PCI PIN Security Requirements provide guidelines on protecting PINs during offline and online transactions at ATMs and POS terminals. This standard has significant overlaps with PCI DSS, POS management and HSM utilization in a secure card environment.
This talk was presented at the NULL Delhi chapter meet in 2014 as an insight into the world of PCI (Payment Card Industry) and the 12 requirements of PCI DSS.
Topics Covered In Webinar
Basics of PCI DSS
Lifecycle changes to PCI DSS
Evolution of PCI DSS Version 1.1 to version 3.21
Introduction of PCI DSS 4.0
PCI DSS 4.0 Implementation Timeline
Upgrading from PCI DSS 3.21 to PCI DSS 4.0
Key changes anticipated in the latest PCI DSS 4.0
This document discusses ControlCase, a company that provides IT compliance certification and continuous compliance services. It aims to help clients go beyond checklists to more efficiently achieve and maintain compliance certifications. The webinar agenda includes introductions to PCI PIN security standards and certification processes. Common challenges with PIN security compliance are also reviewed, such as system compliance, key management, policies and training. ControlCase claims it can help clients cut audit preparation time by 70% through its expertise, automation tools, and continuous compliance monitoring services.
This document summarizes updates to CompTIA A+, Network+, and Security+ certification exams. It discusses the addition of performance-based questions to these exams starting in late 2012/early 2013. These will involve simulated environments to test hands-on troubleshooting skills, and will reduce the number of multiple choice questions. The goal is for the exams to better measure practical skills required for IT jobs.
ISO 27001 is an information security standard that specifies requirements for an information security management system (ISMS). It contains 11 domains that describe 133 controls/countermeasures to manage vulnerabilities and threats to information. An organization implements an ISMS based on the Plan-Do-Check-Act cycle to establish, operate, monitor, maintain, and improve their information security system over time.
Privacy is a growing concern in today’s compliance environment.
Existing and new requirements continue to push for organizations to properly address their privacy risk.
As a cloud provider, there is no better way to help ensure that an organization is serious about their customers and their customers’ data than to include the control requirements from ISO 27018 into their compliance stack.
This document provides a quick reference guide to understanding the Payment Card Industry Data Security Standard version 3.1. It contains an overview of PCI requirements including building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access controls, regularly monitoring networks, and maintaining an information security policy. It also provides security controls and processes for each PCI DSS requirement to help entities protect payment card data.
This document discusses different methods for key management in cryptography:
1. Fixed key - A single key is physically loaded onto a client device and used for all encryptions. The key must be replaced if compromised.
2. Master/session key - A master key is shared between host and client beforehand. The host generates session keys and encrypts them with the master key before each transaction.
3. DUKPT - The host holds a base derivation key (BDK) used to generate an initial PIN encryption key (IPEK) that is injected into the client. The client then derives future keys for encrypting data and replaces each key once it has been used. The host decrypts by recalculating the keys from identifiers transmitted with the transaction.
The document discusses the Payment Card Industry Data Security Standard (PCI-DSS). It provides a brief history of credit cards and the PCI oversight council. It then explains what constitutes cardholder data and outlines the payment transaction cycle. Finally, it summarizes the key sections and requirements of the PCI-DSS, including installing firewalls, defining the scope of assessments, transitioning away from SSL/TLS, enforcing multi-factor authentication, implementing change management controls, and oversight of service providers.
BATbern48_How Zero Trust can help your organisation keep safe.pdf (BATbern)
This presentation will bring insights into how the Zero Trust framework can help organizations improve their cybersecurity posture and resilience and what the organizational challenges are.
Hosted by Alan Calder, CEO and founder of Vigilant Software and an acknowledged information security risk assessment and management thought leader, this presentation explains and discusses: What is information security? What is an information security management system (ISMS)? What is ISO 27001? Why should I and my organisation care about ISO 27001?
Rahul Khengare gave a presentation on the CIS Security Benchmark to the DevOps-Pune Meetup Group. The agenda included an introduction to the CIS Benchmark, a discussion of the need for compliance, and a demonstration of automation tools. The CIS Benchmark provides consensus-based security configuration guides for technologies including cloud platforms, operating systems, containers, and SaaS products. It defines policies across categories such as identity and access management, logging, and networking. Open source tools like Prowler and Cloudneeti can be used to automate compliance checks against the CIS Benchmark.
