WEBINAR: PCI DSS COMPLIANCE CHECKLIST
YOUR IT COMPLIANCE PARTNER – GO BEYOND THE CHECKLIST
DOWNLOAD PCI DSS COMPLIANCE CHECKLIST
PCI DSS COMPLIANCE CHECKLIST BLOG
6 PRINCIPLES OF PCI DSS COMPLIANCE BLOG
AGENDA
1. ControlCase Introduction
2. What Is PCI DSS & Its Purpose?
3. Who Does PCI DSS Apply To?
4. What Are The 6 Principles Of PCI DSS?
5. What Are The 12 PCI DSS Requirements?
6. What Are The Potential Liabilities Of Not Complying With PCI DSS?
7. How Can We Achieve Compliance In A Cost-effective Manner?
8. Why ControlCase
© 2020 ControlCase. All Rights Reserved. 2
1 CONTROLCASE INTRODUCTION
ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor’s checklist to dramatically cut the time, cost and burden from becoming certified and maintaining IT compliance.
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Improve efficiencies
  ⁃ Do more with fewer resources and gain compliance peace of mind
• Free up your internal resources to focus on their priorities
• Offload much of the compliance burden to a trusted compliance partner
1,000+ CLIENTS · 10,000+ IT SECURITY CERTIFICATIONS · 300+ SECURITY EXPERTS
Solution: Certification and Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Certification Services
One Audit™ – Assess Once. Comply to Many.
“You have 27 seconds to make a first impression. And after our initial meeting, it became clear that they were more interested in helping our business and building a relationship, not just getting the business.”
— Sr. Director, Information Risk & Compliance, Large Merchant
Standards covered: PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HITRUST CSF, HIPAA, PCI P2PE, GDPR, NIST CSF, Risk Assessment, PCI PIN, PCI PA-DSS, FedRAMP, PCI 3DS
2 WHAT IS PCI DSS & ITS PURPOSE?
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Established in 2006 by leading payment card issuers (VISA, MasterCard, American Express, JCB International & Discover Financial Services).
• Maintained by the PCI Security Standards Council (PCI SSC).
• PCI DSS provides operational and technical requirements to protect cardholder data.
PCI DSS Family of Standards
• PCI DSS – Security of environments that store, process or transmit account data
• PCI PA-DSS – Secures payment applications to support PCI DSS compliance
• PCI P2PE – Ensures data is encrypted at the POI and can only be decrypted by a dedicated environment
• PCI TSP – Requirements for token service providers for EMV payment tokens
• PCI Card Production – Physical and logical security requirements for card manufacturing and personalization
• PCI 3DS – Physical and logical requirements for entities that implement a 3DS payment solution
• PCI PTS – HSM – Physical and logical controls for securing HSMs
• PCI PTS – POI – Protection of sensitive data at the POI
• PCI PTS – PIN Security – Secure management, processing and transmission of PIN data
Data in Question (Credit and Debit Card Data)
Cardholder Data includes:
• Primary Account Number (PAN)
• Cardholder’s Name
• Expiration Date
• Service Code
Sensitive Authentication Data includes:
• Full Track Data
• CAV2/CVC2/CVV2/CID
• PINs/PIN blocks
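The PAN is the element that brings a system into PCI DSS scope, so a practitioner's first question is usually "where does it live?" The following is an added example, not code from the webinar or from ControlCase, of the core of a card-data discovery check: it finds digit runs that look like a PAN, keeps only those that pass the Luhn mod-10 check (which removes most invoice numbers and timestamps), and reports each hit masked to the first six and last four digits so the report itself does not become a new copy of stored cardholder data. The sample text and its line layout are constructed; the card numbers in it are the public industry test numbers, not real accounts.

```python
"""
Added example, not code from the webinar or from ControlCase: find candidate
Primary Account Numbers (PANs) in text, keep only Luhn-valid candidates to
cut false positives, and report them masked (first six / last four) so the
discovery report itself does not become stored cardholder data.
The text below is constructed; the card numbers in it are the public
industry test numbers, not real accounts.
"""
import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer (possibly separated) digit run
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?![ -]?\d)")

# Constructed sample input
SAMPLE_TEXT = """\
order 10001 shipped to customer 4242
card on file: 4111 1111 1111 1111 exp 12/24
note: pan 4111-1111-1111-1112 (typo, fails luhn)
amex 378282246310005 used for deposit
ref 1234567890123 is an invoice number, not a card
"""


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every PAN satisfies; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Display masking: keep at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked_pan: str


def discover_pans(text: str) -> list[Finding]:
    """Return masked, Luhn-valid PAN findings with the line they were found on."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(digits)))
    return findings


def run_sample() -> list[Finding]:
    return discover_pans(SAMPLE_TEXT)


if __name__ == "__main__":
    for f in run_sample():
        print(f"line {f.line_no}: {f.masked_pan}")
```

Two lines in the sample are deliberately near misses: a 16-digit number with one wrong digit and a 13-digit invoice reference. Both match the pattern and both fail Luhn, which is why a discovery tool should never report on the regular expression alone; a Luhn pass still only means "looks like a card number", so hits go to a human for confirmation.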
3 WHO DOES PCI DSS APPLY TO?
Applicability
Companies and systems which STORE, PROCESS or TRANSMIT cardholder data.
MERCHANTS
• Comply with PCI DSS
• Secure cardholder data
• Use compliant service providers
ACQUIRING BANKS
• Communicate with and educate merchants
• Report merchant compliance to Card Brands
• Enforce PCI DSS
QSA’s, PFI’s & ASV’s
• Verify compliance through onsite assessment
• Quarterly vulnerability scans
• Render opinions to merchant bank on compensating controls
• Forensics review of compromised entities
SERVICE PROVIDERS
• Secure cardholder data
• Comply with PCI DSS
CARD BRANDS
• Promote adoption
• Sanctions
• Rewards
• Maintain PCI DSS
• Certify QSA’s & ASV’s
4 WHAT ARE THE 6 PRINCIPLES OF PCI DSS?
1. Build & Maintain a Secure Network
   1. Install and maintain a firewall configuration to protect cardholder data
   2. Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public networks
3. Maintain a Vulnerability Management Program
   5. Use and regularly update anti-virus software or programs
   6. Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures
   7. Restrict access to cardholder data by business need-to-know
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
6. Maintain an Information Security Policy
   12. Maintain a policy that addresses information security for employees and contractors
5 WHAT ARE THE 12 PCI DSS REQUIREMENTS?
12 PCI DSS Requirements
CONTROL OBJECTIVES (6 PRINCIPLES) | 12 REQUIREMENTS
Build and maintain a secure network
   1. Install and maintain a firewall configuration to protect cardholder data
   2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
   3. Protect stored cardholder data
   4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
   5. Use and regularly update anti-virus software on all systems commonly affected by malware
   6. Develop and maintain secure systems and applications
Implement strong access control measures
   7. Restrict access to cardholder data by business need-to-know
   8. Assign a unique ID to each person with computer access
   9. Restrict physical access to cardholder data
Regularly monitor and test networks
   10. Track and monitor all access to network resources and cardholder data
   11. Regularly test security systems and processes
Maintain an information security policy
   12. Maintain a policy that addresses information security
Requirement 1: Firewalls & DMZ
Secure architecture. Firewall ruleset reviews.
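A ruleset review is largely a search for a few rule shapes that should never survive into production. The following is an added example, not code from the webinar or from any firewall vendor, of that search run over a constructed rule list: it flags permits with an "any" source, destination or service, permits that go straight from the untrusted zone into the cardholder data environment (CDE) without passing through the DMZ, and permits with no documented business justification. The zone names, the rule fields and the six sample rules are assumptions made for this example.

```python
"""
Added example, not code from the webinar or from any firewall vendor: a
minimal ruleset review of the kind Requirement 1 asks for, run over a
constructed rule list. It flags the rule classes an assessor looks for first:
permits with an 'any' source, destination or service; permits straight from
the untrusted zone into the cardholder data environment (CDE) that bypass the
DMZ; and permits with no documented business justification. The zone names
and the rule fields are assumptions made for this example.
"""
from dataclasses import dataclass

UNTRUSTED_ZONE = "internet"   # assumed zone name for the public side
CDE_ZONE = "cde"              # assumed zone name for the cardholder data environment


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    service: str        # e.g. "tcp/443", or "any"
    action: str         # "permit" or "deny"
    justification: str  # documented business reason, may be empty


@dataclass(frozen=True)
class ReviewFinding:
    rule_id: str
    issue: str


# Constructed ruleset for the example; R1/R2 are the expected shape, the rest
# are the kinds of rule that should not survive a review.
SAMPLE_RULES = [
    Rule("R1", "internet", "dmz", "tcp/443", "permit", "public web storefront"),
    Rule("R2", "dmz", "cde", "tcp/5432", "permit", "web tier to payment DB"),
    Rule("R3", "internet", "cde", "tcp/3389", "permit", "vendor remote support"),
    Rule("R4", "any", "any", "any", "permit", "temporary troubleshooting"),
    Rule("R5", "corp", "cde", "any", "permit", ""),
    Rule("R6", "any", "any", "any", "deny", "default deny"),
]


def review_ruleset(rules: list[Rule]) -> list[ReviewFinding]:
    """Return one finding per problem per permit rule, in ruleset order."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue  # deny rules, including the final default deny, are fine
        if (r.src_zone, r.dst_zone, r.service) == ("any", "any", "any"):
            findings.append(ReviewFinding(r.rule_id, "any/any/any permit"))
            continue  # nothing more specific is worth saying about it
        if r.service == "any":
            findings.append(ReviewFinding(r.rule_id, "permit for any service"))
        if r.src_zone == UNTRUSTED_ZONE and r.dst_zone == CDE_ZONE:
            findings.append(ReviewFinding(
                r.rule_id, "direct internet-to-CDE permit bypasses the DMZ"))
        if not r.justification.strip():
            findings.append(ReviewFinding(
                r.rule_id, "no documented business justification"))
    return findings


def review_sample() -> list[ReviewFinding]:
    return review_ruleset(SAMPLE_RULES)


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f.rule_id}: {f.issue}")
```

R3 is the case the slide's "DMZ" wording is about: a permit can have a perfectly good justification and still be wrong because of where it lands. A real review would also compare the ruleset against the documented, approved service list and check for rules that have not matched traffic in months, both of which need data this example does not carry.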
Requirement 2: Configuration Standards
• Ensure that secure configuration standards exist and are updated.
• New and existing systems comply with the latest standards.
• A method to track and validate systems against the standards.
Requirement 3: Protect Stored Cardholder Data
You must ensure stored data is encrypted and protected.
Requirement 4: Protect Cardholder Data in Transmission
You must ensure data being transmitted is encrypted.
Requirement 5: Antivirus
• Antivirus must be installed on all systems commonly affected by viruses/malware.
• Configuration of antivirus.
• Antivirus logs must be captured, reviewed and stored appropriately.
Requirement 6: Secure Applications
You must ensure all applications are developed securely and without vulnerabilities.
Requirements 7 & 8: Access Control
• Appropriate access control mechanisms.
• Appropriate review of user access.
• Appropriate password strength.
• Appropriate two-factor procedures for remote access.
• Appropriate onboarding and termination procedures.
Requirement 9: Physical Security
• Badge and other access controls.
• CCTV and access logs.
• Visitor procedures.
• Security of media (including tapes, CDs).
• Appropriate systems to control badge access.
• Review of access logs.
Requirement 10: Logging and Monitoring
• Capturing logs on all devices in the cardholder data environment.
• Appropriate data points to be captured within logs.
• Review of logs and related anomalies in a timely manner.
• Use of Intrusion Detection and File Integrity Monitoring techniques.
• Appropriate synchronisation of time using NTP.
Requirement 11: Vulnerability Management
Quarterly Vulnerability Scanning
• Wireless
• Internal
• External
Annual Penetration Tests
• Internal network
• External network
• Application layer
• Others (such as social engineering and war dialing)
Requirement 12: Policies and Procedures
• Documented information security policies and procedures.
• Annual user awareness training.
• Background checks.
• Vendor (third party) management program.
• Incident management program.
6 WHAT ARE THE POTENTIAL LIABILITIES OF NOT COMPLYING WITH PCI DSS?
Potential Liabilities for not complying with PCI DSS
• Loss of revenue through hacking or vulnerability attack.
• Penalties ranging from $5,000 to $100,000 per month. Penalties depend on the following:
  ⁃ Volume of clients
  ⁃ Volume of transactions
  ⁃ Level of PCI DSS that the company should be on
  ⁃ Length of time that the company has been non-compliant
• Damage to company reputation or credit rating.
• Loss of contracts.
7 HOW TO ACHIEVE COMPLIANCE IN A COST-EFFECTIVE MANNER
Automation
1. ACE – Automated Compliance Engine: collect evidence such as configurations remotely.
2. CDD – Data Discovery Solution: scan end user workstations for card data.
3. VAPT – Vulnerability Assessment and Penetration Testing: perform remote vulnerability scans and penetration tests.
4. LOGS – Log Analysis and Alerting: review log settings and identify missing logs remotely.
One Audit™ – Assess Once. Comply to Many.
Standards covered: PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, PCI SSF, HIPAA, PCI P2PE, GDPR, NIST CSF, PCI PIN, PCI PA-DSS, CSA STAR, Microsoft SSPA
Continuous Compliance Management
WHAT IS CONTINUOUS COMPLIANCE
BENEFITS OF CONTINUOUS COMPLIANCE
• Eliminates the need for potential major last-minute audit findings
• Reduces effort for the final audit by approximately 25%
• Reduces the risk of technical shortcomings such as:
  ⁃ Quarterly scans missed certain assets
  ⁃ Logs from all assets not reporting
DELIVERABLE OF CONTINUOUS COMPLIANCE
• Quarterly review of 20-25 high impact/high risk questions
• Technical review of vulnerability scans, log management, asset list and other available automated systems
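Both technical shortcomings named above, scans that missed assets and assets whose logs stopped reporting, are coverage problems, and coverage is something an asset list can be reconciled against mechanically. The following is an added example, not code from the webinar or from ControlCase's platform, of that reconciliation: given an inventory, a list of scan records and the last check-in time of each log source, it reports in-scope hosts with no scan inside the quarter, in-scope hosts whose logs have gone quiet, and hosts that were scanned but are missing from the inventory (an inventory gap that would otherwise surface as an audit finding). The inventory, scan dates and check-in times are constructed, and the 90-day scan window and 24-hour log window are assumptions chosen for the example.

```python
"""
Added example, not code from the webinar or from ControlCase's platform:
reconcile an asset inventory against vulnerability-scan records and
log-source check-ins, so that the two technical shortcomings named on the
slide (quarterly scans that missed assets, and assets whose logs are not
reporting) surface during the quarter rather than at the final audit.
The inventory, scan dates and log check-ins are constructed; the 90-day scan
window and 24-hour log window are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SCAN_WINDOW = timedelta(days=90)   # "quarterly" scan, assumed window
LOG_WINDOW = timedelta(hours=24)   # a log source is "silent" after this, assumed


@dataclass(frozen=True)
class Asset:
    host: str
    in_scope: bool   # True when the asset is part of the cardholder data environment


@dataclass(frozen=True)
class CoverageReport:
    unscanned: list          # in-scope hosts with no scan inside SCAN_WINDOW
    silent_logs: list        # in-scope hosts with no log check-in inside LOG_WINDOW
    unknown_scanned: list    # scanned hosts that are missing from the inventory


def coverage_report(assets, scans, log_last_seen, now):
    """Compare inventory, scan records and log check-ins as of `now`."""
    inventory = {a.host for a in assets}
    in_scope = {a.host for a in assets if a.in_scope}

    # Keep only the newest scan per host; older scans say nothing about today.
    latest_scan = {}
    for host, when in scans:
        if host not in latest_scan or when > latest_scan[host]:
            latest_scan[host] = when

    unscanned = sorted(
        h for h in in_scope
        if h not in latest_scan or now - latest_scan[h] > SCAN_WINDOW)
    silent = sorted(
        h for h in in_scope
        if h not in log_last_seen or now - log_last_seen[h] > LOG_WINDOW)
    unknown = sorted(set(latest_scan) - inventory)
    return CoverageReport(unscanned, silent, unknown)


# Constructed sample data
NOW = datetime(2020, 11, 30, 9, 0)
SAMPLE_ASSETS = [
    Asset("pos-db-01", True),
    Asset("pos-web-01", True),
    Asset("pos-web-02", True),
    Asset("hr-wiki", False),
]
SAMPLE_SCANS = [
    ("pos-db-01", datetime(2020, 8, 1)),      # 121 days old: outside the window
    ("pos-web-01", datetime(2020, 8, 20)),
    ("pos-web-01", datetime(2020, 11, 2)),    # newest scan wins
    ("hr-wiki", datetime(2020, 11, 1)),
    ("pos-web-03", datetime(2020, 11, 2)),    # scanned but not in the inventory
]
SAMPLE_LOG_LAST_SEEN = {
    "pos-db-01": datetime(2020, 11, 30, 8, 30),
    "pos-web-01": datetime(2020, 11, 27, 9, 0),   # three days quiet
    "pos-web-02": datetime(2020, 11, 30, 8, 55),
}


def run_sample() -> CoverageReport:
    return coverage_report(SAMPLE_ASSETS, SAMPLE_SCANS, SAMPLE_LOG_LAST_SEEN, NOW)


if __name__ == "__main__":
    r = run_sample()
    print("scan gaps:", r.unscanned)
    print("log gaps:", r.silent_logs)
    print("inventory gaps:", r.unknown_scanned)
```

The inventory-gap list is the one most teams forget: a host the scanner knows about but the asset list does not is a scoping question, not a scanning one, and it is exactly the kind of item that turns into a last-minute finding when the assessor compares the two sources.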
8 WHY CONTROLCASE
Solution – Certification and Continuous Compliance Services
“I’ve worked on both sides of auditing. I have not seen any other firm deliver the same product and service with the same value. No other firm provides that continuous improvement and the level of detail and responsiveness.”
— Security and Compliance Manager, Data Center
Areas of Focus for Continuous Compliance Management
CONTROLCASE SOLUTION
CONTINUOUS: An effective compliance program for cyber security must provide a stream of continuous, accurate information about posture.
INTEGRATED: The best compliance programs are integrated into the systems being measured, versus built as after-the-fact overlays.
AUTOMATED: Continuous compliance requires an automated platform that collects and processes data in as close to real time as can be achieved.
Summary – Why ControlCase
“They provide excellent service, expertise and technology. And the visibility into my compliance throughout the year and during the audit process provides a lot of value to us.”
— Dir. of Compliance, SaaS company
THANK YOU FOR THE OPPORTUNITY TO CONTRIBUTE TO YOUR IT COMPLIANCE PROGRAM.
www.controlcase.com
(US) +1 703.483.6383 (INDIA) +91.22.62210800
contact@controlcase.com
DOWNLOAD PCI DSS COMPLIANCE CHECKLIST
PCI DSS COMPLIANCE CHECKLIST BLOG
6 PRINCIPLES OF PCI DSS COMPLIANCE BLOG

Editor's Notes

  • #5 Organizations of all sizes rely on ControlCase’s certification and continuous compliance services to dramatically cut the time, cost and burden out of IT compliance. Unlike traditional consulting firms, we bring a partnership approach versus an auditor mentality to every engagement. We go beyond the checklist and provide the expertise, guidance and automation needed to more efficiently and cost effectively demonstrate and maintain compliance. Whether you're looking to satisfy regulatory requirements, meet customer demand or establish confidence with prospective customers, with ControlCase as your compliance partner, your workforce will be free to focus on their strategic priorities, and you’ll eliminate the hassle and reduce the stress associated with certification and continuous compliance.