The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS). It discusses what PCI compliance is and why it is important. It outlines the goals and 12 requirements of the PCI DSS, including building a secure network, protecting cardholder data, maintaining vulnerability management, access control measures, monitoring networks, and maintaining an information security policy. It also discusses how to achieve and maintain compliance to avoid fines. The document provides information on PCI compliance requirements, processes, policies, controls, project management, and key messages around PCI.
PCI stands for “Payment Card Industry”; its Security Standards Council is comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data.
To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives, but this is the main one that applies to the majority of businesses.
The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit card holder data. The requirement for PCI DSS compliance is stated in your agreement with the acquiring bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SSC and can issue fines for non-compliance.
A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
2. A simple, easy to use, online, B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data.
www.riskfactory.com
3. THE ESSENTIALS
• What PCI compliance is and why it's important
• Understand how to identify potential risks to card data within your business
• Foundation in data risk management
• How to communicate the importance of PCI to stakeholders
• The keys to achieving and maintaining compliance
• How to avoid fines
5. WHERE DID IT COME FROM?
Restaurants sue POS vendor over data breach: Dec’09
Nearly 100 customers had their identities stolen as a result of "Aloha" POS software payment terminals that were not PCI DSS compliant. The restaurants have to pay for forensic audits to trace the problems, reimburse fraud costs to the credit card companies and pay for re-issuance of credit cards to affected individuals.
9. APPLIES TO:
Systems that store, process or transmit cardholder data
Systems that connect to them
Compliance is mandatory
Enforced through merchant services agreements
10. 6 GOALS, 12 REQUIREMENTS
The PCI DSS is organised into the following 6 goals (core principles) and 12 requirements, which break down into 264 individual controls:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
11. 264 CONTROLS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.
1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network zone (intranet).
1.1.4 Description of groups, roles and responsibilities for logical management of network components.
1.1.5 Documented list of services/ports necessary for business.
1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP) and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN).
1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented.
1.1.8 Quarterly review of firewall and router rule sets.
1.1.9 Establish configuration standards for routers.
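Added example, not part of the Risk Factory deck: a small reviewer for the quarterly rule-set review in 1.1.8 that checks each permit rule against the documented services/ports list (1.1.5) and flags risky protocols that lack a 1.1.7 justification. The iptables-save rule syntax, the approved-services list, the risky-protocol entries beyond the deck's FTP example, and the sample rules are all assumptions constructed for the demonstration.

```python
"""
Added example (not from the deck): review a firewall rule set against the
documented list of business-justified services/ports (1.1.5), flag risky
protocols without a 1.1.7 justification, and produce counts for the
quarterly review record (1.1.8).
"""
import re
from dataclasses import dataclass

# Constructed sample in iptables-save syntax (assumption: the firewall exports
# rules this way; another vendor's format needs its own parse_rule).
SAMPLE_RULES = """\
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
-A INPUT -s 10.0.9.0/24 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -j DROP
"""

# Documented services list (1.1.5): (protocol, port) -> business justification.
# Assumed content for the example.
APPROVED_SERVICES = {
    ("tcp", 443): "HTTPS: customer payment pages",
    ("tcp", 22): "SSH: administration from the management LAN",
}

# Protocols needing a 1.1.7 justification. FTP is the deck's own example;
# Telnet and RDP are assumed additions.
RISKY_SERVICES = {("tcp", 21): "FTP", ("tcp", 23): "Telnet", ("tcp", 3389): "RDP"}


@dataclass
class Finding:
    rule: str
    severity: str   # "high" or "medium"
    reason: str


def parse_rule(line):
    """Extract the fields the review needs from one iptables-save rule line."""
    def opt(flag):
        m = re.search(rf"(?:^|\s){flag}\s+(\S+)", line)
        return m.group(1) if m else None
    return {"proto": opt("-p"), "dport": opt("--dport"),
            "src": opt("-s"), "target": opt("-j")}


def review_rules(rules_text, approved=APPROVED_SERVICES, risky=RISKY_SERVICES):
    """Return one Finding per ACCEPT rule that lacks a documented justification."""
    findings = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line.startswith("-A"):
            continue                        # only chain rules carry permits
        r = parse_rule(line)
        if r["target"] != "ACCEPT":
            continue                        # DROP/REJECT rules add no service
        if r["dport"] is None:
            findings.append(Finding(line, "high",
                "permits every port from %s: no services-list entry can cover it"
                % (r["src"] or "any source")))
            continue
        key = (r["proto"], int(r["dport"]))
        if key in approved:
            continue
        if key in risky:
            findings.append(Finding(line, "high",
                f"{risky[key]} permitted without a 1.1.7 justification"))
        else:
            findings.append(Finding(line, "medium",
                f"{key[0]}/{key[1]} is not on the documented services list (1.1.5)"))
    return findings


def review_summary(rules_text):
    """Severity counts to file with the quarterly review (1.1.8)."""
    findings = review_rules(rules_text)
    return {"high": sum(f.severity == "high" for f in findings),
            "medium": sum(f.severity == "medium" for f in findings)}


if __name__ == "__main__":
    for f in review_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.rule}\n    {f.reason}")
```

The point of the script is the comparison, not the parser: the documented services list is the artefact the assessor asks for, and a permit rule that cannot be traced to an entry on it is the thing a quarterly review has to surface. On the sample rules it flags FTP and RDP as risky protocols, NTP as an undocumented service, and the catch-all permit from 10.0.9.0/24 as the most serious gap.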
16. DE-SCOPING
• Network segmentation is not a PCI DSS control requirement
• De-scoping is where you set the cost baseline for the project.
• Take your time.
• The more you can take out of scope, the less it will cost to implement the controls.
17. QUIZ 1
1. The PCI DSS applies to all systems that ________, __________, or _________ card data.
2. The PCI DSS is comprised of _________ principles, ___________ requirements and 264 controls.
3. The PCI DSS is a checklist of controls. True/False?
4. Controls only apply to systems “in scope”. True/False?
5. We can store sensitive card holder data. True/False?
23. SERVICE PROVIDERS
Businesses that facilitate the processing, storage or transmission of card data on behalf of a Merchant or Acquirer.
Any business requiring connectivity to a card holder network or application.
25. QUIZ 2
1. The __________ issue fines for non-compliance.
2. A service provider is defined as either ______________ or __________________.
3. Merchant Levels are determined by the _________ of ___________ per __________.
4. QSAs are monitored by _______________
5. The Acquirers set the compliance deadlines for the Merchants. True/False?
32. QUIZ 3
1. RoC is an acronym for ____________ on ____________.
2. AoC is an acronym for ____________ of ____________.
3. SAQ is an acronym for _________ ________ ________.
4. I need to pass both an ASV scan and penetration test prior to validation. True/False?
5. These quizzes are getting on my nerves. True/False?
34. Situation: You have a bank owned terminal (BOT) taking credit card payments at your site. It is connected directly to the bank and is not connected to your local systems.
Problem: Is it “in scope” of PCI DSS? Design a process for determining your answer.
Dilemma: What problem do you still have?
37. POLICIES
1. INTRODUCTION
• Required for the protection of client card data.
2. APPLICABILITY
• All employees, contractors and 3rd party suppliers.
3. COMPLIANCE
• Compliance Manager monitors & enforces
• Collaborative effort
• Non-compliance = disciplinary action
4. REVIEW, UPDATES & MAINTENANCE
• Annual
• 30 days after significant changes
5. EXCEPTIONS
• Require Compliance Manager’s prior approval
6. PROGRAM MANAGEMENT
38. POLICIES
6.1 ANNUAL DOCUMENTATION
Current network diagram
Card data asset register
Card data flow diagram clearly indicating all credit card dependent business processes
List of all roles having access to card data
3rd Party Statements of Compliance
6.2 INFORMATION SECURITY RISK ASSESSMENTS
Annually
Prior to significant changes
6.3 MINIMISE HOLDINGS
6.4 CARD DATA ASSET REGISTER
Maintain current list of all devices hosting card data
6.5 ASSET CLASSIFICATION
Hardware & software marked “Company Confidential”
39. POLICIES
6.6 EMPLOYEE CHECKS
• Staff with access to card data = criminal & credit checks
6.7 SECURITY TRAINING
• Initial
• Annual update
6.8 3rd PARTY CONNECTIVITY AGREEMENTS
• Condition of connectivity
6.9 3rd PARTY COMPLIANCE
6.10 3rd PARTY AUDITS
• Initial
• Annual verification
40. POLICIES
6.11 NETWORK SECURITY VULNERABILITY SCANNING
Quarterly; a passing scan is submitted to the Acquirer
6.12 NETWORK SECURITY PENETRATION TESTING
Annually
After significant changes
6.13 APPLICATION SECURITY PENETRATION TESTING
Applies to all application process/store/transmit
Conducted prior to launch
After significant changes
Annually
7. SYSTEM SECURITY
7.1 FIREWALL & ROUTER CONFIGURATIONS
As stated in Annex
41. POLICIES
7.2 PASSWORDS & SECURITY ADMINISTRATION
• Vendor accounts & defaults removed
• Admin access encrypted
• Configuration security build standards
7.3 CARD DATA STORAGE
• Minimise!
• Data Retention Policy
• Do not store authentication data
7.4 CARD DATA TRANSMISSION
• Encrypted with strong cryptography when sent over open, public networks; never sent unprotected by end-user messaging (email, instant messaging, etc.)
7.5 ANTI-VIRUS MANAGEMENT
• Software on all systems that process, store or transmit card data
7.6 SYSTEM MONITORING
• Quarterly testing for rogue wireless access points
• Implement IDS
• File integrity monitoring
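Policy items 6.3 (minimise holdings), 6.4 (card data asset register) and 7.3 (card data storage) all depend on actually knowing where card data sits, and the HEAD of this deck lists card data discovery as a topic. The following is an added example, not code from the original deck: a small discovery scanner that pulls Luhn-valid primary account numbers and track 2 records out of text (a log file, a database export, a mailbox dump) and reports them masked to first six and last four digits so the finding itself does not become stored cardholder data. The sample log lines and the order/customer field names are constructed for the example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (which would be an ID, not a card number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
# Full track data is sensitive authentication data and must never be stored
# after authorisation, so it is reported as its own finding type.
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test used by card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return (line_no, kind, masked_pan) for each Luhn-valid PAN or track 2 record."""
    findings = []
    for no, line in enumerate(lines, 1):
        seen = set()
        for m in TRACK2.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append((no, "track2", mask_pan(pan)))
                seen.add(pan)
        for m in PAN_CANDIDATE.finditer(line):
            pan = re.sub(r"[ -]", "", m.group(0))
            if pan in seen or not luhn_ok(pan):
                continue        # not a card number, or already reported as track data
            seen.add(pan)
            findings.append((no, "pan", mask_pan(pan)))
    return findings


def scan_text(text: str):
    return scan_lines(text.splitlines())


# Constructed sample: an application log that should contain no card data at all.
# Line 2 holds a 16-digit reference that fails Luhn, line 3 a phone number too
# short to be a PAN; neither should be reported.
SAMPLE_LOG = """\
order=10021 customer=alice card=4111 1111 1111 1111 exp=12/27
order=10022 customer=bob ref=1234567890123456
support ticket: phone 020 7946 0000, amex 378282246310005
legacy dump: ;5555555555554444=27121010000000000000?
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {masked}")
```

Run it over every location on the card data asset register, not just the ones believed to hold card data; the systems that end up in scope unexpectedly are usually logs, backups and support tooling, which is exactly the "Dilemma" posed earlier in the deck.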
42. POLICIES
8. APPLICATION SECURITY
• Software security development lifecycle procedures
• Change control procedures as detailed in Annex
• Patches
• Process to keep up to date with new application threats
9. LOGS & RECORDS
• System logs as detailed in Annex
10. SYSTEM USER SECURITY
• Need to know
• Password
• Screensaver, lock outs
11. PHYSICAL ACCESS CONTROLS
• Facility access control, locks, alarms
• Visitor badging
• Protection of hard copy card data
43. QUIZ 4
1. The Card Data Security Policy only applies to your
employees. True/False?
2. __________ is responsible for 3rd party compliance
verification.
3. Credit and criminal records checks need to be
conducted for all employees. True/False?
4. Identification badges are required for access to any
facility. True/False?
5. This guy uses way too much mousse in his hair.
True/False?
45. CONTROLS
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.
1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network
zone (intranet).
1.1.4 Description of groups, roles and responsibilities for logical management of network components.
1.1.5 Documented list of services/ports necessary for business.
1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP)
and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN). (Note that later versions of
the standard no longer accept SSL or early TLS as strong cryptography, so "SSL" here should be read as current TLS.)
1.1.7 Justification and documentation for any risky protocols allowed - for example, file transfer protocol
(FTP), which includes reason for use of protocol and security features implemented.
1.1.8 Quarterly review of firewall and router rule sets.
1.1.9 Establish configuration standards for routers.
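Controls 1.1.5 through 1.1.8 only work as a set: the documented service list is what the quarterly rule-set review is checked against, and any insecure protocol that appears in the rules needs its own written justification. The following is an added example, not code from the original deck or from any PCI SSC tool: it parses an iptables-save style rule set, compares every ACCEPT rule against a documented services register and a register of justified risky protocols, and reports the three kinds of gap an assessor looks for. The rule lines, the service register and the set of ports treated as risky are constructed assumptions for the example.

```python
import re

# Ports carrying protocols the standard treats as insecure; each one accepted by
# the firewall needs a documented reason and the security features in place (1.1.7).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 512: "rexec", 513: "rlogin", 514: "rsh"}


def _opt(rest: str, flag: str, default=None):
    """Value of a single-argument iptables option such as '-p tcp' or '--dport 443'."""
    m = re.search(rf"(?:^|\s){re.escape(flag)}\s+(\S+)", rest)
    return m.group(1) if m else default


def parse_rules(text: str):
    """Parse iptables-save style '-A CHAIN ...' lines into dicts; skip headers and COMMIT."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"-A\s+(\S+)(.*)$", line.strip())
        if not m:
            continue
        chain, rest = m.groups()
        dport = _opt(rest, "--dport")
        rules.append({
            "chain": chain,
            "proto": _opt(rest, "-p", "all"),
            "dport": int(dport) if dport else None,
            "src": _opt(rest, "-s", "any"),
            "target": _opt(rest, "-j"),
        })
    return rules


def review_rules(rules, documented, justified):
    """Compare ACCEPT rules against the documented service list (1.1.5) and
    risky-protocol justifications (1.1.7).

    Returns sorted (port, finding) tuples:
      undocumented          - port accepted but absent from the services list
      risky-unjustified     - insecure protocol accepted with no written justification
      documented-but-unused - service documented but no rule accepts it (stale list)
    """
    findings = []
    accepted = set()
    for r in rules:
        if r["target"] != "ACCEPT" or r["dport"] is None:
            continue
        port = r["dport"]
        accepted.add(port)
        if port not in documented:
            findings.append((port, "undocumented"))
        if port in RISKY_PORTS and port not in justified:
            findings.append((port, "risky-unjustified"))
    for port in documented:
        if port not in accepted:
            findings.append((port, "documented-but-unused"))
    return sorted(findings)


# Constructed sample rule set and service register for a hypothetical merchant.
SAMPLE_RULES = """\
*filter
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.5.0/24 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 23 -j DROP
-A INPUT -j DROP
COMMIT
"""
DOCUMENTED_SERVICES = {
    443: "HTTPS customer checkout",
    22: "SSH from the admin jump host only",
    8443: "legacy admin console",      # documented, but no longer in the rule set
}
JUSTIFIED_RISKY = {}                   # no FTP justification on file


def quarterly_review():
    return review_rules(parse_rules(SAMPLE_RULES), DOCUMENTED_SERVICES, JUSTIFIED_RISKY)


if __name__ == "__main__":
    for port, finding in quarterly_review():
        print(f"port {port}: {finding}")
```

Each finding maps to a piece of evidence on the next slide: the rule set is the documentation, the service register is what the interview with the administrator is checked against, and the diff between the two is what the observation of the configuration should confirm.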
46. EVIDENCE
Types
• Observation (configuration or process)
• Documentation
• Interview
• Technical (monitoring of network traffic)
Required for each and every control!
47. CONTROLS EXAMPLE
Requirement 1: Install and maintain firewall configuration to protect cardholder data.
1.1 Establish firewall configuration standards that include the following:
1.1.1 A formal process for approving and testing all external network connections and changes to the firewall
configuration.
Observation (configuration)
Observation (process)
Documentation (firewall rule set)
Interview (systems administrator)
Technical (monitoring of network traffic)
48. COMPENSATING CONTROLS
Used only when a specific control cannot be implemented because of a legitimate technical or documented business constraint
Implement “risk-based” supplementary control(s)
Designed for the business
Accepted by the business
Must be accompanied by supporting evidence
Accompanied by supporting processes
49. COMPENSATING CONTROLS
Information required / Explanation / Worked example (Company XYZ)

1. Constraints
   Explanation: List the constraints precluding compliance with the original requirement.
   Example: Company XYZ employs stand-alone Unix servers without LDAP. As such, each one requires a "root" login. It is not possible for Company XYZ to manage the "root" login, nor is it feasible to log all "root" activity by each user.

2. Objective
   Explanation: Define the objective of the original control; identify the objective met by the compensating control.
   Example: The objective of requiring unique logins is twofold. First, sharing login credentials is not considered acceptable from a security perspective. Second, shared logins make it impossible to state definitively that a particular person is responsible for a particular action.

3. Identified risk
   Explanation: Identify any additional risk posed by the lack of the original control.
   Example: Additional risk is introduced to the access control system by not ensuring that all users have a unique ID and can be tracked.

4. Definition of compensating controls
   Explanation: Define the compensating controls and explain how they address the objectives of the original control and the increased risk, if any.
   Example: Company XYZ will require all users to log into the servers from their desktops under their own accounts and obtain root through the su command. su lets a user perform actions under the "root" account while each invocation is written to the su log, so every user's root actions can be traced back to the individual.

5. Validation of compensating controls
   Explanation: Define how the compensating controls were validated and tested.
   Example: Company XYZ demonstrates to the assessor that the su command is being used and that the individuals using it are logged, so that the person performing actions under root privileges can be identified.

6. Maintenance
   Explanation: Define the process and controls in place to maintain the compensating controls.
   Example: Company XYZ documents processes and procedures to ensure su configurations are not changed, altered or removed in any way that would allow individual users to execute root commands without being individually tracked or logged.
50. QUIZ 5
1. Name the four types of evidence generally required.
2. If you cannot implement a control you will fail the
audit. True/False?
3. Compensating controls are _________ based and
must be accepted by ___________________.
4. When designing a compensating control you must
always consider the ____________ objective.
5. If I just nod once in a while, this guy actually
thinks I'm listening to him. True/False?
52. MILESTONES
• Risk-based prioritisation of
implementation of the controls, as
published by the PCI Security
Standards Council (the Prioritized Approach)
• Milestone 1 – identify what you
have, where you have it and write
policies to protect it.
• Milestone 2 – Network integrity
• Milestone 3 – Code integrity
• Milestone 4 – Logs & records
• Milestone 5 – Incidents
• Milestone 6 – Auditing & testing
54. HOW WILL YOU GET THERE?
By starting and maintaining momentum!
Document everything
Monthly Acquirer reports
Quick resolution of questions
Compensating controls
Site visits – practice audits
Disseminating information
58. BUSINESS MESSAGES
Card brand service requirements
Regulatory requirement
Losses impact our clients
Lost client confidence = Lost £
System down time = Lost £
Repair costs = Lost £
Data theft & fraud = Lost £
Reputation losses = Lost £
Fines = Lost £
59. EMPLOYEE
Security of our customer credit card data is critical
to our mission.
We’ve implemented a detailed security program to
protect this data.
Security is your responsibility.
Security is everyone’s responsibility.
Failure to meet this responsibility…
We need your help and suggestions.
60. PARTNER
Protection of our customer data is mission critical to us.
We have implemented a PCI DSS compliance program and are
pending formal certification.
Regulatory compliance is a shared responsibility.
Connectivity to our systems requires compliance with PCI DSS controls as
a condition of contract.
How can we help you?
61. CUSTOMER
We are implementing a PCI DSS compliance program and are pending
formal certification.
We require all of our partners and suppliers to meet PCI DSS controls
We have implemented a rigorous security testing program to ensure the
security integrity of our systems.
Protection of your personal data is critical to our business.
If you have any question regarding our policies – do not hesitate to
contact us.
62. LAST QUIZ
1. Name a business message.
2. Name an employee message.
3. Name a client message.
4. Name a partner message.
5. Name all five members of the original Jackson 5.
64. IF NOTHING ELSE, REMEMBER
PCI DSS is a “risk management framework”
Implementation does not guarantee security
A framework only serves to identify, minimise and
manage the risk of compromise.
At the day’s end - You still own the risk.