Privacy Trends: Key practical steps on ISO/IEC 27701:2019 implementation (PECB)
In this session, we will go through ISO/IEC 27701 and ISO/IEC 27001 key practical implementation steps and how they can help you to be compliant with the GDPR.
Our presenters, Peter Geelen and Stefan Mathuvis, will guide you through the implementer tasks with practical hints and tips and show you how an auditor will look at your implementation, searching for evidence and compliance.
In addition, we will match the ISO/IEC 27(7)01 requirements to complete the GDPR obligations as far as possible.
The tasks range from executive management and privacy policies, through handling notifications, setting up awareness programs, controlling user access requests and vendor management, to incident management (data breaches) and continuous updates.
The webinar will cover:
• Quick recap on general ISO components and approach
• Implementing ISO/IEC 27001 with the ISO/IEC 27701 extension for GDPR compliance
• Do's and don’ts for implementation and audit
• The importance of evidence in the audit
• Managing audit expectations and the never-ending audit cycle
Recorded webinar: https://youtu.be/HL-VUiCj4Ew
This document provides an introduction to PCI-DSS (Payment Card Industry Data Security Standard). It defines key terms like PCI, cardholder data, and sensitive authentication data. It explains why PCI security standards are important to protect payment card data and prevent fraud. The document outlines the six goals and twelve requirements of PCI-DSS, as well as introducing PA-DSS which focuses on developing secure payment applications. It provides instructions on determining an organization's PCI compliance level and selecting the appropriate Self Assessment Questionnaire.
This document presents a webinar on the PCI DSS v4.0 update. It includes an introduction by the speaker Andrés Gutiérrez of ControlCase, followed by an agenda covering PCI DSS, its history and notable changes in version 4.0, such as updates to the titles of the 12 requirements and new requirements on passwords and multi-factor authentication.
This document provides a checklist of 42 documents needed for ISO 27001:2013 certification. It lists each document name, the relevant ISO 27001 clauses, and whether the document is mandatory. Key mandatory documents include the information security policy, risk assessment and treatment documents, statement of applicability, and procedures for internal auditing, management review, corrective action, and incident management. The order of creating documents is defined by the risk treatment plan.
The document discusses two-factor authentication (2FA) as a more secure alternative to single-factor authentication using just a username and password. 2FA provides an additional layer of security beyond just one credential by requiring two separate factors, such as something you know (a password) plus something you have (a token, smart card, or biometrics). While 2FA is more secure, it can also be slower and require the user to have their second authentication factor available at all times. Popular services like Facebook and Dropbox have implemented 2FA options to better protect user accounts and data.
This webinar discusses PCI DSS compliance and how ControlCase can help organizations achieve and maintain compliance. It covers the basics of PCI DSS including the six principles and twelve requirements. It then outlines how ControlCase uses automation, continuous compliance management, and their One Audit approach to assess multiple standards at once to help clients comply in a cost-effective way. The webinar emphasizes that ControlCase can significantly reduce the effort and resources needed for PCI compliance.
BATbern48_Zero Trust Architektur des ISC-EJPD.pdf (BATbern)
The Zero Trust model is a security concept based on the principle of trusting no device, user or service inside or outside one's own network. This concept has been actively implemented at the EJPD since 2003, when the SSO portal was introduced.
The document outlines a cybersecurity reference architecture that provides:
1. Active threat detection across identity, apps, infrastructure, and devices using tools like Azure Security Center, Windows Defender ATP, and Enterprise Threat Detection.
2. Protection of sensitive data through information protection, classification, and data loss prevention tools.
3. Management of identity and access to securely embrace identity as the primary security perimeter.
ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map? (PECB)
Due to an increase in the collection of consumer data, high-profile data breaches have become common.
Currently, there are 128 countries all over the world that have already put in place regulations to secure the protection of data and privacy.
The webinar covers:
Data protection, a global development
Introduction to the GDPR, ePrivacy & ISO/IEC 27701
GDPR & ISO/IEC 27701 mapping
ePrivacy & ISO/IEC 27701 mapping
Recorded Webinar: https://youtu.be/oVhIoHAGGwk
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
This document summarizes a presentation on two-factor authentication (2FA). It discusses the different types of authentication factors including something you know (e.g. passwords), something you have (e.g. security tokens), and something you are (e.g. biometrics). Software token apps like Google Authenticator and Authy that generate one-time passwords for 2FA are also covered. The document outlines the security issues with passwords and why 2FA is needed based on recent data breaches. It provides an overview of standards like FIDO and implementation recommendations for adding a second authentication factor.
