PCI Version Three and Thee
2. Why PCI
• In August 2012 an employee of the South Carolina Department of Revenue opened an email, enabling a malware attack.
  – Employee's credentials were lifted.
  – Miscreants used the credentials for remote login.
• 75GB of backups were exfiltrated in September.
• Income tax returns of every SC citizen were exposed, including SSNs, bank account numbers, etc.
• CC numbers were exfiltrated but not exposed.
4. The Acronyms
• Payment Card Industry—the brands
• Data Security Standard has requirements
  – Self Assessment Questionnaires have fewer
• Approved Scanning Vendor—external scans
• Qualified Security Assessor—test and report
  – Internal Security Assessor—home grown
• Report On Compliance—requirements met?
  – Attestation Of Compliance—cross my heart
• Payment Application-DSS—e.g. point of sale
5. Information Supplements
• ATM Security Guidelines
• Mobile Payment Acceptance Security Guidelines for Developers v1.0
• Mobile Payment Acceptance Security Guidelines for Merchants v1.0
• PCI DSS 2.0 Cloud Computing Guidelines
• PCI DSS 2.0 eCommerce Guidelines
• PCI DSS 2.0 Risk Assessment Guidelines
• PCI DSS Applicability in an EMV Environment Guidance v1.0
• PCI DSS Tokenization Guidelines
• PCI DSS v2.0 Wireless Guidelines
• PCI DSS Virtualization Guidelines v2.0
• Protecting Telephone-based Payment Card Data
• Requirement 11.3 Penetration Testing v1.2
• Requirement 6.6 Application Reviews and Web Application Firewalls Clarified v1.2
• Skimming Prevention—Best Practices for Merchants
• Understanding the SAQs for PCI DSS v3.0
6. What's on the card
Cardholder data (CHD) and SAD
• Primary account number—PAN
• Sensitive authentication data—SAD
  – Encoded into the magnetic track
    • Card Verification Code 1—CVV1
  – Encoded into "chip and PIN" cards—PIN
  – Printed on the front or back of the card
    • CVV2
• Expiration date
• Cardholder name
7. Chiseled in STONE
[Slide graphic; legible text: "Sensitive Authentication Data", "Even if encrypted", "Even if it's sound"]
9. Call Centers
• No PCI standard calls for a clean desk.
  – Control physical media, e.g. paper, flash drive.
  – Restrict access to handheld devices.
• Recordings of calls may hold CHD—encrypt.
• But what about sensitive authentication data?
  – Avoid it by not collecting CVV2 et al, or pause recording, or connect the caller to an Interactive Voice Response (IVR) system; or,
  – Deploy a compensating control.
• Protecting Telephone-based Payment Card Data
10. What is a compensating control? (1 of 2)
• Described when the deployed controls are not those specified in the requirement.
• For each compensating control one must:
  – state the technical or business reason compliance to the requirement as written is not possible;
  – describe what the original control was supposed to do and what the compensating control does;
  – identify the risk caused by lack of the original control;
11. What is a compensating control? (2 of 2)
  – describe the control and how it addresses the requirement and any increased risk;
  – the QSA must describe how the control was tested to validate; and,
  – describe how the control will be maintained.
• A compensating control cannot be one that is already mandated for the asset.
  – e.g. integrity checking on a server which doesn't have anti-malware software installed.
12. Electronic Commerce
• No physical presence, so you don't worry about point-of-sale systems, skimmers, or track data.
• Instead, you're on the friendly Internet using hardy web browsers and servers.
13. Store, process, and transmit
• Your web server talks to your customer to take the order and collect CHD for payment.
• To make purchases "easier" for your customer, you save the CHD, but not SAD, for subsequent purchases.
• You communicate with your processor to authenticate the account and then make the charge.
• You have a lot of explaining to do.
14. Your applications
• May be bespoke—customized to your business by you or a third party.
  – This application must be evaluated by the QSA.
• May be purchased commodity software.
  – Purchase PCI-certified Payment Applications and follow the Implementation Guide.
  – If not, the QSA must evaluate.
• May be a mélange, e.g. your web services fronting purchased shopping cart software.
15. Over there for payment please
What if I get someone else to accept the CHD and process the charge? I never see CHD. Do I still have to be PCI compliant?
16. That depends
• The PCI DSS 2.0 eCommerce Guidelines describe several scenarios.
  – Shared Management
    • Direct Post
    • iFrame
    • Redirect
  – Wholly outsourced
• A new SAQ, A-EP, is available for version 3
17. Embedded APIs with Direct Post
• Use processor-provided APIs to plug code into the customer's browser window.
• When data is entered into payment fields, it is sent directly to the processor, not to the merchant.
• Merchant must ensure that its website is not compromised.
18. Inline iFrames
• Processor's web page is embedded within the web page of the merchant.
• Data entered into the iFrame is sent directly to the processor and not seen by the merchant.
• Compromise of the merchant website may result in a compromise of the iFrame.
19. Hosted-payment page
• Merchant's page contains a link to the payment processor website.
• Customer is redirected to that site to enter payment information.
• If the merchant webpage is compromised, the customer could be redirected to a bad-guy site to enter CHD.
20. Wholly outsourced
• Customer connects directly to a third-party site for all functions, including payment.
  – Merchant can log in to manage store content.
• This is also a good solution for businesses that collect payment information over the phone.
  – The CSR connects directly to the customer or to the card processor to enter CHD and the amount to be charged.
22. Version 3.0
• Three year development cycle
• Available for compliance in 2014
• Mandatory for compliance beginning 2015
23. What did they want to fix
• Divergent interpretations of the standard
• Weak or default passwords
• Slow detection of compromise
• Security problems introduced by 3rd parties
• and various other areas
24. Highlights
• The twelve steps…errr…requirements remain
• Some sub-requirements added
• Policy and procedure requirements proximate to the items each policy and procedure addresses
• Descriptions of tests are more precise
  – Aligned language of requirement and test
  – Clarified what to do to verify compliance
• More rigor in determining scope of assessment
• More guidance on log reviews
• More rigorous penetration testing
25. No hiding documentation sins
• Version 2 aggregates all policy and procedure requirements in one location.
  – 12.1.1 Verify that the [security] policy addresses all PCI DSS requirements.
  – 12.2 Verify that [daily operational security procedures] are consistent with this specification, and include administrative and technical procedures for each of the requirements.
• Difficult to detect requirements not covered.
26. Moved to relevant locations
  – 1.5 managing firewalls are
  – 2.5 managing vendor defaults and other security parameters are
  – 3.7 protecting stored cardholder data are
  – 8.8 identification and authentication are
  – 10.8 monitoring all access to network resources and cardholder data are
27. Eschew Ambiguity
• Too much variance in interpretation among QSAs
  – Clients get different interpretations.
  – PCI Council's Quality Control sees too much variance in the Reports on Compliance (ROC).
• Version 3 removes ambiguities in the specification that result in inconsistent interpretations of a requirement.
31. Version 3 SAQs
• Format and content changes
  – Expected Testing, a new column
  – the Special column has been replaced with Yes with CCW (compensating control worksheet) and N/A
  – sections reorganized to ensure that an entity's attestation encompasses all elements of the SAQ and AOC
• eligibility for, and requirements within, each SAQ have been revised
32. There are some new SAQs in town
• A-EP: e-commerce merchants who outsource all payment processing to 3rd parties, using a website that doesn't directly receive cardholder data but that can impact the security of the payment transaction
• A-IP: merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage
35. New authentication requirement
• If you use identical credentials to authenticate yourself to all your customers…
• …a compromise of one of those customers exposes all the other customers.
• New Requirement 8.5.1: Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential for each customer.
36. Division of labor with 3rd party
• New requirement, 12.8.5, mandates that the assessed entity is aware of which DSS requirements are managed by the service provider and which are managed by the entity.
• How this division is documented and agreed between the assessed entity and the service provider is not specified.
37. Service Provider Responsibility (1 of 2)
New requirement, 12.9, mandates that service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer's CDE.
38. Service Provider Responsibility (2 of 2)
• The exact wording of that acknowledgement will depend on:
  – the agreement between the two parties;
  – the details of the service being provided; and,
  – the responsibilities assigned to each party.
• The acknowledgement does not have to include the exact wording provided in this requirement.
• Get your lawyers involved
41. They're getting serious about the CDE
Clause 3.1.1 of the ROC requires documentation of how the assessor validated the accuracy of the PCI DSS scope by describing:
– The methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to identify and document all existences of cardholder data.
– The methods or processes (for example, tools, observations, feedback, scans, data flow analysis) used to verify that no cardholder data exists outside of the CDE scope defined for this assessment.
– How the results of the methods/processes were evaluated to verify that PCI DSS scope is appropriate.
– How the results of the methods/processes were documented (e.g. the results may be a diagram or an inventory of cardholder data locations).
– Why the methods used for scope verification are considered by the assessor to be effective and accurate.
– The name of the assessor who attests that the scope of the assessment has been verified to be accurate and appropriate.
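An added example, not from the deck, of the kind of scanning tool the "tools, observations, scans" in clause 3.1.1 can be backed by when locating cardholder data: it finds 13 to 19 digit candidates in text, keeps only those that pass the Luhn check, and records each hit by source and line with the PAN masked to first six / last four, so the resulting inventory is not itself stored cardholder data. The sample log and its file name are constructed; the two valid PANs are the standard Visa and Amex test numbers.

```python
"""PAN discovery for scope verification (constructed sample input).

Scans text for candidate card numbers, validates them with the Luhn
checksum, and returns masked findings that can be documented in an
inventory of cardholder data locations without copying full PANs.
"""
import re
from typing import Dict, List

# A candidate is a run of 13-19 digits with optional single separators.
# The look-arounds stop the pattern from carving a 16-digit slice out of
# a longer digit run such as a hash or a numeric log timestamp.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str, source: str) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid candidate; never the full PAN."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if not luhn_ok(digits):
                continue        # random digit runs rarely pass Luhn
            findings.append({
                "source": source,
                "line": lineno,
                "length": len(digits),
                "masked": mask_pan(digits),
            })
    return findings


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan one text file; binary junk is tolerated via errors='ignore'."""
    with open(path, "r", encoding="utf-8", errors="ignore") as fh:
        return find_pans(fh.read(), path)


def inventory(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per source: the 'inventory of cardholder data
    locations' the ROC asks the assessor to document."""
    counts: Dict[str, int] = {}
    for f in findings:
        key = str(f["source"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample: two Luhn-valid test PANs, one with a wrong last
# digit (fails Luhn), and a phone number too short to be a candidate.
SAMPLE_LOG = """order=1001 customer=alice
card=4111 1111 1111 1111 exp=12/25
phone=602 316 1985 note=call back
card=4111111111111112 status=declined
card=3782 822463 10005 exp=01/26
"""

if __name__ == "__main__":
    hits = find_pans(SAMPLE_LOG, "constructed.log")
    for hit in hits:
        print(hit)
    print(inventory(hits))
```

Masked findings are enough to drive the scoping conversation (which share, which log, which table); the full PAN never leaves the system being scanned.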
42. A Penetration Test Methodology
• Based on industry-accepted approaches, e.g. NIST SP800-115
• A new clause 11.3
  – Test entire perimeter of CDE & all critical systems
  – Validate all scope-reduction controls—segmentation
  – Test from inside and from outside of the network
  – Test network-function components and OSs
  – As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
44. If you develop
• Requirement 6.5 mandates that programmers of internally-developed and bespoke applications must be trained in secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
• The QSA must identify the records of training that were examined to verify that software developers received training on secure coding techniques, including how to avoid common coding vulnerabilities, and understanding how sensitive data is handled in memory.
45. Authentication
• Requirement 8.2–6 text recognizes methods other than password, e.g. passphrases or certificates
  – Authentication credentials
• Minimum password length is still 7 characters
  – "Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above."
• A service provider must use a different password for each of its clients.
47. Quicker detection of compromise
• Deploy an integrity change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files
  – configure the software to perform critical file comparisons at least weekly.
• New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
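An added example, not from the deck, showing the change-detection mechanism and the 11.5.1 response process together in one small script: a SHA-256 baseline of the monitored tree, a comparison run that is meant to be scheduled at least weekly, and a callback that receives every added, removed or modified file so that no alert is generated without an owner. The web-root file names and contents in the demo are constructed.

```python
"""Critical-file change detection with a response hook.

Builds a SHA-256 baseline of every file under a directory, compares a
later snapshot against it, and routes each difference to a response
callback. In a real deployment the baseline must be kept where the
monitored host cannot rewrite it, otherwise an intruder who can change
the files can also change the reference hashes.
"""
import hashlib
import json
import os
import tempfile
from typing import Callable, Dict, List

Baseline = Dict[str, str]   # relative path -> sha256 hex digest
Event = Dict[str, str]      # {"path": ..., "change": added|removed|modified}


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Hash every regular file below root, keyed by path relative to root."""
    baseline: Baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: Baseline, path: str) -> None:
    """Persist the baseline as JSON (store it off-host or read-only)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline: Baseline, current: Baseline) -> List[Event]:
    """Diff two snapshots; an empty list means nothing changed."""
    events: List[Event] = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"path": rel, "change": "removed"})
        elif rel not in baseline:
            events.append({"path": rel, "change": "added"})
        elif baseline[rel] != current[rel]:
            events.append({"path": rel, "change": "modified"})
    return events


def run_check(root: str, baseline: Baseline,
              respond: Callable[[Event], None]) -> List[Event]:
    """One scheduled run: snapshot, diff, and hand every event to the
    responder (ticketing, paging, or a human review queue)."""
    events = compare(baseline, build_baseline(root))
    for event in events:
        respond(event)
    return events


def demo() -> List[Event]:
    """Constructed scenario: baseline a small web root, then modify one
    file, add one and delete one before the next check runs."""
    alerts: List[Event] = []
    with tempfile.TemporaryDirectory() as root:
        files = {"index.html": b"<html>shop</html>",
                 "payment.conf": b"gateway=processor.example\n",
                 "legacy.bin": b"\x00\x01\x02"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)

        # Drift between two weekly runs.
        with open(os.path.join(root, "payment.conf"), "ab") as fh:
            fh.write(b"gateway=other.example\n")
        with open(os.path.join(root, "checkout.js"), "wb") as fh:
            fh.write(b"// unexpected new script")
        os.remove(os.path.join(root, "legacy.bin"))

        run_check(root, baseline, alerts.append)
    return alerts


if __name__ == "__main__":
    for alert in demo():
        print(f"{alert['change']:>8}  {alert['path']}")
```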
48. How much work is this?
• Greater effort to move from 2.0 to 3.0 than from 1.2 to 2.0
• PCI compliance should be continuous
  – No frantic preparation before the arrival of the auditors and a round of drinks after they leave.
• More stringent testing procedures may find that previously compliant elements are now non-compliant.
49. Some breathing room: some new requirements need not be in place until 30 June 2015
  – 6.5.11 Broken Authentication and Session Management
  – 8.5.1 Use of unique authentication credentials for each client of a service provider.
  – 9.9 Protect POS from physical tampering
  – 11.3 Penetration test methodology
  – 12.9 Written acknowledgement of 3rd party responsibilities and compliance
50. If your organization…
• practices good information governance such that it is aware of what types of data it has and where it stores, processes, and sends that data;
• properly protects access to its information and its processes; and,
• defines appropriate policies implemented by self-documenting processes that not only comply with PCI requirements but also create easily discoverable evidence that compliance was continuous throughout the year; then
51. Not only do you have…
A good security and risk posture. You should be compliant with little additional effort.
52. One more thing
• Organizations often spend much effort to reduce the portion of the enterprise that will be subject to PCI DSS audit.
• The effort to protect CHD and SAD within the CDE should also be applied to PII throughout the entire enterprise.
• Had South Carolina done so, it's likely no PII would have been exposed.
• A tugboat may lead us to the answer.
53. The T. J. Hooper
• Towed barges and cargo lost in storm
• Cargo owners sue claiming negligence
  – Radio was a readily available technology
  – Couldn't receive broadcasts warning of storm
• No other tugboat operators had radios—the standard of care for the industry
• In a landmark decision Judge Learned Hand found the tugboat owners liable
54. "Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices… Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission." —Judge Learned Hand, 1932
55. Custom is not based merely on old standards. It also must be based on adapting to new technology. The duty of care is a relative concept that changes.
56. ?
Hoyt L. Kesterson II, Senior Security Architect
hoyt.kesterson@tvrms.com
602 316 1985
Scottsdale, Arizona