • 10. PCI DSS 3.0 Business As Usual by Requirement Number
  • 11. PCI Council Guidance on BAU 7 Monitoring of security controls • Firewalls • IDS/IPS • File Integrity Monitoring (FIM) • Anti Virus Ensuring failures in security controls are detected and responded • Restoring the security control • Identifying the root cause • Identifying any security issues because of the failure • Mitigation • Resume monitoring of security control • Segregation of duties between detective and preventive controls
  • 12. PCI Council Guidance on BAU 8 Review changes to environment • Addition of new systems • Changes or organizational structure • Impact of change to PCI DSS scope • Requirement applicable to new scope • Implement any additional security controls because of change • New hardware and software (and older ones) continue to be supported and do not impact compliance Periodic reviews • Configuration • Physical security • Patches and Anti Virus • Audit logs • Access rights
  • 13. Firewalls 9 People - PCI project manager to escalate non-compliance - Segregation of duties between operations performing change and compliance personnel reviewing change Process - PCI impact analysis as part of firewall change management process Technology - Automated/Periodic ruleset reviews - Weekly port scans from CDE to Internet to verify no outbound connections
  • 14. Configuration Standards 10 People - PCI project manager to escalate non-compliance Process - Periodic update to configuration standards - New infrastructure onboarding process to include PCI configuration standards check Technology - Automated/Periodic configuration scans - Reminders to update configuration standards quarterly - Technology to flag new assets that have not formally undergone PCI configuration standards check
  • 15. Protect Stored Cardholder Data 11 People - PCI project manager to escalate non-compliance to highest levels within organization Process - Periodic false positive management - Search for cardholder data during roll out tests/quality assurance Technology - Automated/Periodic cardholder data scans - Alerts in case of new cardholder data found
  • 16. Protect Cardholder Data in Transmission 12 People - Training to ensure personnel do not email/chat clear text card data - Personnel allocated to review outbound data at random Process - Periodic review of modes of transmission i.e. wireless, chat, email etc. Technology - Automated technology to monitor transmission of card data through perimeter (e.g. email, chat monitoring)
  • 17. Antivirus and Malware 13 People - PCI project manager to escalate non-compliance Process - Process to ensure all assets are protected by antivirus - Process to implement antivirus and anti-malware on all new systems being deployed Technology - Technology to detect any systems that do not have anti virus/anti malware installed
  • 18. Secure Applications 14 People - Segregation of development and security duties - Periodic training of developers to security standards such as OWASP Process - Continuous scanning of applications - Scanning of applications as part of SDLC - Code review as part of SDLC - Review of QA/test cases on a periodic basis to ensure all of them have a security checkpoint and approval Technology - Application scanning software - Code review software - Identification of instances where changes have occurred to applications - Application firewalls
  • 19. Access Control and User IDs 15 People - Segregation of personnel provisioning IDs and review of user access Process - Periodic review of user access - Attestation of user access - Onboarding procedures - Termination procedures Technology - Role based access control - Single sign on - Use of LDAP/AD/TACACS for password management
  • 20. Physical Security 16 People - Designation of a person at every site as a site coordinator Process - Periodic walkthroughs and random audits of physical security - Weekly review of CCTV and badge logs - Periodic review of scope Technology - Alarms to report malfunction of devices such as cameras and badge access readers
  • 21. Logging and Monitoring 17 People - Personnel to actively monitor logs 24/7/365 Process - Periodic review of asset inventory - Periodic review of scope - Process to ensure logs from all assets are feeding the SIEM solution - Restoration of logs from 12 months back every week/month Technology - Security and Event Management (SIEM) - Technology to identify new assets not covered within SIEM
  • 22. Vulnerability Management 18 People - Segregation of personnel responsible for scanning vs remediation of anomalies - PCI project manager to escalate non-compliance Process - Ongoing review of target assets vs asset inventory for appropriateness/change - Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans Technology - Automated scanning technology - Technology to manage false positives and compensating controls - Asset management repository - File Integrity Monitoring (FIM) technology
  • 23. Policies and Procedures 19 People - Coordination between procurement and compliance personnel Process - PCI DSS requirements tied to procurement process - PCI anomalies to be tracked within vendor/third party management solution Technology - Vendor management/Third party management solution
  • 24. PCI DSS Requirements 20 Control Objectives Requirements Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect cardholder data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks Maintain a vulnerability management program 5. Use and regularly update anti-virus software on all systems commonly affected by malware 6. Develop and maintain secure systems and applications Implement strong access control measures 7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an information security policy 12. Maintain a policy that addresses information security
  • 27. Dashboard for tracking activities 22
  • 28. Calendar of reminders/tracking back to controls 23
  • 30. ControlCase Cloud GRC 24 • Out of box tracking of PCI Controls • Out of box reminders for key BAU activities • Out of box dashboard for key compliance tasks to be done periodically • Out of box tracking of BAU anomalies
  • 31. To Learn More About PCI Compliance… • Visit www.controlcase.com • Call +1.703.483.6383 (US) • Call +91.9820293399 (India) 25
  • 32. Thank You for Your Time