This document provides an overview of security fundamentals including the CIA triad of confidentiality, integrity and availability. It discusses common security threats and countermeasures for each component. Additional concepts covered include identification, authentication, authorization, auditing, accountability, non-repudiation, data classification, roles in security management, due care/diligence, security policies, standards/guidelines, threat modeling and prioritization. The document is intended as a high-level introduction to fundamental security concepts.
The document provides an overview and introduction to ISO/IEC 27001:2013, which is the leading international standard for Information Security Management Systems (ISMS). It establishes requirements for establishing, implementing, maintaining and improving an ISMS to ensure the confidentiality, integrity and availability of information. The standard helps organizations comply with information security laws and regulations. It provides a framework but not technical details for the ISMS. The presentation then continues by covering topics like the benefits of ISO 27001, its requirements and controls.
Introduction to Integration Technologies (BizTalk360)
In this presentation, Arunkumar Kumaresan highlights how integration technologies have emerged over the last few years and cites a few interesting examples.
“Understanding PCI DSS and PA DSS is crucial to the role of a penetration tester. Quoting the relevant PCI-DSS or PA-DSS control reference for your findings would help demonstrate the proper risk arising from common security findings such as support of older SSL versions, weak encryption when storing cardholder data, lack of proper logs from the application, and of course the entire gamut of web application security bugs.”
PCI DSS is a security standard for payment card data that provides requirements for technical and operational security. Compliance is important to avoid consequences of a data breach like regulatory fines and loss of customers. The standard applies to any entity that stores, processes, or transmits cardholder data. It aims to protect data through requirements around firewalls, encryption, access control, vulnerability management, and more. The PCI Security Standards Council maintains and enhances PCI DSS and other standards for payment security.
PCI standards, from participation to implementation and review (isc2-hellenic)
The document provides an overview of the PCI Data Security Standard (PCI DSS) including:
- The goals of PCI DSS which are to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy.
- The twelve requirements of PCI DSS which are organized under these six goals.
- An introduction to the PCI Council which developed and manages the PCI DSS standard.
This webinar discussed data protection by design and the Multi-cert approach to compliance. It defined data protection by design as an approach that considers data protection requirements at the design phase and throughout the lifecycle of any system. The Multi-cert approach recognizes that many organizations must comply with multiple certifications and regulations, and integrating these helps provide comprehensive data protection. Common challenges with the Multi-cert approach include redundant efforts and cost inefficiencies. ControlCase's One Audit solution aims to help organizations assess once and comply to many certifications by automating evidence collection and integrating compliance activities.
Learn how to get more out of your PCI investment with this presentation from SafeNet titled: "Life After Compliance". Derek Tumulak discusses current approaches to PCI DSS compliance, challenges to ensuring compliance, and how to achieve best practices while addressing compliance challenges.
Visit - https://www.controlcase.com/certifications/
ControlCase discusses the following in the context of PCI DSS and PA DSS:
- Network Segmentation
- Card Data Discovery
- Vulnerability Scanning and Penetration Testing
- Card Data Storage in Memory
Point-to-Point Encryption: Best Practices and PCI Compliance Update (Merchant Link)
This document summarizes a live webinar about point-to-point encryption best practices and PCI compliance updates. The webinar covered current security threats to payment card data, industry responses like EMV and PCI P2PE requirements, and examples of point-to-point encryption solutions and their implementation best practices. It also discussed internal threats, botnet attacks, combating threats with PCI and EMV standards, misconceptions about EMV, PCI domains and requirements for P2PE, types of P2PE solutions, considerations for P2PE solutions, and Merchant Link's P2PE product.
PCI Certification and remediation services (Tariq Juneja)
The document discusses the Payment Card Industry Data Security Standard (PCI DSS), which establishes security standards for businesses that accept payment cards. It aims to protect cardholder data and ensure privacy. The PCI DSS includes 12 requirements around data security best practices that cover managing, monitoring and securing cardholder information. It also introduces CompliancePoint, a company that assists other businesses in achieving and maintaining PCI compliance through services like security assessments, policy development and IT consulting.
