PCI DSS Implementation: A 5 Step Guide
www.alienvault.com
If you haven't guessed it by now, achieving and maintaining Payment Card Industry Data
Security Standard (PCI DSS) compliance can be both hard and expensive. For most small
to medium sized organizations, it doesn't have to be, as long as you have the right plan and
tools in place. In this paper you'll learn five steps that you can take to implement and
maintain PCI DSS compliance at your organization.
The steps described in this paper are meant for readers already aware of each
requirement within the PCI DSS. If you are not, you can head over to the PCI Standards
Council website for a breakdown of all the requirements and then return to this paper for
implementation and maintenance best practices. Additionally, the steps described here
will be geared towards small to medium organizations that are required to comply with all
components of the PCI DSS and not just portions of it.
This resource was created in conjunction with Terra Verde Services.
PCI DSS Compliance Checklist
The recipe for implementing and maintaining PCI DSS
compliance includes the following five steps:
•	 Determine Your True Business Requirements
•	 Inventory Locations and Assets
•	 Segment the Environment
•	 Operationalize Controls
•	 Automate Controls and Control Reporting
STEP 1: Determine Your True Business Requirements
Most organizations don't directly process credit cards. Instead they offload
some of the risk to a third party. In this scenario you still need to ensure that the third
party is PCI compliant, but why incur the cost of PCI implementation and maintenance
of all the controls if you don't need to?
There are many reasons why cardholder data is needed in organizations, and most of the time it
revolves around customer convenience or user experience. Although these are valid
reasons, organizations should still do a thorough cost/benefit analysis of both the short-
term cost of implementing PCI controls and the long-term cost of maintaining them, to gain a better
understanding of the true impact of going down this path.
It's important to keep in mind that PCI DSS compliance is not a one-time event, but an
ongoing process and, ultimately, a change to the way you do business. For instance,
there will be long-term impacts including investments in training, personnel, and
technology. Notice that technology is last here. Implementing PCI DSS is more about
process than technology. You can certainly use technology to automate controls and
processes, but most impacts occur in the area of internal resourcing.
STEP 2: Inventory Locations and Assets
If you have determined that you truly have a business need to process credit card data,
step 2 on your checklist should be to inventory all credit card locations and assets.
This seems simple enough, but it's often where many organizations struggle. Computers
and computer networks are complex, and so are the politics in many organizations.
Unless there are strong governance practices in place, it can be easy to lose track of assets
in a world of agile methodologies and the constant push for new product features.
For successful PCI implementation, you should be prepared to answer these fundamental
questions about the PCI processing environment:
•	 What business processes use credit card data?
•	 Where is the cardholder data (CHD) stored?
•	 How is the cardholder data (CHD) accessed?
•	 What are the ports and protocols used when transmitting cardholder data (CHD)?
•	 What technology assets are involved in the data flow?
•	 Am I sure?
STEP 2: Inventory Locations and Assets (Continued)
That last question is an interesting one.
When performing gap assessments, more often than not, you
will find cardholder data flows that the customer was unaware
of. Implementing PCI DSS is not just your best effort. If you
have a breach, you may be on the hook for all those fraudulent
transactions, as well as fines.
Make sure you validate your asset inventory by sampling the
systems, networks, and data stores to determine if there is
cardholder data outside your defined cardholder data flows and
environments. Remember this is a process. You should expect
to update inventories of flows and systems on an ongoing basis
depending on business and technology changes.
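One way to do the sampling the previous paragraph calls for is a small cardholder data discovery scan that looks for Luhn-valid card numbers in the systems and data stores you sampled and compares the hits against the locations your inventory documents. This is an added example written for this guide, not AlienVault or Terra Verde code; the store names, the in-scope list and the file contents are constructed, and the card numbers are the well-known test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. The Luhn check below filters
# most non-card numbers (order ids, timestamps, phone numbers) out.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits so the report itself holds no CHD."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid candidate PANs (digits only) found in a blob of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_stores(stores: dict[str, str], in_scope: set[str]) -> dict[str, dict]:
    """Scan each sampled data store and report where CHD turns up, with its scope status.

    stores:   {location: content} sampled from systems, networks and data stores
    in_scope: locations documented in the cardholder data flow inventory
    """
    report = {}
    for location, content in stores.items():
        pans = find_pans(content)
        if pans:
            report[location] = {
                "count": len(pans),
                "samples": [mask_pan(p) for p in pans],
                "in_scope": location in in_scope,
            }
    return report


def out_of_scope_findings(report: dict[str, dict]) -> list[str]:
    """Locations holding CHD that the inventory does not list: scope gaps to fix."""
    return sorted(loc for loc, r in report.items() if not r["in_scope"])


# Constructed sample data stores; the PANs are the well-known test numbers.
SAMPLE_STORES = {
    "pos-db/orders.csv": "order_id,amount,pan\n1234567890123456,19.99,4111111111111111\n",
    "crm/support-tickets.log": '2024-03-02 12:01 agent=jdoe note="customer read card 5500-0000-0000-0004 over the phone"\n',
    "hr/payroll.txt": "employee 100234 phone 415-555-0123 badge 7782\n",
    "backup/old-exports.txt": "ARCHIVED 2019: 4111 1111 1111 1111 ; 1234567890123456\n",
}
# Only the POS database is in the documented cardholder data flow (constructed).
IN_SCOPE = {"pos-db/orders.csv"}


def run_sample() -> dict[str, dict]:
    return scan_stores(SAMPLE_STORES, IN_SCOPE)


if __name__ == "__main__":
    rep = run_sample()
    for loc, r in rep.items():
        print(f"{loc}: {r['count']} PAN(s) {r['samples']} in_scope={r['in_scope']}")
    print("scope gaps:", out_of_scope_findings(rep))
```

On the sample, the CRM ticket log and the forgotten backup export both hold CHD outside the documented flow, which is exactly the kind of finding a gap assessment turns up.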
STEP 3: Segment the Environment
Now that you have located everything, it's time to segment the technologies and,
in some cases, the business processes that store, process, or transmit cardholder data.
Even though PCI DSS does not require segmentation, it is a critical step in reducing
short- and long-term costs.
Many organizations fail when they attempt to segment their environment for
PCI DSS compliance. This occurs when they attempt to implement PCI DSS controls across the
entire organization, not realizing the impacts to other business units that don't handle cardholder
data. Also, organizations might believe they have correctly segmented the PCI environment,
only to find systems outside the segmented environment that process or
store cardholder data.
To ensure that this doesn't happen at your organization, make sure that you segment
your processing environment and implement the inventory processes described above to validate
whether cardholder data is flowing into environments that it shouldn't. Lastly, implement
strong governance (e.g. change management) practices to ensure systems are located in the
correct network zones prior to being moved into production.
STEP 4: Operationalize Controls
Once controls are in a PCI DSS compliant state, the checklist changes to
maintaining that compliant state. A plan should be put into place to address how
PCI DSS controls will be affected when employee turnover, employee promotion
and changing priorities occur. In fact, the PCI Standards Council made changes in
PCI DSS v3.0 that enforce the concept of operationalizing security controls within
business-as-usual activities by requiring much more rigor around operational
security procedures.
This is, again, a common theme that many QSAs see when assessing
organizations both big and small. The intent to be PCI compliant is there,
but the willingness or ability to keep up with ongoing processes wanes
without proper organizational governance and support. This may be one
of the most challenging steps that your organization will face, as it may
involve significant organizational change.
STEP 4: Operationalize Controls (Continued)
After implementing PCI DSS, here are some questions that may help you determine whether your control
framework is operationalized for long-term success.
•	 Is there support and awareness from your senior leadership team or board?
•	 Is leadership fully aware of the contractual responsibility for securing cardholder data?
•	 Are control owners assigned to each PCI control, and do control owners understand
their role in ensuring that the controls operate effectively?
•	 Do written procedures exist for managing all control processes outlined within PCI DSS?
•	 Do automated tools exist to help you operationalize ongoing security procedures
(e.g. SIEM, vulnerability management, file integrity monitoring)?
•	 Do automated tools exist to monitor the effectiveness of control activities?
STEP 5: Automate Controls and Control Monitoring
The final step is actually a continuation of the concept of operationalizing controls.
In order to ensure PCI compliance in the long term, you must automate control activities.
The primary reason for this is that no matter how hard we try, we humans are fallible.
By removing the human element we can ensure proper control execution as well as reduce
the overall cost related to performing the controls.
Here is a list of processes that can be quickly automated,
given the right set of tools and/or capabilities.
•	 Asset Discovery and Management
•	 Logging and Security Event Monitoring
•	 File Integrity Monitoring
•	 Incident Response Tracking
•	 Vulnerability Identification & Management
•	 Default Password Checks
•	 Firewall Rule Reviews
•	 Wireless Rogue Access Point Detection
•	 Access Provisioning & De-provisioning
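Firewall rule review is one item on that list that automates well, and it doubles as a check on the segmentation from Step 3: every allow rule that crosses the cardholder data environment boundary should match a flow the Step 2 inventory documents, and nothing crossing that boundary should use "any". The following added example (not AlienVault or Terra Verde code) reviews a firewall ruleset against a documented flow list; the zone names, the flow list and the rules are all constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src_zone: str   # network zone name, or "any"
    dst_zone: str
    proto: str      # "tcp", "udp" or "any"
    port: str       # destination port, or "any"
    action: str     # "allow" or "deny"


# Name of the cardholder data environment zone (constructed).
CDE_ZONE = "cde"

# The only flows the Step 2 inventory documents as crossing the CDE boundary:
# (src_zone, dst_zone, proto, port). Constructed for this example.
DOCUMENTED_FLOWS = {
    ("dmz", "cde", "tcp", "8443"),       # web tier -> payment API
    ("mgmt", "cde", "tcp", "22"),        # admin jump host -> CDE hosts
    ("cde", "mgmt", "udp", "514"),       # CDE hosts -> SIEM (syslog)
    ("cde", "internet", "tcp", "443"),   # payment API -> acquirer over TLS
}


def review_rules(rules, flows=DOCUMENTED_FLOWS, cde=CDE_ZONE) -> dict:
    """Flag allow rules that open the CDE boundary beyond the documented flows.

    Returns {"findings": [(rule_id, reason), ...],
             "unmatched_flows": [documented flows with no allow rule]}.
    The unmatched list catches stale inventory entries or rules that were
    removed by mistake; both need a human to reconcile.
    """
    findings = []
    matched = set()
    for r in rules:
        if r.action != "allow":
            continue                      # deny rules do not widen the boundary
        if "any" in (r.src_zone, r.dst_zone):
            findings.append((r.rule_id, "wildcard zone: rule can carry traffic into or out of the CDE"))
            continue
        if cde not in (r.src_zone, r.dst_zone):
            continue                      # does not touch the CDE; outside this review
        key = (r.src_zone, r.dst_zone, r.proto, r.port)
        if key in flows:
            matched.add(key)
        elif "any" in (r.proto, r.port):
            findings.append((r.rule_id, f"wildcard service on CDE boundary: {r.src_zone}->{r.dst_zone} {r.proto}/{r.port}"))
        else:
            findings.append((r.rule_id, f"undocumented CDE flow: {r.src_zone}->{r.dst_zone} {r.proto}/{r.port}"))
    return {"findings": findings, "unmatched_flows": sorted(flows - matched)}


# Constructed ruleset as exported from the CDE boundary firewall.
SAMPLE_RULES = [
    Rule("R1", "dmz", "cde", "tcp", "8443", "allow"),
    Rule("R2", "corp", "cde", "tcp", "any", "allow"),      # helpdesk "temporary" access
    Rule("R3", "cde", "internet", "tcp", "443", "allow"),
    Rule("R4", "cde", "internet", "any", "any", "allow"),  # leftover from troubleshooting
    Rule("R5", "any", "any", "any", "any", "allow"),       # catch-all at the bottom
    Rule("R6", "corp", "dmz", "tcp", "443", "allow"),
    Rule("R7", "mgmt", "cde", "tcp", "22", "deny"),        # jump-host flow blocked by mistake
    Rule("R8", "cde", "mgmt", "udp", "514", "allow"),
]


def review_sample() -> dict:
    return review_rules(SAMPLE_RULES)


if __name__ == "__main__":
    result = review_sample()
    for rule_id, reason in result["findings"]:
        print(f"{rule_id}: {reason}")
    for flow in result["unmatched_flows"]:
        print("documented flow with no allow rule:", flow)
```

Run on a schedule against a fresh export of the ruleset, the review becomes the monitoring control the step describes rather than a periodic manual exercise.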
Must-have Security Technologies for PCI DSS Compliance, All in a Single Pane of Glass
AlienVault Unified Security Management (USM)
Asset Discovery and Management - An essential component of achieving PCI compliance is
knowing what devices are in scope, and their patch level. With AlienVault USM, you can automate
the discovery and monitoring of the devices as well as the software deployed on them.
Logging and Security Event Monitoring - The AlienVault USM platform aggregates, correlates,
and analyzes your security events. Over 2000 correlation rules eliminate the need
for manual correlation and analysis of events.
Incident Response Tracking - With USM, you can automatically identify and investigate
security incidents with built-in threat intelligence, as well as manage the response.
File Integrity Monitoring - File Integrity Monitoring (FIM) tracks who has accessed sensitive
data as well as what they did to that data. This provides a necessary audit trail and allows
you to validate that the changes were authorized, expected, and did not jeopardize the integrity
and security of the data.
Default Password Checks - Built-in, automated vulnerability assessment identifies the use of weak
and default passwords, and host IDS and FIM alert on the use of default passwords.
Demonstrating compliance with PCI DSS is far from a trivial exercise. Hopefully this checklist
will help you on your quest to achieve and maintain PCI DSS compliance. Good luck!
Additional Resources
To learn more about implementing and maintaining PCI DSS compliance,
check out the following additional resources:
•	 Solution Page: How AlienVault technology can help you with PCI DSS compliance
•	 Webinar: PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
•	 Solution Page: PCI DSS Log Management & Monitoring
•	 Solution Brief: Unify your Defenses and Accelerate PCI Compliance
•	 Video: The Easier, Faster Path to PCI Compliance
Learn More about AlienVault
At AlienVault, we’ve experienced firsthand just how frustrating and challenging
security can be – the struggles with failing SIEM implementations; having to settle
for inadequate security due to budget constraints; shelving hundreds of thousands
of dollars of security software because it is just too hard to use; and, of course,
the aftermath of security breaches that could have been prevented.
We founded AlienVault to help organizations of all shapes and sizes achieve
world-class security without the headaches and huge expense of other solutions.
And we are passionate about our mission.
Learn More about Terra Verde
Terra Verde has provided services to clients around the world. Large government
agencies, Fortune 500 companies as well as small single-practitioner offices, have
seen the value of our services and solutions. These services include assessing,
designing and implementing technology solutions that are both secure and
value-driven. As the largest Arizona headquartered security provider, we are your local
one-stop-shop for all your security and compliance needs.
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Product School
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 

Recently uploaded (20)

Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 

PCI DSS Implementation: A Five Step Guide

  • 4. STEP 1: Determine Your True Business Requirements
  Most organizations don’t directly process credit cards. Instead, they offload some of the risk to a third party. In this scenario you still need to ensure that the third party is PCI compliant, but why incur the cost of PCI implementation and maintenance of all the controls if you don’t need to? There are many reasons why this data is needed in organizations, and most of the time it revolves around customer convenience or user experience. Although these are valid reasons, organizations should still do a thorough cost/benefit analysis of both short-term PCI control implementation and long-term control maintenance to gain a better understanding of the true impact of going down this path. It’s important to keep in mind that PCI DSS compliance is not a one-time event but an ongoing process and, ultimately, a change to the way you do business. For instance, there will be long-term impacts including investments in training, personnel, and technology. Notice that technology is last here. Implementing PCI DSS is more about process than technology. You can certainly use technology to automate controls and processes, but most impacts occur in the area of internal resourcing.
  • 5. STEP 2: Inventory Locations and Assets
  If you have determined that you truly have a business need to process credit card data, step 2 on your checklist should be to inventory all credit card locations and assets. This seems simple enough, but it’s often where many organizations struggle. Computers and computer networks are complex, and so are the politics in many organizations. Unless strong governance practices are in place, it is easy to lose track of assets in a world of agile methodologies and the constant push for new product features. For successful PCI implementation, you should be prepared to answer these fundamental questions about the PCI processing environment:
  • What business processes use credit card data?
  • Where is the cardholder data (CHD) stored?
  • How is the CHD accessed?
  • What ports and protocols are used when transmitting CHD?
  • What technology assets are involved in the data flow?
  • Am I sure?
  • 6. STEP 2: Inventory Locations and Assets (continued)
  That last question from the previous slide is an interesting one. When performing gap assessments, more often than not you will find cardholder data flows that the customer was unaware of. Implementing PCI DSS is not just a best effort: if you have a breach, you may be on the hook for all of the fraudulent transactions, as well as fines. Make sure you validate your asset inventory by sampling the systems, networks, and data stores to determine whether there is cardholder data outside your defined cardholder data flows and environments. Remember, this is a process. You should expect to update inventories of flows and systems on an ongoing basis as business and technology change.
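The "Am I sure?" check above is something you can partly automate. The following is an added example, not code from the AlienVault or Terra Verde deck: it samples text exported from several data stores, keeps only digit runs that pass the Luhn check (so order numbers and other 16-digit identifiers are not reported as cardholder data), masks what it finds, and flags any store that holds PANs but is not in the documented CDE inventory. The store names and records are constructed for the example, and the card numbers are public test numbers.

```python
"""Cardholder-data discovery sampler for the Step 2 inventory check.
Added example, not part of the original deck; all sample data is constructed."""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits for reporting."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Masked PANs in the text that look like card numbers and pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


@dataclass(frozen=True)
class Finding:
    store: str
    masked_pan: str
    in_documented_cde: bool


def scan_stores(samples: dict[str, str], documented_cde: set[str]) -> list[Finding]:
    """Scan sampled records per store and mark each hit against the inventory."""
    findings = []
    for store, text in samples.items():
        for masked in find_pans(text):
            findings.append(Finding(store, masked, store in documented_cde))
    return findings


def undocumented_stores(findings: list[Finding]) -> list[str]:
    """Stores holding CHD that the inventory does not list as part of the CDE."""
    return sorted({f.store for f in findings if not f.in_documented_cde})


# Constructed sample exports; only payments-db is in the documented CDE.
SAMPLES = {
    "payments-db": "cust=1001 pan=4111 1111 1111 1111 exp=12/27",
    "support-ticket-export": "caller disputed a charge on card 5500-0000-0000-0004",
    "order-log": "order=1234567890123456 status=shipped",  # fails Luhn: not CHD
    "crm-notes": "ref 4111111111111112 checksum fails, not a PAN",
}
DOCUMENTED_CDE = {"payments-db"}

if __name__ == "__main__":
    results = scan_stores(SAMPLES, DOCUMENTED_CDE)
    for f in results:
        status = "in CDE" if f.in_documented_cde else "OUTSIDE documented CDE"
        print(f"{f.store}: {f.masked_pan} ({status})")
    print("stores to add to the inventory or remediate:", undocumented_stores(results))
```

In a real run the sampled text would come from database exports, file shares, ticketing systems and log archives; every store the scan flags is either an inventory gap to document and bring under control or a data flow to remediate.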
  • 7. STEP 3: Segment the Environment
  Now that you have located everything, it’s time to segment the technologies and, in some cases, the business processes that store, process, or transmit cardholder data. Even though PCI DSS does not require segmentation, it is a critical step in reducing short- and long-term costs. Many organizations fail when they attempt to segment their environment for PCI DSS compliance. This occurs when they attempt to implement PCI DSS controls across the entire organization, not realizing the impact on other business units that don’t handle cardholder data. Also, organizations might believe they have correctly segmented the PCI environment, only to find systems outside the segmented environment that process or store cardholder data. To ensure that this doesn’t happen at your organization, segment your processing environment and implement the inventory processes described above to validate whether cardholder data is flowing into environments where it shouldn’t be. Lastly, implement strong governance practices (e.g. change management) to ensure systems are placed in the correct network zones before being moved into production.
  • 8. STEP 4: Operationalize Controls
  Once controls are in a PCI DSS compliant state, the checklist changes to maintaining that compliant state. A plan should be put in place to address how PCI DSS controls will be affected when employee turnover, employee promotion, and changing priorities occur. In fact, the PCI Standards Council made changes in PCI DSS v3.0 that enforce the concept of operationalizing security controls within business-as-usual activities by requiring much more rigor around operational security procedures. This is, again, a common theme that many QSAs see when assessing organizations both big and small: the intent to be PCI compliant is there, but the willingness or ability to keep up with ongoing processes wanes without proper organizational governance and support. This may be one of the most challenging steps your organization will face, as it may involve significant organizational change.
  • 9. STEP 4: Operationalize Controls (continued)
  After implementing PCI DSS, here are some questions that may help you determine whether your control framework is operationalized for long-term success.
  • Is there support and awareness from your senior leadership team or board?
  • Is leadership fully aware of the contractual responsibility for securing cardholder data?
  • Are control owners assigned to each PCI control, and do they understand their role in ensuring that the controls operate effectively?
  • Do written procedures exist for managing all control processes outlined within PCI DSS?
  • Do automated tools exist to help you operationalize ongoing security procedures (e.g. SIEM, vulnerability management, file integrity monitoring)?
  • Do automated tools exist to monitor the effectiveness of control activities?
  • 10. STEP 5: Automate Controls and Control Monitoring
  The final step is actually a continuation of the concept of operationalizing controls. To ensure PCI compliance in the long term, you must automate control activities. The primary reason is that, no matter how hard we try, we humans are fallible. By removing the human element we can ensure proper control execution and reduce the overall cost of performing the controls. Here is a list of processes that can be quickly automated, given the right set of tools and/or capabilities.
  • Asset Discovery and Management
  • Logging and Security Event Monitoring
  • File Integrity Monitoring
  • Incident Response Tracking
  • Vulnerability Identification & Management
  • Default Password Checks
  • Firewall Rule Reviews
  • Wireless Rogue Access Point Detection
  • Access Provisioning & De-provisioning
  • 11. AlienVault Unified Security Management (USM)
  Asset Discovery and Management - An essential component of achieving PCI compliance is knowing which devices are in scope and their patch level. With AlienVault USM, you can automate the discovery and monitoring of those devices as well as the software deployed on them.
  Logging and Security Event Monitoring - The AlienVault USM platform aggregates, correlates, and analyzes your security events. Over 2000 correlation rules eliminate the need for manual correlation and analysis of events.
  Incident Response Tracking - With USM, you can automatically identify and investigate security incidents with built-in threat intelligence, as well as manage the response.
  File Integrity Monitoring - File Integrity Monitoring (FIM) tracks who has accessed sensitive data and what they did to it. This provides a necessary audit trail and allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the data.
  Default Password Checks - Built-in, automated vulnerability assessment identifies the use of weak and default passwords, and host IDS and FIM alert on the use of default passwords.
  • 12. Must-have security technologies for PCI DSS compliance, all in a single pane of glass.
  • 13. Additional Resources
  Demonstrating compliance with PCI DSS is far from a trivial exercise. Hopefully this checklist will help you on your quest to achieve and maintain PCI DSS compliance. Good luck! To learn more about implementing and maintaining PCI DSS compliance, check out the following additional resources:
  • Solution Page: How AlienVault technology can help you with PCI DSS compliance
  • Webinar: PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
  • Solution Page: PCI DSS Log Management & Monitoring
  • Solution Brief: Unify your Defenses and Accelerate PCI Compliance
  • Video: The Easier, Faster Path to PCI Compliance
  • 14. Learn More about AlienVault
  At AlienVault, we’ve experienced firsthand just how frustrating and challenging security can be: the struggles with failing SIEM implementations; having to settle for inadequate security due to budget constraints; shelving hundreds of thousands of dollars of security software because it is just too hard to use; and, of course, the aftermath of security breaches that could have been prevented. We founded AlienVault to help organizations of all shapes and sizes achieve world-class security without the headaches and huge expense of other solutions. And we are passionate about our mission. Learn more about AlienVault
  • 15. Learn More about Terra Verde
  Terra Verde has provided services to clients around the world. Large government agencies and Fortune 500 companies, as well as small single-practitioner offices, have seen the value of our services and solutions. These services include assessing, designing, and implementing technology solutions that are both secure and value-driven. As the largest Arizona-headquartered security provider, we are your local one-stop shop for all your security and compliance needs. Learn More About Terra Verde