PCI: THE ESSENTIALS
A simple, easy to use, online, B2B procurement
portal for purchasing products and services to
identify, minimise and manage the security
threat to business data.
www.riskfactory.com
THE ESSENTIALS
• What PCI compliance is and why it's important
• Understand how to identify potential risks to card
data within your business
• Foundation in data risk management
• How to communicate the importance of PCI to
stakeholders
• The keys to achieving and maintaining compliance
• How to avoid fines
The Standard
WHERE DID IT COME FROM?
Restaurants sue POS vendor over data breach: Dec '09
Nearly 100 customers had their identities stolen as a result of "Aloha" POS software payment
terminals that were not PCI DSS compliant. The restaurants have to pay for forensic audits to trace the
problems, reimburse fraud costs to the credit card companies and pay for the re-issuance of credit cards
to the affected individuals.
[Figure: the PCI Data Security Standard at the centre, with the programme elements that feed it: Security Scans; Self-Assessment Questionnaire; On Site Audits; Community Meeting; Industry Best Practices; Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs); proactive feedback from QSAs, ASVs and POs; ADC Forensics Results; Advisory Board.]
THE STANDARD
APPLIES TO:
 Systems that store, process or transmit cardholder data
 Systems that connect to them (connected-to systems are in scope even if they never touch card data)
Compliance is mandatory
 Enforced through merchant services agreements (a contractual obligation, not a statute)
6 GOALS, 12 REQUIREMENTS
The PCI DSS is built on the following 6 core principles and 12 requirements, which break down into 264 controls:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
264 CONTROLS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
 1.1 Establish firewall configuration standards that include the following:
 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone
(intranet).
 1.1.4 Description of groups, roles and responsibilities for logical management of network components.
 1.1.5 Documented list of services/ports necessary for business.
 1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and
secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
 1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which
includes reason for use of protocol and security features implemented.
 1.1.8 Quarterly review of firewall and router rule sets.
 1.1.9 Establish configuration standards for routers.
THE STRUCTURE
CARDHOLDER DATA?
Card (PAN) number
Card account number
Expiry date
Magnetic stripe (full track data): sensitive authentication data
Chip (equivalent data): sensitive authentication data
Cardholder data may be stored if it is protected; sensitive authentication data may never be stored after authorisation, even encrypted.
CONTROLS-2-DATA
SCOPING
DE-SCOPING
• Network segmentation is not a PCI DSS control
requirement, but it is the main tool for reducing scope.
• Segmentation only reduces scope if it is verified: no
route from out-of-scope systems into the cardholder
data environment. A flat network puts everything in scope.
• De-scoping is where you set the cost baseline for
the project.
• Take your time.
• The more you can take out of scope, the less it
will cost to implement the controls.
QUIZ 1
1. The PCI DSS applies to all systems that ________,
__________, or _________ card data.
2. The PCI DSS is comprised of _________ principles,
___________ requirements and 264 controls.
3. The PCI DSS is a checklist of controls. True/False?
4. Controls only apply to systems “in scope”.
True/False?
5. We can store sensitive card holder data.
True/False?
The Players
THE PLAYERS
 Card Brands
 PCI Council
 Acquirers
 QSA
 ASV
 Merchants
 Service Providers
RELATIONSHIPS MATRIX
[Figure: the players (Merchant, Acquirer, Service Provider, Cardholder) mapped against the consequences of a breach: Cardholder Data Targeted; Cardholder Victimized; Regulatory Enforcement; Government Intervention; Media Scrutiny.]
CONCERNS & CONSEQUENCES
CARDHOLDER DATA EXPOSURE
[Figure: cardholder data flowing from the Merchant through the Payment Application and one or more Service Providers to the Acquirer; every hop that stores, processes or transmits the data is an exposure point.]
SERVICE PROVIDERS
 Businesses that process, store or transmit card data on behalf of a Merchant or
Acquirer, or facilitate doing so.
 Any business requiring connectivity to a cardholder data network or
application.
QUIZ 2
1. The __________ issue fines for non-compliance.
2. A service provider is defined as either
______________ or __________________.
3. Merchant Levels are determined by the _________
of ___________ per __________.
4. QSAs are monitored by _______________
5. The Acquirers set the compliance deadlines for the
Merchants. True/False?
Compliance
Process
PROCESS
Gap Analysis → Remediation → QSA Validation → Report on Compliance (RoC) → Attestation of Compliance (AoC) → Acquirer → Card Brands
KEY DOCUMENTATION
 Card Data Security Policy
 Comprehensive Network Diagram
 Evidence
 3rd Party Agreements
 End User Agreements
 Security Vulnerability Scan Reports
 Security Penetration Reports
KEY ACTIONS
 Gap Analysis
 Remediation
 Monthly Acquirer Reports
 Audit-ready (Evidence in place)
 Pass ASV scan
 Network Security Penetration Test
 Application Security Penetration Test
 Validation
 RoC to Acquirer / Card Brands
 Annual Revalidation
PROCESS – NOT A CHECKLIST
 Identify
 Minimise
 Manage
QUIZ 3
1. RoC is an acronym for ____________ on ____________.
2. AoC is an acronym for ____________ of ____________.
3. SAQ is an acronym for _________ ________ ________.
4. I need to pass both an ASV scan and penetration test
prior to validation. True/False.
5. These quizzes are getting on my nerves. True/False
Exercise
Situation: You have a bank owned terminal (BOT)
taking credit card payments at your site. It
is connected directly to the bank and is not
connected to your local systems.
Problem: Is it “in scope” of PCI DSS? Design a process
for determining your answer.
Dilemma: What problem do you still have?
The Policies
FRAMEWORK
Corporate Policy (the Card Data Security Policy), supported by:
• Annex A: Appropriate Use
• Annex B: 3rd Party Connectivity
• Annex C: Hosting Provider Security
POLICIES
1. INTRODUCTION
• Required for the protection of client card data.
2. APPLICABILITY
• All employees, contractors and 3rd party suppliers.
3. COMPLIANCE
• Compliance Manager monitors & enforces
• Collaborative effort
• Non-compliance = disciplinary action
4. REVIEW, UPDATES & MAINTENANCE
• Annual
• 30 days after significant changes
5. EXCEPTIONS
• Require Compliance Manager’s prior approval
6. PROGRAM MANAGEMENT
POLICIES
6.1 ANNUAL DOCUMENTATION
 Current network diagram
 Card data asset register
 Card data flow diagram clearly indicating all credit card dependant business processes
 List of all roles having access to card data
 3rd Party Statements of Compliance
6.2 INFORMATION SECURITY RISK ASSESSMENTS
 Annually
 Prior to significant changes
6.3 MINIMISE HOLDINGS
6.4 CARD DATA ASSET REGISTER
 Maintain current list of all devices hosting card data
6.5 ASSET CLASSIFICATION
 Hardware & software marked “Company Confidential”
POLICIES
6.6 EMPLOYEE CHECKS
• Staff with access to card data = criminal & credit checks
6.7 SECURITY TRAINING
• Initial
• Annual update
6.8 3rd PARTY CONNECTIVITY AGREEMENTS
• Condition of connectivity
6.9 3rd PARTY COMPLIANCE
6.10 3rd PARTY AUDITS
• Initial
• Annual verification
POLICIES
6.11 NETWORK SECURITY VULNERABILITY SCANNING
 Done quarterly – Pass – submitted to Acquirer
6.12 NETWORK SECURITY PENETRATION TESTING
 Annually
 After significant changes
6.13 APPLICATION SECURITY PENETRATION TESTING
 Applies to all applications that process, store or transmit card data
 Conducted prior to launch
 After significant changes
 Annually
7. SYSTEM SECURITY
7.1 FIREWALL & ROUTER CONFIGURATIONS
 As stated in Annex
POLICIES
7.2 PASSWORDS & SECURITY ADMINISTRATION
• Vendor accounts & defaults removed
• Admin access encrypted
• Configuration security build standards
7.3 CARD DATA STORAGE
• Minimise!
• Data Retention Policy
• Do not store authentication data
7.4 CARD DATA TRANSMISSION
• Encrypted with strong cryptography when sent over open, public networks
• Never send unprotected PANs by end-user messaging (email, instant messaging, etc.)
7.5 ANTI-VIRUS MANAGEMENT
• Software on all systems that process, store or transmit card data
7.6 SYSTEM MONITORING
• Quarterly testing for rogue wireless access points
• Implement IDS
• File integrity monitoring
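Added example, not from the deck: what "Minimise!", the retention policy and "do not store authentication data" look like at the persistence layer. The Python below allowlists the post-authorisation fields the business actually needs, keeps the PAN only as a masked value for display plus a keyed one-way hash for matching refunds and chargebacks, and puts a guard on the write path that refuses anything carrying track data, CVV2, a PIN block or a clear-text PAN. The authorisation response, the field names and the hashing key are assumptions for the illustration.

```python
import hashlib
import hmac

# Sensitive authentication data: never stored after authorisation, even encrypted.
SAD_FIELDS = frozenset({"track1", "track2", "cvv2", "pin_block"})
# Allowlist of what the business needs after authorisation ("Minimise!"): anything
# not named here is not written, so a new field in the auth response cannot leak in.
KEEP_FIELDS = ("expiry", "auth_code", "amount", "merchant_ref")

class SensitiveDataError(ValueError):
    """Raised when a write would persist data the policy forbids."""

def mask_pan(pan):
    """At most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_reference(pan, key):
    """Keyed one-way hash of the full PAN: lets refunds and chargebacks be matched to
    the original transaction without the stored value being reversible by anyone
    who lacks the key."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()

def storable_record(auth_response, key):
    """Build the only form of the transaction the business keeps."""
    record = {
        "pan_masked": mask_pan(auth_response["pan"]),
        "pan_ref": pan_reference(auth_response["pan"], key),
    }
    for field in KEEP_FIELDS:
        if field in auth_response:
            record[field] = auth_response[field]
    return record

def guard_write(record):
    """Last check at the persistence layer: refuse SAD or a clear-text PAN."""
    leaked = sorted(SAD_FIELDS.intersection(record))
    if leaked:
        raise SensitiveDataError(f"refusing to store sensitive authentication data: {leaked}")
    if "pan" in record:
        raise SensitiveDataError("refusing to store a clear-text PAN")
    return record

def write_rejected(record):
    """True if guard_write refuses the record (used by the self-check below)."""
    try:
        guard_write(record)
    except SensitiveDataError:
        return True
    return False

# Constructed authorisation response. The key is an assumption for the example;
# in production it comes from a key manager and is rotated.
DEMO_KEY = b"assumed-demo-key-not-for-production"
AUTH_RESPONSE = {
    "pan": "4111111111111111", "expiry": "1218", "cvv2": "123",
    "track2": "4111111111111111=12181011000012345678", "pin_block": "A1B2C3D4E5F60718",
    "auth_code": "00123A", "amount": "49.99", "merchant_ref": "ORD-1001",
}

if __name__ == "__main__":
    print(guard_write(storable_record(AUTH_RESPONSE, DEMO_KEY)))
    print("raw response rejected:", write_rejected(AUTH_RESPONSE))
```

The allowlist is the point: a denylist of SAD fields silently fails the day the gateway adds a new field, whereas an allowlist has to be extended on purpose. The guard is a second line behind it, so a developer who bypasses storable_record and writes the raw response still cannot persist track data.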
POLICIES
8. APPLICATION SECURITY
• Software security development lifecycle procedures
• Change control procedures as detailed in Annex
• Patches
• Process to keep up to date with new application threats
9. LOGS & RECORDS
• System logs as detailed in Annex
10. SYSTEM USER SECURITY
• Need to know
• Password
• Screensaver, lock outs
11. PHYSICAL ACCESS CONTROLS
• Facility access control, locks alarms
• Visitor badging
• Protection of hard copy card data
QUIZ 4
1. The Card Data Security Policy only applies to your
employees. True/False?
2. __________ is responsible for 3rd party compliance
verification.
3. Credit and criminal records checks need to be
conducted for all employees. True/False?
4. Identification badges are required for access to any
facility. True/False?
5. This guy uses way too much mousse in his hair.
True/False.
The Controls
CONTROLS
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
 1.1 Establish firewall configuration standards that include the following:
 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network
zone (intranet).
 1.1.4 Description of groups, roles and responsibilities for logical management of network components.
 1.1.5 Documented list of services/ports necessary for business.
 1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP)
and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
 1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol
(FTP), which includes reason for use of protocol and security features implemented.
 1.1.8 Quarterly review of firewall and router rule sets.
 1.1.9 Establish configuration standards for routers.
EVIDENCE
 Types
• Observation (configuration or process)
• Documentation
• Interview
• Technical (monitoring of network traffic)
 Required for each and every control !
CONTROLS EXAMPLE
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
 Observation (configuration)
 Observation (process)
 Documentation (firewall rule set)
 Interview (systems administrator)
 Technical (monitoring of network traffic)
COMPENSATING CONTROLS
 Used only when a control cannot be met as written because of a legitimate technical or documented business constraint
 Implement "risk-based" supplementary control(s) that meet the intent and rigour of the original
 Designed for the business
 Accepted by the business and validated by the QSA
 Must be accompanied by supporting evidence
 Accompanied by supporting processes
COMPENSATING CONTROLS
Information Required / Explanation / Example (Company XYZ)
1. Constraints
Explanation: List the constraints precluding compliance with the original requirement.
Example: Company XYZ employs stand-alone Unix servers without LDAP. As such, they each require a "root" login. It is not possible for Company XYZ to manage the "root" login, nor is it feasible to log all "root" activity by each user.
2. Objective
Explanation: Define the objective of the original control; identify the objective met by the compensating control.
Example: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, having shared logins makes it impossible to state definitively that a person is responsible for a particular action.
3. Identified Risk
Explanation: Identify any additional risk posed by the lack of the original control.
Example: Additional risk is introduced to the access control system by not ensuring all users have a unique ID and are able to be tracked.
4. Definition of Compensating Controls
Explanation: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
Example: Company XYZ is going to require all users to log into the servers from their desktops using the su command. su allows a user to access the "root" account and perform actions under the "root" account, but its use is logged (the su log). In this way, each user's actions can be tracked through the su log.
5. Validation of Compensating Controls
Explanation: Define how the compensating controls were validated and tested.
Example: Company XYZ demonstrates to the assessor that the su command is being executed and that the individuals using the command are logged, so that the individual performing actions under root privileges can be identified.
6. Maintenance
Explanation: Define the process and controls in place to maintain the compensating controls.
Example: Company XYZ documents processes and procedures to ensure su configurations are not changed, altered or removed to allow individual users to execute root commands without being individually tracked or logged.
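Added example to go with the validation and maintenance rows above; it is not from the deck or from the standard's worksheet. The Python below audits syslog su lines, attributes every root session to a named user, and flags root sessions the compensating control cannot account for (here, a direct SSH login as root), which is exactly what an assessor would ask to see and what a weekly maintenance check should produce. The log lines are constructed in the usual Linux su/sshd syslog format; the host and user names are invented.

```python
import re
from collections import Counter

# Linux su / sshd syslog lines in the format PAM and OpenSSH emit on most distributions.
SU_OK = re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\w+)\) (?P<user>\w+) on (?P<tty>\S+)")
SU_FAIL = re.compile(r"\bsu(?:\[\d+\])?: FAILED SU \(to (?P<target>\w+)\) (?P<user>\w+) on (?P<tty>\S+)")
ROOT_LOGIN = re.compile(r"\bsshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")

def audit_root_access(log_text):
    """Attribute root access to individuals. Returns who reached root via su,
    who failed, and any root session the su log cannot account for."""
    report = {"su_to_root": Counter(), "failed_su": Counter(), "untracked_root": []}
    for line in log_text.splitlines():
        m = SU_FAIL.search(line)
        if m:
            if m["target"] == "root":
                report["failed_su"][m["user"]] += 1
            continue
        m = SU_OK.search(line)
        if m:
            if m["target"] == "root":
                report["su_to_root"][m["user"]] += 1
            continue
        m = ROOT_LOGIN.search(line)
        if m:
            # Root arrived without passing through su: the objective (one named
            # person behind every root action) is not met for this session.
            report["untracked_root"].append(m["src"])
    return report

def control_holds(report):
    """The compensating control is only effective if every root session is attributable."""
    return not report["untracked_root"]

# Constructed extract of /var/log/auth.log from one of the stand-alone servers.
SAMPLE_AUTH_LOG = """\
Nov 20 10:15:02 pos-db1 su: (to root) alice on pts/0
Nov 20 10:15:02 pos-db1 su: pam_unix(su:session): session opened for user root by alice(uid=1001)
Nov 20 10:42:11 pos-db1 su: FAILED SU (to root) bob on pts/1
Nov 20 11:03:55 pos-db1 sshd[2231]: Accepted publickey for root from 10.10.5.7 port 50122 ssh2
Nov 20 11:30:00 pos-db1 su: (to root) carol on pts/2
Nov 20 12:00:01 pos-db1 CRON[3310]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    r = audit_root_access(SAMPLE_AUTH_LOG)
    print("su to root:", dict(r["su_to_root"]))
    print("failed su:", dict(r["failed_su"]))
    print("untracked root sessions from:", r["untracked_root"])
    print("compensating control holds:", control_holds(r))
```

The untracked session is the finding that matters: the control only meets the objective if su is the sole path to root, so the maintenance row has to include disabling direct root login (PermitRootLogin no in sshd, no root on the console) and shipping the su log off the box so the same users cannot edit it.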
QUIZ 5
1. Name the four types of evidence generally required.
2. If you cannot implement a control you will fail the
audit. True/False?
3. Compensating controls are _________ based and
must be accepted by ___________________.
4. When designing a compensating control you must
always consider the ____________ objective.
5. If I just nod once in a while, this guy actually
thinks I'm listening to him. True/False.
Project
Management
MILESTONES
• Risk-based prioritisation of the
implementation of the controls,
established by the card brands
• Milestone 1 – identify what you
have, where you have it and write
policies to protect it.
• Milestone 2 – Network integrity
• Milestone 3 – Code integrity
• Milestone 4 – Logs & records
• Milestone 5 – Incidents
• Milestone 6 – Auditing & testing
TIMELINES
• Missed deadline
• Milestones 1-4
• Validation
• SAQ
• AoC to Acquirer
• Annual Recertification
HOW WILL YOU GET THERE?
 By starting and maintaining momentum!
 Document everything
 Monthly Acquirer reports
 Quick resolution of questions
 Compensating controls
 Site visits – practice audits
 Disseminating information
2 WORDS
Due diligence
The Messages
INTENT
Minimise risk to card holder data
Give
PCI
a
Chance!
BUSINESS MESSAGES
Card brand service requirements
Regulatory requirement
Losses impact our clients
Lost client confidence = Lost £
System down time = Lost £
Repair costs = Lost £
Data theft & fraud = Lost £
Reputation losses = Lost £
Fines = Lost £
EMPLOYEE
 Security of our customer credit card data is critical
to our mission.
 We’ve implemented a detailed security program to
protect this data.
 Security is your responsibility.
 Security is everyone’s responsibility.
 Failure to meet this responsibility…
 We need your help and suggestions.
PARTNER
 Protection of our customer data is mission critical to us.
 We have implemented a PCI DSS compliance program and are
pending formal certification.
 Regulatory compliance is a shared responsibility.
 Connectivity to our systems requires compliance with PCI DSS controls as
a condition of contract.
 How can we help you?
CUSTOMER
 We are implementing a PCI DSS compliance program and are pending
formal certification.
 We require all of our partners and suppliers to meet PCI DSS controls
 We have implemented a rigorous security testing program to ensure the
security integrity of our systems.
 Protection of your personal data is critical to our business.
 If you have any question regarding our policies – do not hesitate to
contact us.
LAST QUIZ
1. Name a business message.
2. Name an employee message.
3. Name a client message.
4. Name a partner message.
5. Name all five members of the original Jackson 5.
The Close
IF NOTHING ELSE, REMEMBER
 PCI DSS is a “risk management framework”
 Implementation does not guarantee security
 A framework only serves to identify, minimise and
manage the risk of compromise.
 At the day’s end - You still own the risk.
 Identify
 Minimise
 Manage
A DIFFERENT PERSPECTIVE FROM:
www.riskfactory.com
0800 978 8139

 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Crew
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Crew
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get Physical
Risk Crew
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to Fit
Risk Crew
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
Risk Crew
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron?
Risk Crew
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back Door
Risk Crew
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an Identity
Risk Crew
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic Eavesdropping
Risk Crew
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best Practices
Risk Crew
 

More from Risk Crew (18)

Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891Pcishrinktofitpresentation 151125162550-lva1-app6891
Pcishrinktofitpresentation 151125162550-lva1-app6891
 
Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a Hacker
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 Numbers
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best Practice
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big Data
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile Devices
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response Programme
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data Leakage
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get Physical
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to Fit
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron?
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back Door
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an Identity
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic Eavesdropping
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best Practices
 

Recently uploaded

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Tobias Schneck
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 

Recently uploaded (20)

Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 

Riskfactorypcitheessentials 151125164111-lva1-app6892

• 2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
• 3. THE ESSENTIALS
  • What PCI compliance is and why it's important
  • Understand how to identify potential risks to card data within your business
  • Foundation in data risk management
  • How to communicate the importance of PCI to stakeholders
  • The keys to achieving and maintaining compliance
  • How to avoid fines
• 5. WHERE DID IT COME FROM?
  Restaurants sue POS vendor over data breach: Dec'09
  Nearly 100 customers had their identities stolen as a result of "Aloha" POS software payment terminals that were not PCI-DSS compliant. The restaurants have to pay for forensic audits to trace the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals.
• 7. (diagram) PCI Data Security Standard
  • Security Scans
  • Self-Assessment Questionnaire
  • On Site Audits
  • Community Meeting
  • Industry Best Practices
  • Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QSAs)
  • Proactive feedback from QSAs, ASVs and POs
  • ADC Forensics Results
  • Advisory Board
• 9. THE STANDARD APPLIES TO:
  • Systems that store, process or transmit cardholder data
  • Systems that connect to them
  Compliance is mandatory
  • Enforced through merchant services agreements
• 10. 6 GOALS, 12 REQUIREMENTS
  The PCI DSS standard is based upon the following 6 core principles and 12 requirements (264 controls):
  Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
  Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software.
  • Requirement 6: Develop and maintain secure systems and applications.
  Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.
  Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data.
  • Requirement 11: Regularly test security systems and processes.
  Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security.
• 11. 264 CONTROLS
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • 1.1 Establish firewall configuration standards that include the following:
    - 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
    - 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
    - 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
    - 1.1.4 Description of groups, roles and responsibilities for logical management of network components.
    - 1.1.5 Documented list of services/ports necessary for business.
    - 1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
    - 1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP) - which includes the reason for use of the protocol and the security features implemented.
    - 1.1.8 Quarterly review of firewall and router rule sets.
    - 1.1.9 Establish configuration standards for routers.
• 13. CARDHOLDER DATA?
  • Card (PAN) number
  • Magnetic stripe
  • Expiry date
  • Chip
  • Card account number
• 16. DE-SCOPING
  • Network segmentation is not a PCI DSS control requirement
  • De-scoping is where you set the cost baseline for the project.
  • Take your time.
  • The more you can take out of scope – the less it will cost to implement the controls.
• 17. QUIZ 1
  1. The PCI DSS applies to all systems that ________, __________, or _________ card data.
  2. The PCI DSS is comprised of _________ principles, ___________ requirements and 264 controls.
  3. The PCI DSS is a checklist of controls. True/False?
  4. Controls only apply to systems "in scope". True/False?
  5. We can store sensitive card holder data. True/False?
• 19. THE PLAYERS
  • Card Brands
  • PCI Council
  • Acquirers
  • QSA
  • ASV
  • Merchants
  • Service Providers
• 21. CONCERNS & CONSEQUENCES
  • Service Provider
  • Cardholder
  • Merchant
  • Acquirer
• 23. SERVICE PROVIDERS
  • Businesses that facilitate the processing, storage or transmission of card data on behalf of a Merchant or Acquirer.
  • Any business requiring connectivity to a card holder network or application.
• 25. QUIZ 2
  1. The __________ issue fines for non-compliance.
  2. A service provider is defined as either ______________ or __________________.
  3. Merchant Levels are determined by the _________ of ___________ per __________.
  4. QSAs are monitored by _______________
  5. The Acquirers set the compliance deadlines for the Merchants. True/False?
• 27. PROCESS
  Gap Analysis -> Remediation -> QSA Validation -> Report of Compliance -> Attestation of Compliance -> Acquirer -> Card Brands
• 28. KEY DOCUMENTATION
  • Card Data Security Policy
  • Comprehensive Network Diagram
  • Evidence
  • 3rd Party Agreements
  • End User Agreements
  • Security Vulnerability Scan Reports
  • Security Penetration Reports
• 29. KEY ACTIONS
  • Gap Analysis
  • Remediation
  • Monthly Acquirer Reports
  • Audit-ready (Evidence in place)
  • Pass ASV scan
  • Network Security Penetration Test
  • Application Security Penetration Test
  • Validation
  • RoC to Acquirer / Card Brands
  • Annual Revalidation
• 30. PROCESS – NOT A CHECKLIST
• 32. QUIZ 3
  1. RoC is an acronym for ____________ on ____________.
  2. AoC is an acronym for ____________ of ____________.
  3. SAQ is an acronym for _________ ________ ________.
  4. I need to pass both an ASV scan and a penetration test prior to validation. True/False.
  5. These quizzes are getting on my nerves. True/False
• 34. Situation: You have a bank owned terminal (BOT) taking credit card payments at your site. It is connected directly to the bank and is not connected to your local systems.
  Problem: Is it "in scope" of PCI DSS? Design a process for determining your answer.
  Dilemma: What problem do you still have?
• 36. FRAMEWORK
  Corporate Policy
  • Annex A: Appropriate Use
  • Annex B: 3rd Party Connectivity
  • Annex C: Hosting Provider Security
• 37. POLICIES
  1. INTRODUCTION
  • Required for the protection of client card data.
  2. APPLICABILITY
  • All employees, contractors and 3rd party suppliers.
  3. COMPLIANCE
  • Compliance Manager monitors & enforces
  • Collaborative effort
  • Non-compliance = disciplinary action
  4. REVIEW, UPDATES & MAINTENANCE
  • Annual
  • 30 days after significant changes
  5. EXCEPTIONS
  • Require Compliance Manager's prior approval
  6. PROGRAM MANAGEMENT
• 38. POLICIES
  6.1 ANNUAL DOCUMENTATION
  • Current network diagram
  • Card data asset register
  • Card data flow diagram clearly indicating all credit card dependent business processes
  • List of all roles having access to card data
  • 3rd Party Statements of Compliance
  6.2 INFORMATION SECURITY RISK ASSESSMENTS
  • Annually
  • Prior to significant changes
  6.3 MINIMISE HOLDINGS
  6.4 CARD DATA ASSET REGISTER
  • Maintain a current list of all devices hosting card data
  6.5 ASSET CLASSIFICATION
  • Hardware & software marked "Company Confidential"
• 39. POLICIES
  6.6 EMPLOYEE CHECKS
  • Staff with access to card data = criminal & credit checks
  6.7 SECURITY TRAINING
  • Initial
  • Annual update
  6.8 3rd PARTY CONNECTIVITY AGREEMENTS
  • Condition of connectivity
  6.9 3rd PARTY COMPLIANCE
  6.10 3rd PARTY AUDITS
  • Initial
  • Annual verification
• 40. POLICIES
  6.11 NETWORK SECURITY VULNERABILITY SCANNING
  • Done quarterly – Pass – submitted to Acquirer
  6.12 NETWORK SECURITY PENETRATION TESTING
  • Annually
  • After significant changes
  6.13 APPLICATION SECURITY PENETRATION TESTING
  • Applies to all applications that process, store or transmit card data
  • Conducted prior to launch
  • After significant changes
  • Annually
  7. SYSTEM SECURITY
  7.1 FIREWALL & ROUTER CONFIGURATIONS
  • As stated in Annex
• 41. POLICIES
  7.2 PASSWORDS & SECURITY ADMINISTRATION
  • Vendor accounts & defaults removed
  • Admin access encrypted
  • Configuration security build standards
  7.3 CARD DATA STORAGE
  • Minimise!
  • Data Retention Policy
  • Do not store authentication data
  7.4 CARD DATA TRANSMISSION
  • Encrypted when sent over public networks (email, etc.)
  7.5 ANTI-VIRUS MANAGEMENT
  • Software on all systems that process, store or transmit card data
  7.6 SYSTEM MONITORING
  • Quarterly testing for wireless
  • Implement IDS
  • File integrity monitoring
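The CARDHOLDER DATA slide (13) and policy sections 6.3 and 7.3 above draw a line between the PAN, which may be kept if it is protected and truncated, and authentication data (CVV, magnetic stripe/track data), which must never be stored. The Python below is an added example and not code from the Risk Factory deck: a discovery scan of the kind a "minimise holdings" exercise starts with, which finds PANs that have leaked into log text, confirms them with the Luhn check so order numbers and timestamps are not flagged, truncates them to the first six and last four digits (the display limit in PCI DSS Requirement 3.3, v3.x), and reports any field that names authentication data. The regular expressions, the list of field names treated as authentication data, and the sample log lines are all constructed for this example.

```python
"""
Added example (not from the Risk Factory deck): discovering and truncating
cardholder data in text, with sensitive authentication data flagged.
"""
import re
from dataclasses import dataclass
from typing import List

# 13-19 digits, optionally separated by single spaces or dashes, and not part of
# a longer digit run (so a 20-digit reference number is never split into a "PAN").
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# key=value fields whose key names sensitive authentication data. The key list
# is an assumption for this example; extend it to match your own applications.
_SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|track[12]?)\s*[=:]\s*([^\s,;]+)", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: True for a well-formed PAN, False for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest (PCI DSS 3.3 display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str    # "PAN" (truncated value reported) or "SAD" (field name reported)
    value: str


def find_cardholder_data(text: str) -> List[Finding]:
    """One Finding per Luhn-valid PAN or authentication-data field, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                findings.append(Finding(line_no, "PAN", mask_pan(digits)))
        for m in _SAD_FIELD.finditer(line):
            findings.append(Finding(line_no, "SAD", m.group(1).lower()))
    return findings


def redact(text: str) -> str:
    """Truncate PANs and remove authentication-data values so the text can be retained."""
    def pan_repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    text = _PAN_CANDIDATE.sub(pan_repl, text)
    return _SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REMOVED]", text)


# Constructed sample: an application debug log that leaked card data.
# The card numbers are the usual published test numbers, not real accounts.
SAMPLE_LOG = """\
2015-11-25 10:01:03 INFO order=20240115123456 status=ok
2015-11-25 10:01:07 DEBUG card=4111 1111 1111 1111 exp=12/19 cvv=123
2015-11-25 10:01:09 DEBUG card=378282246310005 exp=01/20
2015-11-25 10:01:12 DEBUG card=4111111111111112 declined
"""

if __name__ == "__main__":
    for f in find_cardholder_data(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(redact(SAMPLE_LOG))
```

Line 1 (an order number) and line 4 (a number that fails Luhn) produce no finding; line 2 yields a truncated PAN plus a CVV hit, which is the case the policy says must never exist in storage, and line 3 a truncated PAN. A scan like this only finds plain-text PANs on a single line; Base64-encoded or split values, database columns and binary dumps need their own checks, and the asset register (6.4) is still built from the data flow diagram rather than from scan output alone.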
• 42. POLICIES
  8. APPLICATION SECURITY
  • Software security development lifecycle procedures
  • Change control procedures as detailed in Annex
  • Patches
  • Process to keep up to date with new application threats
  9. LOGS & RECORDS
  • System logs as detailed in Annex
  10. SYSTEM USER SECURITY
  • Need to know
  • Password
  • Screensaver, lock outs
  11. PHYSICAL ACCESS CONTROLS
  • Facility access control, locks, alarms
  • Visitor badging
  • Protection of hard copy card data
• 43. QUIZ 4
  1. The Card Data Security Policy only applies to your employees. True/False?
  2. __________ is responsible for 3rd party compliance verification.
  3. Credit and criminal records checks need to be conducted for all employees. True/False?
  4. Identification badges are required for access to any facility. True/False?
  5. This guy uses way too much mousse in his hair. True/False.
• 45. CONTROLS
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • 1.1 Establish firewall configuration standards that include the following:
    - 1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
    - 1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
    - 1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
    - 1.1.4 Description of groups, roles and responsibilities for logical management of network components.
    - 1.1.5 Documented list of services/ports necessary for business.
    - 1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
    - 1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP) - which includes the reason for use of the protocol and the security features implemented.
    - 1.1.8 Quarterly review of firewall and router rule sets.
    - 1.1.9 Establish configuration standards for routers.
• 46. EVIDENCE
  Types
  • Observation (configuration or process)
  • Documentation
  • Interview
  • Technical (monitoring of network traffic)
  Required for each and every control!
• 47. CONTROLS EXAMPLE
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  1.1 Establish firewall configuration standards that include the following:
  1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
  • Observation (configuration)
  • Observation (process)
  • Documentation (firewall rule set)
  • Interview (systems administrator)
  • Technical (monitoring of network traffic)
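Controls 1.1.5 to 1.1.8 on the 264 CONTROLS and CONTROLS slides (11 and 45) ask for a documented list of needed services/ports, justification for anything beyond HTTP, SSL, SSH and VPN, extra justification for risky protocols such as FTP, and a quarterly rule-set review; the CONTROLS EXAMPLE slide lists the firewall rule set as the documentation evidence. The Python below is an added example, not the deck's own material: a review script that takes a rule set in a constructed one-line-per-rule syntax (not any vendor's format), compares every allow rule with the documented services list, separates the cases the controls treat differently, and checks the review date against the quarterly cycle. The rule syntax, sample rules, the Telnet entry in the risky-protocol table and the 91-day quarter are all assumptions made for the example.

```python
"""
Added example (not from the Risk Factory deck): firewall rule-set review against
the documented services/ports list for PCI DSS controls 1.1.5 - 1.1.8.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# 1.1.6: protocols the slide lists as not needing separate justification.
# Ports are strings so that "any" can be handled the same way as a number.
BASELINE = {("tcp", "80"): "HTTP", ("tcp", "443"): "SSL/TLS", ("tcp", "22"): "SSH",
            ("udp", "500"): "VPN (IPsec IKE)", ("udp", "4500"): "VPN (IPsec NAT-T)"}
# 1.1.7: risky protocols. FTP is the slide's example; Telnet is added as an assumption.
RISKY = {("tcp", "21"): "FTP", ("tcp", "23"): "Telnet"}

# Constructed rule syntax for this example: "<action> <proto> <src> -> <dst> port <n|any>"
_RULE = re.compile(r"^(allow|deny)\s+(tcp|udp|any)\s+(\S+)\s*->\s*(\S+)\s+port\s+(\d+|any)$")


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule syntax; '#' starts a comment, blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {raw!r}")
        rules.append(Rule(*m.groups()))
    return rules


def review_rules(rules: List[Rule], documented: Dict[Tuple[str, str], str]) -> Dict[str, List[str]]:
    """Classify each allow rule: documented (1.1.5), baseline (1.1.6), risky (1.1.7) or undocumented."""
    report: Dict[str, List[str]] = {"documented": [], "baseline": [], "risky_unjustified": [], "undocumented": []}
    for r in rules:
        if r.action != "allow":       # deny rules need no business justification
            continue
        key = (r.proto, r.port)
        desc = f"{r.proto}/{r.port} {r.src} -> {r.dst}"
        if key in documented:
            report["documented"].append(f"{desc}: {documented[key]}")
        elif key in RISKY:
            report["risky_unjustified"].append(
                f"{desc}: {RISKY[key]} allowed without justification or security features (1.1.7)")
        elif key in BASELINE:
            report["baseline"].append(f"{desc}: {BASELINE[key]} (1.1.6)")
        else:
            report["undocumented"].append(f"{desc}: not on the documented services/ports list (1.1.5)")
    return report


def review_overdue(last_review: date, today: date, max_days: int = 91) -> bool:
    """1.1.8: quarterly review; 91 days is the assumed length of a quarter."""
    return today - last_review > timedelta(days=max_days)


# Constructed sample rule set and documented services list.
SAMPLE_RULES = """\
# edge and CDE firewall, constructed for the example
allow tcp any -> dmz-web port 443
allow tcp dmz-web -> cde-db port 3306
allow tcp admin-net -> cde-db port 22
allow tcp any -> cde-db port 21
allow tcp any -> cde-app port 8080
deny any any -> any port any
"""
DOCUMENTED = {("tcp", "443"): "customer web site", ("tcp", "3306"): "web tier to card database"}

if __name__ == "__main__":
    for status, items in review_rules(parse_rules(SAMPLE_RULES), DOCUMENTED).items():
        for item in items:
            print(f"{status:18} {item}")
    print("review overdue:", review_overdue(date(2015, 7, 1), date(2015, 11, 25)))
```

On the sample, HTTPS and MySQL are documented, SSH falls under the baseline protocols, FTP into the CDE database is the 1.1.7 case that needs written justification or removal, and port 8080 has no documented business need at all. The script is a consistency check between two pieces of evidence; the assessor still wants the approval records behind each documented entry (1.1.1), not just the list.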
  • 48. COMPENSATING CONTROLS  Used only when a specific control cannot be implemented due to a business process  Implement “risk-based” supplementary control(s)  Designed for the business  Accepted by the business  Must be accompanied by supporting evidence  Accompanied by supporting processes
  • 49. COMPENSATING CONTROLS (worksheet: information required, explanation, worked example)
1. Constraints – List the constraints precluding compliance with the original requirement. Example: Company XYZ employs stand-alone Unix servers without LDAP. As such, each server requires a “root” login. It is not possible for Company XYZ to manage the “root” login, nor is it feasible to log all “root” activity by each user.
2. Objective – Define the objective of the original control and identify the objective met by the compensating control. Example: The objective of requiring unique logins is twofold. First, it is not considered acceptable from a security perspective to share login credentials. Secondly, shared logins make it impossible to state definitively that a particular person is responsible for a particular action.
3. Identified Risk – Identify any additional risk posed by the lack of the original control. Example: Additional risk is introduced to the access control system by not ensuring that all users have a unique ID and can be tracked.
4. Definition of Compensating Controls – Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any. Example: Company XYZ will require all users to log into the servers from their desktops and then use the SU command. SU allows a user to access the “root” account and perform actions under it, and each use is logged in the SU-log directory. In this way, each user’s actions can be tracked through the SU log.
5. Validation of Compensating Controls – Define how the compensating controls were validated and tested. Example: Company XYZ demonstrates to the assessor that the SU command is being executed and that the individuals using the command are logged, so that the individual performing actions under root privileges can be identified.
6. Maintenance – Define the process and controls in place to maintain the compensating controls. Example: Company XYZ documents processes and procedures to ensure SU configurations are not changed, altered or removed in a way that would allow individual users to execute root commands without being individually tracked or logged.
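The worksheet above stands or falls on two facts an assessor will want evidence for: every elevation to root goes through SU and is logged, and there is no other route to root that bypasses that log. As an added example (not from the slides, and not Company XYZ's own tooling), the shell script below runs over a few constructed syslog-style auth lines, attributes each successful su-to-root to the invoking user, and counts direct root logins over SSH that would sidestep the compensating control. The log format, hostname and usernames are assumed; on a real server the same functions would read the host's auth log instead of the embedded sample.

```shell
#!/bin/sh
# Evidence checks for an "su to root" compensating control.
# The log lines below are CONSTRUCTED for this example; the hostname app01,
# the usernames and the timestamps are assumptions, not data from the slides.
SAMPLE_LOG='Mar  3 09:12:01 app01 su: (to root) alice on pts/0
Mar  3 09:15:44 app01 su: (to root) bob on pts/1
Mar  3 09:20:10 app01 su: pam_unix(su:auth): authentication failure; logname=carol uid=1003 euid=0 tty=pts/2 ruser=carol rhost=  user=root
Mar  3 09:31:07 app01 sshd[2201]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Mar  3 09:40:00 app01 su: (to root) alice on pts/0'

# Emit one "user->root" line per successful su to root, so that every root
# session in the evidence pack can be tied back to a named individual.
# awk collapses the double space after the month, so the invoking user is $8.
su_attributions() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '$5 == "su:" && $6 == "(to" && $7 == "root)" { print $8 "->root" }'
}

# Number of successful su-to-root events (the attributable root sessions).
su_to_root_count() {
    su_attributions | awk 'END { print NR }'
}

# Number of distinct individuals who obtained root through su.
su_to_root_users() {
    su_attributions | sort -u | awk 'END { print NR }'
}

# Failed su attempts: worth reviewing, since repeated failures against root
# are exactly what the "identified risk" row says must remain visible.
su_failure_count() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/su: pam_unix\(su:auth\): authentication failure/ { n++ } END { print n + 0 }'
}

# Direct root logins over SSH bypass the su log entirely; any non-zero count
# means the control is not the only path to root and the worksheet's
# "maintenance" row has been violated.
untracked_root_logins() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Accepted .* for root / { n++ } END { print n + 0 }'
}

# Stand-alone usage: print the attribution trail and the three counts.
su_attributions
echo "su to root (successful): $(su_to_root_count)"
echo "distinct users via su:   $(su_to_root_users)"
echo "failed su attempts:      $(su_failure_count)"
echo "direct root ssh logins:  $(untracked_root_logins)"
```

The attribution list is the artefact to hand to the assessor for row 5 of the worksheet; the direct-login count is the check that belongs in the row 6 maintenance procedure, run on a schedule rather than once at audit time.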
  • 50. QUIZ 5 1. Name the four types of evidence generally required. 2. If you cannot implement a control you will fail the audit. True/False? 3. Compensating controls are _________ based and must be accepted by ___________________. 4. When designing a compensating control you must always consider the ____________ objective. 5. If I just nod once in a while, this guy actually thinks I’m listening to him. True/False.
  • 52. MILESTONES • Risk-based prioritisation of the implementation of the controls, established by the card brands • Milestone 1 – identify what you have, where you have it and write policies to protect it. • Milestone 2 – Network integrity • Milestone 3 – Code integrity • Milestone 4 – Logs & records • Milestone 5 – Incidents • Milestone 6 – Auditing & testing
  • 53. TIMELINES • Missed deadline • Milestones 1-4 • Validation • SAQ • AoC to Acquirer • Annual Recertification
  • 54. HOW WILL YOU GET THERE?  By starting and maintaining momentum!  Document everything  Monthly Acquirer reports  Quick resolution of questions  Compensating controls  Site visits – practice audits  Disseminating information
  • 57. INTENT Minimise risk to card holder data Give PCI a Chance!
  • 58. BUSINESS MESSAGES Card brand service requirements Regulatory requirement Losses impact our clients Lost client confidence = Lost £ System down time = Lost £ Repair costs = Lost £ Data theft & fraud = Lost £ Reputation losses = Lost £ Fines = Lost £
  • 59. EMPLOYEE  Security of our customer credit card data is critical to our mission.  We’ve implemented a detailed security program to protect this data.  Security is your responsibility.  Security is everyone’s responsibility.  Failure to meet this responsibility…  We need your help and suggestions.
  • 60. PARTNER  Protection of our customer data is mission critical to us.  We have implemented a PCI DSS compliance program and are pending formal certification.  Regulatory compliance is a shared responsibility.  Connectivity to our systems requires compliance with PCI DSS controls as a condition of contract.  How can we help you?
  • 61. CUSTOMER  We are implementing a PCI DSS compliance program and are pending formal certification.  We require all of our partners and suppliers to meet PCI DSS controls.  We have implemented a rigorous security testing program to ensure the security integrity of our systems.  Protection of your personal data is critical to our business.  If you have any questions regarding our policies – do not hesitate to contact us.
  • 62. LAST QUIZ 1. Name a business message. 2. Name an employee message. 3. Name a client message. 4. Name a partner message. 5. Name all five members of the original Jackson 5.
  • 64. IF NOTHING ELSE, REMEMBER  PCI DSS is a “risk management framework”  Implementation does not guarantee security  A framework only serves to identify, minimise and manage the risk of compromise.  At the day’s end – you still own the risk.
  • 66. A DIFFERENT PERSPECTIVE FROM: www.riskfactory.com 0800 978 8139