Payment Card Security: 12-Steps to Meeting PCI-DSS Compliance with SafeNet (SafeNet)
To ensure their compliance with the PCI Data Security Standard, many businesses have turned to SafeNet technology for a solution. To meet these demands, SafeNet offers a range of products, proprietary and through partner alliances. SafeNet, a global leader in information security, provides the industry’s most comprehensive range of solutions to help companies achieve compliance with the PCI Data Security Standard. Through its own proven set of products, along with an extensive partner network, SafeNet can provide merchants with the assurance that sensitive and valuable cardholder information is protected from all types of threats, and that regulatory compliance is not only being met, but exceeded.
PCI DSS mandates organizations to make compliance a business as usual activity instead of an annual audit. ControlCase covers the following:
- PCI DSS requirements that can be made business as usual
- PCI DSS processes that can be made business as usual
- Techniques and methodologies
- Evidence to be provided to QSA for compliance
- Key success factors
- Challenges
All You Wanted To Know About Top Online Payment Security Methods.pptx (ITIO Innovex)
As online transactions become an integral part of our daily lives, the importance of robust online payment security methods cannot be overstated, especially when you want to start your own payment gateway business. Visit us at: https://itio.in/
IRJET - Data Security with Multifactor Authentication (IRJET Journal)
This document discusses a multi-factor authentication system for improving data security. It proposes using passwords, one-time passwords via QR codes, and encryption/decryption of stored data. The system uses three stages of verification: login with username and password, verification with a randomly generated OTP QR code, and encrypting uploaded data and decrypting downloaded data with keys. By adding multiple layers of authentication and encrypting data, the system aims to minimize unauthorized access to secure systems and stored information.
Data protection on premises, and in public and private clouds (Ulf Mattsson)
With sensitive data residing everywhere, organizations becoming more mobile, and the breach epidemic growing, the need for advanced identity and data protection solutions has become even more critical.
Learn about the Identity and Data Protection solutions with which enterprise security organizations can take a data-centric approach to their security posture.
Learn about the new trends in Data Masking, Tokenization and Encryption.
Learn about the guidance and standards from FFIEC, PCI DSS, ISO and NIST.
Learn about the new API Economy and eCommerce trends and how to control sensitive data — both on-premises, and in public and private clouds.
This session is for worldwide directors and managers in financial services, healthcare, energy, government and more.
Credit Card Processing and Information Security: What You Need to Know
Do you take payments by credit card, or do any of your clients? SofTECH member and information security consultant Hugh Deura discusses the security regulations (called PCI) surrounding credit card processing. He’ll explain the objectives of the existing regulations, and the practical steps businesses must take in order to comply.
His discussion covers the 12 Myths of PCI compliance, along with the 12 Facts that set those myths straight.
Hugh Deura has over 10 years of experience in information security and compliance. Hugh blogs at DeuraInfoSec and helps clients comply with industry standards and regulations to succeed in information security with due diligence.
Deura Information Security (DISC) was established in North Bay (Petaluma) California in 2002 and provides services in security risk assessment, designing new controls, and remediation processes to help businesses comply with industry regulations and standards.
Similar to Webinar - PCI PIN, PCI cryptography & key management (20)
How to Choose Right PCI SAQ for Your Business.pdf (VISTA InfoSec)
Confused about PCI SAQ options? This guide unravels the selection process to find the perfect fit for your business's payment processing and cardholder data handling.
Future of Data Privacy Examining the Impact of GDPR and CPRA on Business Prac... (VISTA InfoSec)
VISTA InfoSec conducted a live webinar on the “Future of Data Privacy: Examining the Impact of GDPR and CPRA on Business Practices”. So, if your organization is looking to achieve GDPR or CPRA compliance, this webinar is sure to benefit your organization in many ways.
The California Consumer Privacy Act (CCPA) is a law that was signed on June 28, 2018, that established and promoted the consumer privacy rights and business obligations concerning the collection and sale of personal information of citizens of California. The CCPA came into effect on January 1st, 2020. Soon after, in November 2020, Proposition 24, known as the California Privacy Rights Act of 2020 (CPRA), was introduced, and it is soon to replace CCPA Compliance. CPRA is the updated version that expands CCPA Compliance. The latest version can be more accurately described as an improvisation of the existing compliance framework, with amendments and additions introduced in the provision. Explaining the amendments and new additions introduced, we have shared all the details of CCPA Compliance vs CPRA Compliance in the article today. But before that, let us learn and understand what exactly CPRA Compliance is.
