Tsurikov and Vladislav Horohorin carried out major payment card theft and fraud schemes. Tsurikov conducted an SQL injection attack on an RBS payment network, withdrawing $9 million from 2100 ATMs in 280 countries over one weekend. Horohorin operated carding websites and was arrested in France for trafficking in stolen credit card data. FortConsult is a leading PCI compliance consulting firm in Europe, providing penetration testing and assessments for financial companies. They have extensive experience in helping clients achieve and maintain PCI compliance.
ControlCase discusses the following in the context of PCI DSS and PA DSS:
– Network Segmentation
– Card Data Discovery
– Vulnerability Scanning and Penetration Testing
– Card Data Storage in Memory
PCI DSS mandates organizations to make compliance a business as usual activity instead of an annual audit. ControlCase covers the following in this presentation:
- PCI DSS requirements that can be made business as usual
- PCI DSS processes that can be made business as usual
- Techniques and methodologies
- Evidence to be provided to QSA for compliance
- Key success factors
- Challenges
This talk was presented in NULL Delhi chapter meet in 2014, as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS
• Overview of changes and clarification
• Additional requirements for service providers
• Additional requirements for change control processes
• Multifactor authentication
• Penetration testing changes
• SSL/TLS changes and implications
• Timing of changes
In this 45 minute webinar ControlCase will discuss the following in the context of PCI DSS and PA DSS
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
- Q&A
ECMTA 2009 PCI Compliance and the Ecommerce Merchant (Melanie Beam)
Since the deadline for level 4 merchants to be in compliance is July 2010, I thought I'd share this presentation I did in July of 2009 at the Ecommerce Summit.
PCI stands for "Payment Card Industry", which is comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data.
To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives but this is the main one that applies to the majority of businesses.
The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit card holder data. The requirement for PCI DSS compliance is stated in your agreement with the bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SSC and can issue fines for non-compliance.
ControlCase discusses the following in the context of PCI DSS and PA DSS:
Network Segmentation
Card Data Discovery
Vulnerability Scanning and Penetration Testing
Card Data Storage in Memory
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in D... (Stephanie Gutowski)
Data Security, Fraud Prevention and PCI for Nonprofit Payment Processors in Drupal -
Stephen Bestbier (iATS), Aaron Crosman (Message Agency), Erik Mathy (Pantheon)
PCI Descoping: How to Reduce Controls and Streamline Compliance (TokenEx)
Descoping a data environment by decreasing the amount of PCI traversing it is one of the simplest and most effective ways of complying with the PCI DSS. By outsourcing the handling of sensitive payment information to security experts, organizations can reduce compliance and operational costs while minimizing the risk and liability associated with a potential data breach. Tokenization is especially effective at this due to its ability to remove sensitive data from an environment and store it in a secure, cloud-based token vault.
In this deck you will learn:
PCI controls for organizations that handle card information
Which controls can be removed from scope
How cloud-based tokenization outsources PCI compliance to a tokenization provider
Additional strategies and best practices for achieving PCI compliance
Data breaches and card-based transaction fraud are rampant in the e-commerce industry, and it is of critical importance that businesses improve their card data security and compliance protocols. As more organizations adopt online payment methods, they need to ensure that customers can implicitly trust their payment network and technology infrastructure.
The definitive standard for compliance in the payment card industry, the Payment Card Industry Data Security Standard (PCI DSS), is set by the Payment Card Industry Security Standards Council (PCI SSC). It lays down the standard for all organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. The implementation of the PCI standard has been mandated by the central banks of many countries, and is applicable to all relevant organizations like payment gateways, banks, third party processors, IT companies and BPOs.
Visit - https://www.controlcase.com/certifications/
ControlCase discusses the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
This presentation highlights the elements of PCI, the anatomy of a payment flow and the role of SonicWALL in the PCI ecosystem. This PowerPoint is suitable for external audiences, such as partners.
Point-to-Point Encryption: Best Practices and PCI Compliance Update (Merchant Link)
Point-to-point encryption (P2PE) is gaining momentum as one of the most effective ways to secure payment data as it moves through and from the merchant environment. Recently, the technology got the official nod from the PCI Council with the release of their final requirements to safely deploy P2PE solutions.
In this webinar, recorded on 9-26-12, attendees were able to:
* Find out what was discussed at the PCI Community Meeting and where the Council is headed as it relates to P2PE and PCI compliance
* Learn best practices for P2PE implementation and encryption key management
* Identify different types of P2PE solutions and evaluate which one is right for you
* Understand how the upcoming move to EMV will impact and integrate with P2PE
Organizations are increasingly looking to their Internal Auditors to provide independent assurance about cyber risks and the organization's ability to defend against cyber attacks. With information technology becoming an inherent critical success factor for every business and the emerging cyber threat landscape, every internal auditor needs to equip themselves on IT audit essentials and cyber issues.
In part 14 of our Cyber Security Series you will learn about the current cyber risks and attack methods from Richard Cascarino, including:
Where are we now and Where are we going?
Current Cyberrisks
• Data Breach and Cloud Misconfigurations
• Insecure Application User Interface (API)
• The growing impact of AI and ML
• Malware Attack
• Single factor passwords
• Insider Threat
• Shadow IT Systems
• Crime, espionage and sabotage by rogue nation-states
• IoT
• CCPA and GDPR
• Cyber attacks on utilities and public infrastructure
• Shift in attack vectors
"Client authentication in e-commerce solutions" by Jānis Kūliņš from Tieto La... (DevClub_lv)
In his presentation, Jānis will describe the current situation and the technologies used in online payments, and client authentication in particular. He will not dig too deep into technical details, but will explain the basic principles of the existing version of the 3D Secure protocol and of how payment systems work in general.
The other part of the presentation will be dedicated to upcoming changes in the online payment industry. The new 3D Secure protocol version, industry regulations and card scheme regulations will significantly change the way cardholders interact with the payment system and online merchants. This creates a lot of uncertainty and problems, but also a lot of new business opportunities and approaches for system development.
Jānis is a Senior Solution Consultant at Tieto Latvia with almost 10 years' experience in the card business and e-commerce solutions. He specializes in 3D Secure solutions, which are used for client authentication during internet purchases. He also supports banks and processing centres during new e-commerce solution implementations and in day-to-day tasks.
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024 (Tobias Schneck)
As AI technology pushes into IT, I was wondering, as an "infrastructure container kubernetes guy", how this fancy AI technology gets managed from an infrastructure operational view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and make it work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies that could be beneficial for or limiting your AI use cases in an enterprise environment. An interactive demo will give you some insights into the approaches I already have working for real.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf (91mobiles)
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
PCI Solna EDB 101020 FortConsult
1. Tsurikov and Vladislav Horohorin
Tsurikov
SQL injection/pin cracking attack on RBS payment card network
14,000 withdrawals from 2100 ATMs in 280 countries over one
weekend
$9 million in losses
Horohorin
International carder/casher
CarderPlanet, BadB.biz
Automated online ordering system for stolen credit card info
Arrested by French police on US warrant 2 months ago
2. FortConsult - short
Core competence is penetration tests for financial companies (extensive creative hacking)
Probably the largest pentest team in Europe (strong focus)
3rd largest PCI assessor (QSA) in Europe
32 people employed in Copenhagen
We are PCI / pentest consultants only – we do not finance the PCI projects by selling other services
First QSA (2005), PA-QSA (2008) and ASV (2004) in Scandinavia
QSA for banks and bank hosting centres, covering more than 250 banks in 13 countries in Europe
QSA for 3 of the 5 largest Scandinavian banks
AAA rating from Dun & Bradstreet
3. My background
Product manager for PCI since 2006
Heavily involved in communication and updates from the PCI council and the card schemes
Has been involved in 80 PCI projects
Working primarily with PCI for issuing/acquiring banks and their service providers
Chairman of the Danish banks' PCI working group (formed 2 years ago)
Member of the PCI compliance steering group committee for 2 very large banks
Educated as HD in Informatics and Management Accounting from Copenhagen Business School
4. PCI Council and the card brands
The PCI council defines the PCI-DSS, PA-DSS and PTS standards
VISA controls the compliance process from London
MasterCard controls the compliance process from the USA
7. Issuer compliance in EU
General requirements for banks:
Must be PCI compliant now and all the time (MasterCard operation manual, VISA EU member letter & requirements, American Express contract)
Special efforts to remove sensitive authentication data
Register their service providers (2009-2010) (VISA member letter 28/06 & 27/09, MasterCard Section 10.3 of the Security Rules and Procedures)
Monitor the PCI status of their service providers
Acquirers must submit an action plan for compliance to VISA by December 2010 at the latest
VISA member banks' service providers must be compliant by 1 October 2010
8. The card data is a moving target
• PCI had an initial focus on merchants and POS
• Removing card data and implementing EMV passes the problem on along the chain
10. The virtual bank robbery
Diagram: Spreadsheet.XLS containing 50,000 numbers – 1 mio Euro.
11. The overall issues for the banks
For consumers, banks are mostly about
• Lending some money
• Moving money around with the netbank
• Using a credit/debit card on a daily basis
A lot of the processes are tied to the card data
Card data must be in most systems
This leads to things like:
All employees think they need access to card data
Card numbers are the primary key in a lot of databases and requests
Decentralised systems with card data
The fact that the card number is not traditionally seen as confidential data makes these things even worse
12. The Self assessment, examples from Danske Bank
Did an internal Self assessment in 2007, which said:
90% compliant:
• Most remaining issues related to encryption on mainframe
Scope:
Was not defined before the Self assessment (but was probably:)
• Mainframe, part of the network, firewall
13. The new scope, the findings
In general: all systems in all countries
• Most backend systems in the bank stored card data
• All frontend systems had potential access to card data
• A lot of local applications (including spreadsheets) with card data
• Much integration with 3rd parties
• ATMs and the ATM network
• Callcenter
• Servicedesk
And in general some variance from country to country
15. Who is doing what? – an example of the complexity
Application developer
Application updater
Daily maintenance
Hardware vendor
Hardware service
Installation
Who has contracted with whom, and where does the responsibility lie?
18. Scope definition
All systems which:
Transmit
Process
Store
...card data
And all other systems on the same network.
If systems are in scope, all the PCI requirements apply to those systems.
Note: It's not card data if:
The PAN is encrypted and there is no access to the encryption keys
The PAN is truncated – only the first 6 and last 4 digits are shown
The PAN is hashed (one-way encryption)
19. The content of the standard
Diagram of the requirement areas and where the responsibility lies (Banks / EDB):
Secure systems
Secure logging for forensics
Physical security
Procedures and documentation
Technical security
Awareness
20. News from PCI council
New version 2.0 of the PCI-DSS effective from 1 January 2011 (obligatory from 1 January 2012), with a 3-year lifetime.
New clarification documents for:
Bluetooth
Virtualisation
Tokenisation
Scoping
P2P encryption
EMV
21. Security – reduction of risk
This is what it is all about
Keep that in mind when you discuss PCI
22. Bank security
Many parts of the PCI standard are covered by other security standards, like ISO / BS
The largest problems here are that the card data has not been seen as confidential data + the security is designed primarily to protect from outside attacks
Most security is applied to backend systems, not to data leaving the backend system.
23. 3rd party / outsourcing
Does the cleaning company need to be PCI compliant?
24. Outsourcing / 3rd party
The bank must make sure that all outsourcing providers (service providers) are compliant and that all 3rd parties are working towards compliance.
• It's the bank's responsibility to be PCI compliant – if some part of the IT is outsourced, it is still the bank's responsibility.
• This typically requires a close cooperation between the bank & the outsourcing company.
26. 3rd party / outsourcing
Diagram: the bank in the centre, surrounded by its 3rd parties: Cardsystems (EDB), CRM, Processing, IT service, Mass printing, Fraud control, Callcenter
27. 3 types of 3rd parties
3rd parties with no direct or indirect access to card data: PCI compliance not needed
3rd parties with indirect access to card data: PCI compliance needed, part of the bank's control
3rd parties with direct access to card data: PCI compliance needed, 3rd party's own compliance program
28. How to split PCI responsibility
At the end of the day it's the bank's responsibility that all are PCI compliant.
Diagram: bank system (backend system, card data) – data – 3rd party; for the 3rd party: data owner, access management, etc.
Is this a standard service?
29. Branches, scope issues
Diagram: HQ / Backend systems connected to Branch 1, Branch 2, Branch 3 and internal functions
Several requirements for each branch
30. Findings – where are the real problems (and who takes care of them)
Area | Security personnel's point of view | The business side | Likelihood of compromise
Mainframe | Lack of encryption, access control | No interest | Low – it's in the centre, and traditionally protected very well
Network | Segmentation | No interest | Large – since many people can possibly get access to card data
Data | Not their business | All employees have access to card data | Large – all employees have access or can request access. Card data are traditionally not treated as confidential data with need-to-know access only. Data are present in spreadsheets
Workstation | No important data there | Access to card data, local databases | Large – computers are also used to surf the web, and some are used from wireless and at home
31. Main issues for a bank
Project management
• No final plan can be set up before the project begins (scope missing)
• The information needed is spread between many employees
• An efficient interview process must be in place
• Available resources for specialists are limited
• Partners need to be involved
Branches
• PCI becomes a challenge when it is applied to hundreds of branches
• Correct design is essential
Encryption
• Encryption on mainframe has a lot of challenges – should it be done?
Risk management
• How should PCI compliance integrate with security
3rd parties
• Which approach should the bank use towards 3rd parties
32. Forbidden data
It is not permitted to store track data, CVC and PIN after authorization.
• That data is typically present in processing/acquiring systems as well as in issuer systems – and it must be removed.
• There are different exemptions for issuers & acquirers, but the challenge is where the bank is acting as both issuer & acquirer on the systems.
33. Encryption
Encryption is mandatory when storing card data or sending it outside the bank's secure PCI zone.
• Encryption will apply to different systems on different platforms. This means that a single solution is probably not going to work everywhere.
• Encryption will reduce the performance of systems
• Encryption can be difficult on mainframe
34. Internal procedures & awareness
The bank must have procedures that make sure that IT systems are managed in a PCI compliant manner and that all manual processes where card data are handled are secure.
• Most of the IT procedures follow IT security best practice, but
• There are a lot of things in the normal employee's day-to-day work which are affected
• Failure to address these will put the bank at large risk, and spoil the PCI compliance work in all other areas
– Examples:
Handling of paper
Sending card data by e-mail/messenger
Using private PDA, laptop, etc.
Making own Excel sheet with customer info incl. card data
Sending data to the marketing or print department which includes card numbers
35. Example of areas managed by banks
E-mails – card data sent by mail
Data warehouse and other data manipulation systems (also "homebuilt")
Spreadsheets
Papers with card data including mass printout
Wireless scans
Marketing databases
Old data / systems
Control of access to systems
Section 9
Physical access
Surveillance
Network plugs
Visitor badges
Shredding of paper and media like CD, HDD
36. Examples of areas managed by banks
Section 12
Security Policy
Employee awareness
Usage of technologies
Incident response plan
Etc.
12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers
37. Inhouse development 1
Requirement 3: Protect stored cardholder data
3.1 Keep cardholder data storage to a minimum. Develop a data
retention and disposal policy.
3.2 Do not store sensitive authentication data after authorization
(even if encrypted).
3.3 Mask PAN when displayed (the first six and last four digits are
the maximum number of digits to be displayed).
3.4 Render PAN, at minimum, unreadable anywhere it is stored
(including on portable digital media, backup media, in logs)
(+key management)
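Added example (Python, written for this page, not FortConsult's or the PCI council's code): a small card-data discovery and PAN-handling check that applies slide 18's scope rule (full PAN is card data; PAN truncated to first 6 + last 4, or one-way hashed, is not), slide 32's ban on stored track data, slide 35's scan of e-mails and spreadsheets, and requirement 3.3's masking. The regular expressions, the sample export lines and the salt are constructed assumptions.

```python
"""Card-data discovery and PAN-handling checks (added example, not from the deck).

Rules implemented: slide 18 (full PAN = in scope; truncated 6+4 or one-way hashed =
not card data), slide 32 (track data must not be stored after authorization),
slide 35 (scan e-mail / spreadsheet exports) and requirement 3.3 (mask displayed PAN).
"""
import hashlib
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Truncated PAN as allowed by 3.3: first six and last four digits visible, the rest masked
TRUNCATED = re.compile(r"(?<!\d)\d{6}[X*]{3,9}\d{4}(?!\d)")
# Track 2 layout (ISO 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2 = re.compile(r";\d{13,19}=\d{7,}\?")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters phone numbers and other digit runs out of the candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN in text, normalised to digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Display form per requirement 3.3: at most the first six and last four digits visible."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, salt: bytes) -> str:
    """One-way rendering (slide 18's 'hashed' case). The PAN space is small enough to
    brute-force, so the salt has to be protected like an encryption key."""
    return hashlib.sha256(salt + pan.encode("ascii")).hexdigest()


def classify(value: str) -> str:
    """Apply the deck's scope rule to one stored field or one line of exported text."""
    if TRACK2.search(value):
        return "forbidden: track data stored (slide 32)"
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "not card data: one-way hash (if the salt is not accessible)"
    if find_pans(value):
        return "card data: full PAN, in scope"
    if TRUNCATED.search(value):
        return "not card data: truncated PAN (first 6 + last 4)"
    return "no card data found"


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Discovery over an export (e-mail, spreadsheet, log): (line number, verdict) per hit."""
    report = []
    for n, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict != "no card data found":
            report.append((n, verdict))
    return report


# Constructed sample export, as a card-data discovery scan would see it
SAMPLE_LINES = [
    "Customer 1003: card 4111 1111 1111 1111, expires 12/13",
    "Refund ticket 88213: card 5500-0000-0000-0004, amount 120.00",
    "Support phone 1234567890123456 (fails Luhn, not a card)",
    "Statement line: 411111XXXXXX1111",
    ";4111111111111111=1312101123456789?",
]

if __name__ == "__main__":
    for n, verdict in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {verdict}")
    print(mask_pan("4111111111111111"))  # 411111XXXXXX1111
    print(hash_pan("4111111111111111", b"constructed-salt"))
```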
39. Inhouse development 3
Requirement 6: Develop and maintain secure systems and applications
6.2 Establish a process to identify newly discovered security vulnerabilities
6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle. These processes must include the following (patching, input validation, error handling, encryption, role-based access control, development/test environment, separation of duties, no real cards and accounts in the test environment, etc.)
6.4 Follow change control procedures for all changes to system components.
6.5 Develop all web applications (internal and external, and including web administrative access to applications) based on secure coding guidelines such as the Open Web Application Security Project Guide
6.6 Public-facing web applications must be protected by a web application firewall or checked for vulnerabilities yearly and after any change
41. When should you remember PCI
If you install your own server
When you develop your own applications (+ externally)
Your own network
3rd party access to your network
Policies, procedures
42. The way ahead
PCI is a way of working
Examine the gaps
Implement policies
Identify new projects and align them with PCI