This document outlines the key points of a presentation on the Payment Card Industry Data Security Standard (PCI DSS). It introduces PCI DSS and its history, provides definitions of important terminology, describes the 12 requirements of the standard across 6 goals for securing payment card data, and discusses roles and responsibilities for compliance. The presentation covers building a secure network, protecting stored card data, maintaining vulnerability management, access controls, monitoring systems, and security policies.
This document summarizes a presentation on cybersecurity in the cloud. The presentation covered cloud computing definitions and models including SaaS, PaaS, IaaS, and public, private and hybrid clouds. It discussed major cloud vendors like Amazon Web Services, Microsoft Azure, and OpenStack. The presentation addressed security issues in the cloud like outages, data breaches, and regulatory compliance. It emphasized the importance of service level agreements, testing disaster recovery plans, and monitoring metrics when adopting cloud services.
The document discusses security challenges for the Internet of Things (IoT). It notes that IoT involves connecting physical devices to information systems through networks. However, IoT presents security risks like privacy issues, malicious use of devices, ransomware attacks and physical damage. The document outlines various initiatives for improving IoT security from groups like ISO, CSA, OWASP, and governments. It provides 13 steps for developing secure IoT products and discusses principles for vehicle cybersecurity. In summary, the document covers security challenges with IoT, ongoing work to address them, and recommendations for building secure IoT systems.
Chris Swan's presentation from the London Tech Entrepreneurs' Meetup (Cohesive Networks)
OCIE will be conducting examinations of over 50 registered broker-dealers and investment advisers, focusing on cybersecurity preparedness. It provides a sample cybersecurity document request for firms to assess their preparedness. The VNS3 security appliance protects cloud applications from exploitation by creating unique encrypted overlays for each application, reducing east-west risk even if initial penetration occurs. It allows customers to secure applications deployed to public, private or hybrid clouds.
The document discusses security issues with IoT devices. It defines IoT as interconnected devices that transfer data over a network without human interaction. It outlines risks like a lack of authentication, encryption, and vulnerabilities that could allow unauthorized access to personal data or critical infrastructure. The document also notes that IoT devices are increasingly being used in cyber attacks and that security standards need to evolve as more things become connected.
An Internet of Things Reference Architecture (Symantec)
The Internet of Things (IoT) already helps billions of people. Thousands of smart, connected devices deliver new experiences to people throughout the world, lowering costs, sometimes by billions of dollars. Examples include connected cars, robotic manufacturing, smarter medical equipment, smart grid, and countless industrial control systems. Unfortunately, this growth in connected devices brings increased security risks. Threats quickly evolve to target this rich and vulnerable landscape. Serious risks include physical harm to people, prolonged downtime, and damage to equipment such as pipelines, blast furnaces, and power generation facilities. As several such facilities and IoT systems have already been attacked and materially damaged, security must now be an essential consideration for anyone making or operating IoT devices or systems, particularly for the industrial Internet.
This document discusses IoT security challenges and ForeScout's approach to addressing them. It begins with an overview of exponential IoT growth and the fragmented IoT landscape. It then discusses the major IoT security threats around lack of visibility and control of devices. The rest of the document focuses on ForeScout's agentless approach to continuous device discovery, classification, and policy-based segmentation and remediation to enhance IoT security.
CABA Whitepaper - Cybersecurity in Smart Buildings (Iron Mountain)
This document discusses cybersecurity considerations for smart building automation systems. It begins by explaining why cybersecurity is necessary as buildings become more connected and integrated. It then discusses that facilities managers should work with IT professionals to manage cybersecurity, as the building automation system now encompasses both facilities and IT aspects. The document provides an overview of cybersecurity layers including identity validation, endpoint device security, and network security. It gives recommendations in each area to help secure smart building systems from potential cyber threats.
The session will highlight Intel’s vision for IoT Security and the fundamental building blocks and capabilities Intel and the ecosystem are providing to organizations to build security in from design through deployment and maintenance.
Watch this previously recorded webinar event with special guest Karthik Sundaram of Frost & Sullivan as he expands on his recently published research, “Cybersecurity in the Era of Industrial IoT”. Leveraging insights from actual use cases, new policy initiatives, and available solutions, the research explores cybersecurity approaches, including a deep dive into the concept of “defense-in-depth” and its implications for a converged IT-OT environment in the future.
In today's world we see continuous change. The number of remote users is growing, and end users expect more, and faster, responses from the IT department. How do you deal with that today?
How does Ivanti view this, and how do we tackle today's challenges with an eye on the future?
Join us to get acquainted with Ivanti's MSP offering, based on existing use cases.
This is a talk which I gave to the Brighton IoT Forum on 23/03/2016. It looks at the challenges of scaling IoT security from the perspective of protection of critical national infrastructure from cyber-attack. It then compares this to the security scaling challenges of a small startup business with a great product idea. The presentation concludes that there are similarities between both 'micro' and 'macro' IoT scaling scenarios. In both cases it is essential to cultivate a 'security mindset'.
This blog presentation discusses the growing significance of IoT Security Testing in a world where billions of devices are getting connected via the Internet of Things.
Augmate is developing a device management platform called Augmate Connect that uses blockchain technology to securely manage IoT and wearable devices. The platform provides decentralized identity, access control, data security and software updates through blockchain and smart contracts. This improves on vulnerable centralized IoT architectures. Augmate is launching a token called MATE to power the platform and support an ecosystem of users, developers and partners. The goal is for Augmate Connect to become the leading solution for managing the billions of IoT devices that will be connected in the coming years.
IIoT solutions are providing operators with massive volumes of data while making it easier to apply them to improvements in quality and efficiency. However, the cybersecurity risk to IIoT solutions is often overlooked. Many IIoT devices reside on networks that use open connections such as Wi-Fi, cellular, or satellite. Those could inadvertently increase an ICS threat surface.
Participants in this session will learn how to configure new and existing IIoT devices in a manner that will continue providing the value of the IIoT solution while reducing the exposure to cyberattacks. Guidelines will also be provided for IIoT devices that do provide inherent security configuration options.
The document discusses six key steps that companies should take to secure their Internet of Things (IoT) initiatives and businesses. These include: 1) adopting a comprehensive security framework and strategy; 2) conducting a full audit of current and potential security risks within IoT projects; 3) building security into IoT devices and processes early in development; 4) mobilizing the entire workforce to support IoT security; 5) ensuring partners meet rigorous security standards; and 6) rethinking the role of IT to support security across the business in the context of IoT. Taking these steps with executive support is important to manage the security risks that accompany the large opportunities presented by IoT technologies.
The document discusses the size and growth of the Internet of Things market. It is projected to have a compound annual growth rate of 35% from 2013 to 2020. While consumer IoT devices will surpass commercial devices in the near term, commercial applications are expected to dominate the long-term IoT market. The document also outlines considerations for building an Internet of Everything system, including bridging information technology and operational technology, handling large volumes of data through edge computing, and providing analytics capabilities.
The document discusses cybersecurity challenges related to IoT. It outlines several security incidents involving IoT devices over time. It then discusses inherent security challenges for IoT, including threats from advanced persistent threats, cyber terrorism, and compromised supply chains. The document also summarizes statistics on IoT security concerns and vulnerabilities. It identifies top vulnerabilities according to OWASP and discusses how to secure IoT in different domains like smart cities and homes.
Ivanti security experts discuss the FireEye breach and how further investigation uncovered the much larger SolarWinds breach.
Find Ivanti's official statement on the FireEye and SolarWinds security incidents here: https://www.ivanti.com/blog/official-statement-on-solarwinds-and-fireeye-security-incidents
Protect Your Organization with Multi-Layered Approach to Anti-Phishing (Ivanti)
The document discusses implementing a multi-layered approach to anti-phishing protection for organizations. It recommends using both Unified Endpoint Management (UEM) and Mobile Threat Defense (MTD) together to secure mobile devices and protect against phishing attacks. UEM provides features like access controls and policy enforcement while MTD provides on-device detection and remediation for threats. It also recommends using Zero Sign-on (ZSO) to eliminate passwords and prevent credential theft. The key is implementing a multi-tier security strategy using UEM, MTD, and ZSO for complete mobile phishing protection.
As the need for digital transformation continues, IoT development and adoption for both enterprises and consumers are also on the rise. One of the main challenges in allowing multiple device connectivity is cybersecurity. Here are the challenges enterprises are facing when ensuring security for their IoT connections.
This document summarizes the State of the OpenCloud 2020 presentation by Dharmesh Thakker, Chiraag Deora, Danel Dayan, and Jason Mendel of Battery Ventures. It discusses how COVID-19 has accelerated cloud adoption and digital transformation. Cloud infrastructure markets are larger than expected, with cloud penetration still in early stages. Software performance is at historical highs due to increased cloud usage. Cloud-native infrastructure companies are creating value at an unprecedented pace compared to previous generations of infrastructure companies. Themes of interest discussed include opportunities around automation of testing and security in the development lifecycle, as well as unification of data platforms.
This document discusses Augmate's solution for managing IoT devices called Augmate Connect. It summarizes that (1) Augmate Connect uses a decentralized architecture and blockchain to securely manage the growing number of IoT devices in a way that addresses issues like single points of failure, (2) It allows for human-to-machine and machine-to-machine policies and governance of devices through features like identity management, data security, and software updates, and (3) Augmate plans to use its MATE token for access, transactions, and rewarding users on its platform.
Companies are developing their internal IoT security capabilities as they progress with IoT adoption in order to address lingering security concerns. While basic security issues like default passwords continue to put IoT devices at risk, more mature adopters are now enforcing stricter security specifications for devices and treating IoT security like corporate IT security through practices such as network segmentation, access controls and training users. Experts recommend that rather than fearing IoT, companies should find ways to benefit from it by developing internal expertise to ensure their IoT use is secure.
The document discusses cybersecurity issues related to critical infrastructure sectors. It notes that there are 16 critical infrastructure sectors designated by the US Department of Homeland Security that are vital to national security and safety. These sectors include chemical, communications, dams, emergency services, financial services, government facilities, information technology, transportation, and others. The document expresses concern about the lack of security for industrial control systems and SCADA systems that monitor and control critical infrastructure. It provides examples of past cyber attacks on these systems and notes that the majority of attacks in 2014 targeted advanced persistent threats. The document concludes that as industrial systems increasingly connect to the internet and migrate to web-based interfaces, they represent a growing security risk due to vulnerabilities.
Risk Management Practices for PCI DSS 2.0 (Ulf Mattsson)
This document discusses risk management practices for PCI DSS 2.0 and describes how tokenization can help organizations comply with PCI standards. It provides an overview of recent data breaches, reviews current data security methods and emerging technologies. Tokenization hides sensitive data by replacing it with surrogate values called tokens. When used properly, tokenization can reduce the scope of PCI audits and lower an organization's risk and costs of a data breach by protecting cardholder data throughout its lifecycle.
This document outlines the benefits of outsourcing cybersecurity services to Syrinx Technologies through their Virtual CSO program. It discusses common security roadblocks organizations face related to cost, policy implementation, and risk perception. The Virtual CSO program provides business benefits like flexibility and no payroll costs, and technical benefits such as policy development, penetration testing, security awareness training, and compliance consulting. Clients can customize their solutions to fit their budgets. The summary encourages organizations to assess their security needs and work with Syrinx Technologies to develop an action plan and yearly program.
This document summarizes a presentation on regulations updates and penetration testing. The presentation covered recent changes to regulations like the ID Theft Red Flags Rule and PCI standards. It discussed why organizations should perform penetration tests, including to satisfy legal requirements and improve security. Potential vulnerabilities to check for were provided, like default passwords. The presentation included case studies of penetration tests performed and how access was gained through issues like unpatched systems. It emphasized that many security issues can be addressed through better password management, policies and procedures, and patch management.
The document provides an overview of the Payment Card Industry Data Security Standard (PCI DSS). It discusses what PCI compliance is and why it is important. It outlines the goals and 12 requirements of the PCI DSS, including building a secure network, protecting cardholder data, maintaining vulnerability management, access control measures, monitoring networks, and maintaining an information security policy. It also discusses how to achieve and maintain compliance to avoid fines. The document provides information on PCI compliance requirements, processes, policies, controls, project management, and key messages around PCI.
This document discusses IBM DataPower PCI solutions. It provides an overview of the Payment Card Industry Data Security Standard (PCI DSS) and its requirements. It then describes how IBM DataPower appliances can help organizations meet many of the PCI DSS requirements by providing functions like firewalling, encryption, access control, logging, and security policy management. The document also highlights some of DataPower's key products and capabilities for PCI compliance, and provides contact information for the IBM sales representative.
Visit - https://www.controlcase.com/certifications/
ControlCase discusses the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
This webinar discusses PCI DSS compliance and how ControlCase can help organizations achieve and maintain compliance. It covers the basics of PCI DSS including the six principles and twelve requirements. It then outlines how ControlCase uses automation, continuous compliance management, and their One Audit approach to assess multiple standards at once to help clients comply in a cost-effective way. The webinar emphasizes that ControlCase can significantly reduce the effort and resources needed for PCI compliance.
PCI DSS is a security standard for payment card data that provides requirements for technical and operational security. Compliance is important to avoid consequences of a data breach like regulatory fines and loss of customers. The standard applies to any entity that stores, processes, or transmits cardholder data. It aims to protect data through requirements around firewalls, encryption, access control, vulnerability management, and more. The PCI Security Standards Council maintains and enhances PCI DSS and other standards for payment security.
“Understanding PCI DSS and PA DSS is crucial to the role of a penetration tester. Quoting the relevant PCI-DSS or PA-DSS control reference for your findings would help demonstrate the proper risk arising from common security findings such as support of older SSL versions, weak encryption when storing cardholder data, lack of proper logs from the application, and of course the entire gamut of web application security bugs”.
This document provides an overview of PCI DSS and PA DSS compliance standards. It discusses key requirements around network segmentation, penetration testing, and protecting stored cardholder data. It also covers topics like card data discovery, assessing data in memory, and the importance of regularly updating the scope of assessments to identify any cardholder data that is not within the defined environment. The presenter provides examples of how to pass segmentation testing and discusses various methods for conducting card data discovery across files, databases, and other systems.
Performing PCI DSS Assessments Using Zero Trust Principles (ControlCase)
- PCI DSS Requirements & Secure Remote Working
- Assessments In Work From Home (WFH) Scenario
- Remote Security Testing
- Key Aspects For Remote Assessments
The Payment Card Industry Data Security Standard leaves IT service providers with more questions than answers. Get an overview of PCI DSS, what it means for MSPs and VARs, and get a list of resources to learn more and achieve compliance for your own organization and clients.
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet (SafeNet)
To ensure their compliance with the PCI Data Security Standard, many businesses have turned to SafeNet technology for a solution. To meet these demands, SafeNet offers a range of products, proprietary and through partner alliance. SafeNet, a global leader in information security, provides the industry’s most comprehensive range of solutions to help companies achieve compliance with the PCI Data Security Standard. Through its own proven set of products, along with an extensive partner network, SafeNet can provide merchants with the assurance that sensitive and valuable cardholder information is protected from all types of threats, and that regulatory compliance is not only being met, but exceeded.
PCI compliance is important for businesses that handle credit card data to protect against data breaches and fines. The webinar discusses PCI compliance requirements and controls, including understanding what PCI is, identifying risks to card data, and how to achieve and maintain compliance. It also explains how PCI was established in response to lawsuits against businesses that experienced data breaches, and details the six goals and twelve requirements that make up the PCI Data Security Standard.
Cisco Connect Toronto 2018 DNA assurance (Cisco Canada)
The document discusses Cisco's DNA Assurance solution. It provides an agenda that covers business requirements, context, learning, user requirements, technology requirements, and the various components of DNA Assurance including client assurance, network assurance, application assurance, and machine learning. It discusses challenges around network operations including time spent troubleshooting and replicating issues. It also covers how DNA Assurance uses concepts like context, learning, and design thinking to provide insights and automate remediation.
PCI standards, from participation to implementation and review (isc2-hellenic)
The document provides an overview of the PCI Data Security Standard (PCI DSS) including:
- The goals of PCI DSS which are to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
- The twelve requirements of PCI DSS which are organized under these six goals.
- An introduction to the PCI Council which developed and manages the PCI DSS standard.
The document discusses PCI DSS compliance and maintaining ongoing compliance. It describes PCI DSS as a security standard developed by payment brands to ensure payment data security. Achieving and maintaining PCI compliance can be challenging due to evolving threats, technologies, and requirements. Outsourcing compliance tasks to an expert partner can help organizations adapt to changes and maintain ongoing compliance in a cost-effective manner.
This document provides an introduction to PCI-DSS (Payment Card Industry Data Security Standard). It defines key terms like PCI, cardholder data, and sensitive authentication data. It explains why PCI security standards are important to protect payment card data and prevent fraud. The document outlines the six goals and twelve requirements of PCI-DSS, as well as introducing PA-DSS which focuses on developing secure payment applications. It provides instructions on determining an organization's PCI compliance level and selecting the appropriate Self Assessment Questionnaire.
This presentation covers PCI DSS-related myths and misconceptions that are common among some merchants and other organizations dealing with PCI DSS challenges. Mistakes related to technical and process side of PCI, self-assessment and audits as well as PCI validation requirements will be discussed. The information will be useful to all merchants dealing with credit card information and thus struggling with PCI DSS mandates.
Not Just a necessary evil, it’s good for business: implementing PCI DSS contr... (DataWorks Summit)
For firms in the financial industry, especially within regulated organizations such as credit card processors and banks, PCI DSS compliance has become a business and operational necessity. Although the blueprint of a PCI-compliant architecture varies from organization to organization, the mixture of modern Hadoop-based data lakes and legacy systems are a common theme.
In this talk, we will discuss recent updates to PCI DSS and how significant portions of PCI DSS compliance controls can be achieved using the open source Hadoop security stack and technologies for the Hadoop ecosystem. We will provide a broad overview of implementing key aspects of PCI DSS standards at WorldPay such as encryption management, data protection with anonymization, separation of duties, and deployment considerations regarding securing the Hadoop clusters at the network layer from a practitioner’s perspective. The talk will provide patterns and practices that map current Hadoop security capabilities to the security controls that a PCI-compliant environment requires.
Speaker
David Walker, Enterprise Data Platform Programme Director, Worldpay
Srikanth Venkat, Senior Director Product Management, Hortonworks
Data Works Berlin 2018 - Worldpay - PCI Compliance (David Walker)
A presentation from the Data Works conference in 2018 that looks at how Worldpay, a major payments provider, deployed a secure Hadoop cluster in order to meet business requirements and in the process became one of the few fully certified PCI compliant clusters in the world.
2. Introduction
Why the Need
History of PCI
Terminology
The Current Standard
Who Must Be Compliant and When
What Makes this Standard Different
Roadmap to Compliance
So Why Care
Product Offerings
Final Thoughts
Additional Information
Questions
Copyright 2008 Syrinx Technologies 2
3. Biography
B.S. – Information Systems – VCU
M.S. – Computer Science – VCU
CCIE, CISSP
Former CCNA Instructor at John Tyler & J. Sargeant Reynolds Community Colleges
Current President, Syrinx Technologies LLC
4. Some famous companies in the news:
Bank of America
BJ’s Wholesale Club
CardSystems Solutions
Choicepoint
Citigroup
DSW
Hotels.com
LexisNexis
Polo Ralph Lauren
Wachovia
Forever 21
Home Depot
TJX
7. Sometime after 2000 the various credit card companies began thinking of ways to better protect cardholder data
In June of 2001, VISA implemented the Cardholder Information Security Program (CISP)
This program became known as the VISA Digital Dozen, since it had 12 areas of compliance
In typical fashion, other credit card companies also introduced their own standards
8. In 2004, the CISP requirements were incorporated into an industry standard known as the Payment Card Industry (PCI) Data Security Standard (DSS), resulting from a cooperative effort between Visa and MasterCard to create common industry security requirements
Effective September 7, 2006, the PCI Security Standards Council (SSC) owns, maintains and distributes the PCI DSS and all its supporting documents
9. A horse by any other name:
American Express – Data Security Operating Policy
Discover – Discover Information Security & Compliance
JCB – JCB Data Security Program
MasterCard – Site Data Protection
VISA – Cardholder Information Security Program
10. Revision History of DSS Standard
Published January 2005
Version 1.1 released Sept 7, 2006
Version 1.2 released October 1, 2008
Self Assessment Questionnaire (SAQ)
Version 1.1 released on February 6, 2008 and became effective on April 30, 2008
11. Acquirer – Bankcard association member that initiates and maintains relationships with merchants that accept payment cards. Examples include Bank of America and WAMU.
Approved Scanning Vendor (ASV) – Company authorized to provide quarterly scans.
Cardholder – Customer to whom a card is issued or individual authorized to use the card.
Cardholder data – Full magnetic stripe or the PAN plus any of the following:
Cardholder name
Expiration date
Service Code
12. Card Validation Value or Code –
Data element on a card's magnetic stripe that uses a secure cryptographic process to protect data integrity on the stripe.
The three-digit value printed to the right of the credit card number in the signature panel area on the back of the card.
Hosting Provider – Offers various services to merchants and other service providers. Services range from shared space on a server to a whole range of “shopping cart” options.
13. Magnetic Stripe Data (Track Data) – Data encoded in the magnetic stripe used for authorization during transactions when the card is presented.
Merchant – Sells goods and maintains systems that store, process or transmit cardholder data.
PAN – Primary Account Number is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account.
14. Qualified Security Assessor (QSA) – Company authorized to perform yearly audits.
Service Provider – Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage or transmission of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers.
15. Key Point – PCI is a standard, not a regulation.
The rule is simple: if you process, store or transmit cardholder data you must be compliant.
6 goals, 12 requirements
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
16. Goal 1: Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
17. Goal 1: Build and Maintain a Secure Network
1.1.1 – Formal process to test and approve all changes to router and firewall configurations.
1.1.2 – Current network diagram with all connections to cardholder data.
1.1.6 – Review firewall and router rule sets every six months.
1.2.3 – Install perimeter firewalls between wireless networks and cardholder data networks.
18. Goal 1: Build and Maintain a Secure Network
2.1 – Always change vendor-supplied defaults before installing a system on the network.
2.2 – Develop configuration standards for all system components.
2.2.1 – Implement only one primary function per server.
2.3 – Encrypt all non-console administrative access.
19. Goal 2: Protect Cardholder Data
Requirement 3: Protect stored cardholder data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
20. Goal 2: Protect Cardholder Data
3.2 – Do not store sensitive authentication data even if encrypted.
3.2.2 – Do not store the CVV. Ever.
3.3 – Mask PAN when displayed (first 6/last 4).
3.4.1 – Disk encryption cannot be tied to local operating system accounts.
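As an added example (not from the Syrinx deck), the following Python shows one way to apply the 3.3 mask and to check output such as application logs for the data that 3.2.2 and 3.4 say must never sit in the clear; the log lines, field names and test PANs are constructed.

```python
"""Added example (not from the Syrinx deck): PAN masking for requirement 3.3
(first 6 / last 4) plus a scan of constructed log lines for unmasked PANs and
CVV values, the kind of data requirements 3.2.2 and 3.4 say must never appear
in clear text in stored output."""
import re

# Digit runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Key/value forms such as "cvv=123" or "CVC2: 1234" (constructed field names).
CVV_FIELD = re.compile(r"\bcv[cv]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check that every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return each Luhn-valid 13-19 digit run in text (a PAN discovery heuristic).

    Luhn still passes roughly one random digit run in ten, so treat hits as
    leads to verify, not as proof of a leak.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_log_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Report (1-based line number, finding) for every line that exposes a PAN or CVV."""
    findings = []
    for n, line in enumerate(lines, start=1):
        if find_unmasked_pans(line):
            findings.append((n, "pan"))
        if CVV_FIELD.search(line):
            findings.append((n, "cvv"))
    return findings


# Constructed sample log lines; the PANs are the public 4111... and 3782... test numbers.
SAMPLE_LOG = [
    "2008-10-01 12:00:01 order=1001 pan=411111******1111 amount=19.99",
    "2008-10-01 12:00:02 order=1002 pan=4111 1111 1111 1111 amount=5.00",
    "2008-10-01 12:00:03 order=1003 pan=378282246310005 cvv=123",
    "2008-10-01 12:00:04 order=1004 ref=1234567890123 status=ok",
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))  # 411111******1111
    for n, kind in audit_log_lines(SAMPLE_LOG):
        print(f"line {n}: unprotected {kind}")
```

Line 4 is not reported because its 13-digit reference number fails the Luhn check, which is what keeps order numbers and timestamps out of the findings.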
21. Goal 2: Protect Cardholder Data
4.1 – Use strong cryptography and protocols such as SSL/IPSEC when transmitting data over open, public networks.
Internet, wireless, GSM, GPRS
4.1.1 – For wireless networks, strong encryption must be used.
For new wireless networks, WEP is prohibited after March 31, 2009.
For current wireless networks, WEP is prohibited after June 30, 2010.
22. Goal 3: Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
Requirement 6: Develop and maintain secure systems and applications.
23. Goal 3: Maintain a Vulnerability Management Program
5.1 – Anti-virus software must be installed on all systems affected by malicious software.
5.2 – Ensure that all virus signatures are current and the software is capable of generating audit logs.
5.2.b – The master installation of the software must be enabled for automatic updates and periodic scans.
24. Goal 3: Maintain a Vulnerability Management Program
6.1 – Ensure all systems have the latest vendor-supplied security patches. Install critical security patches within one month of release.
6.2 – Establish a process to identify newly discovered vulnerabilities.
6.3.2 – Separate development/test and production.
25. Goal 3: Maintain a Vulnerability Management Program
6.3.6 – Removal of custom application accounts, user IDs and passwords before the application becomes active.
6.5 – Develop web apps based on secure coding guidelines such as OWASP.
6.6 – For public-facing web apps, one of the following:
Review web applications via manual or automated application vulnerability security assessment tools.
Install a web-application firewall in front of the web server.
26. Goal 4: Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
Requirement 8: Assign a unique ID to each person with computer access.
Requirement 9: Restrict physical access to cardholder data.
27. Goal 4: Implement Strong Access Control Measures
7.1.3 – Requirement for an authorization form signed by management that specifies required privileges.
8.1 – Assign all users a unique ID.
8.3 – Use two-factor authentication for remote access to the network.
8.4 – Render all passwords unreadable during transmission and storage using strong cryptography.
28. Goal 4: Implement Strong Access Control Measures
8.5.2 – Verify user identity before performing password resets.
8.5.4 – Immediately revoke access for any terminated users.
8.5.6 – Enable accounts used by vendors for remote maintenance only during the time period needed.
8.5.16 – Authenticate all access to any database containing cardholder data.
29. Goal 4: Implement Strong Access Control Measures
9.1.1 – Use video cameras or other access control mechanisms to monitor individual physical access. Store for at least 3 months, unless otherwise restricted by law.
9.1.2 – Restrict physical access to publicly accessible network jacks.
30. Goal 5: Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data.
Requirement 11: Regularly test security systems and processes.
31. Goal 5: Regularly Monitor and Test Networks
10.1 – Establish a process for linking all access to system components to each individual user.
10.2 – Implement automated audit trails for all system components.
10.4 – Synchronize all critical system clocks and times.
10.6 – Review logs for all system components at least daily.
32. Goal 5: Regularly Monitor and Test Networks
11.1 – Test for the presence of wireless access points at least quarterly or deploy a wireless IDS/IPS.
11.2 – Run internal and external network vulnerability scans at least quarterly.
Must be performed by an ASV.
11.3 – Perform external and internal penetration testing at least once a year.
Network and application-layer testing.
Internal or external resources. ASV not required.
33. Goal 5: Regularly Monitor and Test Networks
11.4 – Use IDS and/or IPS systems to monitor all traffic in the cardholder data environment.
11.5 – Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files or content files. Perform file comparisons at least weekly.
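An added example, not part of the original deck, of the file-comparison idea behind 11.5: hash a baseline of files, store it, and report anything added, removed or modified on a later run; the directory layout and file names are constructed.

```python
"""Added example (not from the Syrinx deck): a minimal file-integrity monitor in
the spirit of requirement 11.5. It records a SHA-256 baseline for every file
under a directory and, on a later run, reports files added, removed or changed.
The demo builds its own throwaway directory, so it runs offline."""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify the differences between a stored baseline and a fresh snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    # Keep the stored baseline outside the monitored tree and on read-only or
    # off-host storage: a baseline an intruder can rewrite detects nothing.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def demo() -> dict[str, list[str]]:
    """Create a toy tree, baseline it, simulate unauthorized changes, report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "cde-host"  # constructed stand-in for a CDE server
        (root / "etc").mkdir(parents=True)
        (root / "htdocs").mkdir()
        (root / "etc" / "firewall.rules").write_text("allow 10.1.0.0/16 -> db:1433\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "htdocs" / "checkout.html").write_text("<form>...</form>\n")

        store = Path(tmp) / "baseline.json"  # in practice: off-host, write-protected
        save_baseline(build_baseline(root), store)

        # Simulated changes that the weekly (or continuous) comparison should flag.
        (root / "etc" / "firewall.rules").write_text("allow 0.0.0.0/0 -> db:1433\n")
        (root / "etc" / "sshd_config").unlink()
        (root / "htdocs" / "unexpected.js").write_text("// constructed placeholder\n")

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```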
34. Goal 6: Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security.
35. Goal 6: Maintain an Information Security Policy
12.1 – Establish, publish, maintain and disseminate a security policy.
12.1.3 – Includes a review at least once a year and updates when the environment changes.
12.3.10 – When accessing cardholder data via remote-access, prohibit copy, move and storage of cardholder data onto local hard drives and removable media.
36. Goal 6: Maintain an Information Security Policy
12.6 – Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
12.8.2 – Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data.
12.9 – Implement an incident response plan. Be prepared to respond immediately to a system breach.
37.
Card Vendor       Merchant Level       Compliance Date
American Express  1                    10/31/2006
American Express  2                    3/31/2007
American Express  3                    N/A
Discover          Use PCI DSS Levels   Use PCI DSS dates
41. Not a lot of ambiguity.
Calls for specific Information Security technologies.
The penalties are real and have been applied, up to $25K/month.
Regularly scheduled checks to ensure continued compliance.
42. Obtain upper management support
Assign overall ownership of compliance efforts
Develop realistic expectations
Map data flows and identify critical devices
Perform a gap analysis
Select and implement security controls
Document everything
Understand that compliance is a process
43. So, as a technology geek why should you care?
$25K/month fines could severely reduce your toys and training budget = less fun at work
You finally get to implement all the cool stuff you’ve been begging for = better resume = more money at your next job
It’s going to make your overall network and systems more secure = fewer problems and late night pages
44. Lots of vendors offer products to fill one or more of the requirements
There is no magic silver appliance
Full compliance usually requires a combination of different vendors' products
Some requirements can be fulfilled by open source products
Go simple when possible
46. PCI Compliance != Enterprise Security
Best Western – 8-13 million credit cards
Hannaford Groceries – 4.2 million credit cards
2 lawsuits
Forever 21 – 98,000 credit cards
Texas HB 3222 – Banks and credit unions can recoup costs for re-issuing credit cards if the merchant isn’t PCI compliant. Other states will inevitably follow.
47. PCI Security Standards
American Express Data Security
Discover Information Security & Compliance
JCB Global Site
MasterCard Site Data Protection Program
VISA Cardholder Information Security Program (CISP)