The Health Insurance Portability and Accountability Act, also widely known as HIPAA is an essential data protection standard that is crucial to the healthcare industry. It is important that organizations understand the HIPAA requirements to comply with the regulation. So, the HIPAA Compliance checklist is a compiled list of HIPAA Requirements that organizations are expected to implement to ensure compliance with the regulation.
SOC2 Audit is a report that comprises details of evaluation on the service organization’s internal controls, policies, and procedures related to AICPA’S Trust Service Criteria. It is a report that assures the suitability and effectiveness of the service organization’s controls in context to security, availability, processing integrity, confidentiality, and privacy. It is an audit report that typically aids the client’s decision making in selecting a service organization to work in collaboration
What is expected from an organization under NCA ECC Compliance? (VISTA InfoSec)
Cybersecurity initiatives are today essential in a digitally-driven business world. This is to ensure the safety of the organization’s systems and sensitive data from accidental or deliberate incidents of breach. The growing number of cyber crimes and their operational and financial impact on business in terms of legal liability, reputational damage, and financial loss has pushed regulators to establish strong security measures and frameworks in place.
The urgent need to address cybersecurity threats has resulted in the adoption of industry best practices by regulators around the world. In 2018, Saudi Arabia’s National Cybersecurity Authority (NCA) issued Essential Cybersecurity Controls (ECC) which is a minimum cybersecurity requirement for Saudi government organizations. The NCA encourages organizations in Saudi Arabia to adopt the ECC framework to improve their cybersecurity resilience.
For more, visit: https://www.vistainfosec.com/service/nca-ecc-compliancce/
Webinar - PCI DSS Merchant Levels validations and applicable (VISTA InfoSec)
For a better understanding of PCI DSS Merchant levels and to know how it affects your compliance efforts, we conducted a very informative webinar that works as a comprehensive guide for merchants.
The informative webinar also provides details on applicable PCI SAQ for small merchants and service providers who are not required to submit a compliance report, but rather use the Self-Assessment Questionnaire (SAQ) which is designed as a self-validation tool to assess security for cardholder data.
Reducing cardholder data footprint with tokenization and other techniques (VISTA InfoSec)
This webinar discusses techniques for reducing an organization's cardholder data footprint to simplify PCI DSS compliance. It covers tokenization, which replaces sensitive card data with random tokens that have no value. Tokenization stores the original data in a secure vault and allows transactions to use tokens instead of real card numbers, reducing the scope of systems and data in scope for PCI compliance. Other techniques discussed include network segmentation, point-to-point encryption, and outsourcing services to PCI-compliant vendors. Reducing an organization's cardholder data footprint lowers the cost and effort of compliance while also preventing data breaches and theft.
What to expect from the New York Privacy Act (VISTA InfoSec)
With the New York Privacy Act recently proposed as a bill in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting how they collect, use and share consumers’ personal information throughout the State.
ISO 27001 or ISO/IEC 27001:2013 is an international standard created to help organizations manage the security processes of their information assets. This standard provides a solid framework for implementing an Information Security Management System also known as an ISMS.
Mobile phones are a quintessential part of our lives; they keep us connected with friends and family and make our lives more convenient every day. As the global Covid-19 pandemic encouraged people to remain safely indoors, there was a large increase in the number of Mobile Banking users. From depositing checks remotely to having 24*7 access to your bank account, the convenience and the utility of Mobile Banking are the reasons behind this popularity. And yet many people still wonder if Mobile Banking is Safe. If you are someone who is undecided about adopting Mobile Banking because of concerns about the security of Mobile Banking then here is the answer to your question ‘Are Mobile Banking Apps really safe?’ covered in this article. The best way to do this is to look at the risks involved with Mobile Banking and what organizations and customers can do about it.
Interesting question and rightly so… it’s expensive and painful to achieve with more than 400 control requirements which encompass the length and breadth of your company’s operations.
Achieving a SOC2 certification for your organization gives your company an edge over your competitors by assuring your clients, customers or prospects that your organization is taking all the necessary steps to ensure the data is safe, thereby protecting it from data breaches. Most importantly, it gives the assurance to your clients that you are delivering services as per commitments made either through SLAs or branding or through your marketing efforts. A SOC 2 report details the controls of the systems that your company uses to process data and also describes the security and privacy of that data. SOC 2 compliance can help businesses such as software-as-a-service, banking, or healthcare companies strengthen their reputations, financial statements, and stability by documenting, evaluating, and improving their internal controls.
Data Privacy laws around the world have levied stringent obligations on the way businesses are required to handle sensitive data. Non-compliance to these obligations will have severe consequences and penalties, especially in case of a security breach. Organizations looking to achieve GDPR compliance need to map their data flow to assess privacy risks. GDPR Data Mapping is the process of determining the type of data processed and the way they are processed. This helps determine the risk exposure of your company and systems or applications that are highly exposed to threats.
A firewall risk assessment is a detailed assessment approach of a firewall topology and configuration that has been implemented to protect your information, systems, applications, and overall business operations.
As a service organization, you are familiar with audit requests from clients who are required to meet specific compliance and audit requirements. You have most likely been asked whether your organization is SOC 1 Compliant or SOC 2 Compliant.
Clients frequently ask what the differences are between a SOC 1 and a SOC 2. Which SOC report should they get? Do they need both? In this article today we have discussed the differences between SOC 1 and SOC 2, and which ones organizations need to be compliant with.
The question is: What are the differences between a SOC 1 and SOC 2? Which SOC report should I get? Do I need both? These are questions we, as auditors, are frequently asked. Let’s take a look at the differences between the two, and why you could be asked for either, or both, as you continue to grow your business.
Key additions and amendments introduced under the CPRA (VISTA InfoSec)
On November 3rd, 2020, the California Privacy Rights Act was passed as the latest version of the California Consumer Privacy Act, which recently came into effect on the 1st of July, 2020. CPRA brings significant amendments and additions to the rules of Data Privacy outlined in CCPA Compliance. Declaring its enforcement in 2023, the CPRA introduced some new concepts to Data Privacy in California. With new additions and amendments, the CPRA bridges certain potential loopholes in the previous version of CCPA, making the law more stringent. Further, introducing the amendments and new additions to the provision has taken this Data Privacy law closer to the EU’s GDPR standard. Let us today, through this article, take a look at the new provisions introduced and understand the amendments in the Data Privacy Standard.
6 Amazing Key Elements To Consider The PCI DSS Card Data Discovery Process (VISTA InfoSec)
Over the past few years, the industry has witnessed several incidents of high-profile data breaches. Incidents like these serve as a reminder for businesses to prioritize data security and strengthen their business environment. Addressing the concern of data security, the Payment Card Industry Security Standards Council (PCI SSC) issued guidelines under the Payment Card Industry Data Security Standard (PCI DSS) for securely processing, storing and transmitting payment card data. As per the PCI DSS Standard requirement, organizations in question need to determine the scope of their PCI DSS assessment accurately and secure card data. Determining the scope essentially involves discovering unencrypted card data and securing the source to prevent breach/data theft. It is interesting to note that most of the incidents of data breach/theft in the industry today are due to a failure to secure data stored in undiscovered locations. This potentially exposes most organizations to a high-level risk of a data breach. It is therefore essential for organizations to conduct a thorough Card Data Discovery assessment, to identify and, if required, securely delete cardholder data that is no longer required or has exceeded the retention period.
In this article today, we have outlined key elements to consider while conducting the PCI DSS Card Data Discovery Assessment. Consideration of these elements will ensure accurate scoping and data discovery across the environment. However, before proceeding towards learning about the key elements, let us first understand the term Card Data Discovery (CDD). This will facilitate better learning and understanding of the Card Data Discovery process.
SOC 2 Type 1 Vs. Type 2: Do You Really Need It? This Will Help You Decide! (VISTA InfoSec)
The prevalence of cyber security attacks and data breaches in recent years has brought to light how vulnerable organizations are to a cyber-attack. The financial losses and the tarnished reputation caused by such attacks cannot be underestimated by any organization handling confidential data. Data breaches still continue to be a pressing concern for companies across the globe. Indeed, information security has now become a major concern for organizations handling sensitive data, including those who outsource their business requirements to third-party organizations such as SaaS providers, data analytics companies and cloud computing providers.
Needless to say, all IT managers and security stakeholders have been scrambling to find ways to tackle the situation and gain control over their network and data security. One way to ensure the security and privacy of data is by obtaining a SOC 2 Type1 & Type 2 report from a CPA. So, let us today understand in detail about the SOC 2 audit and its application to your organization.
Why is GDPR essential for small businesses (with links) (VISTA InfoSec)
The document discusses why GDPR compliance is important for small businesses. It explains that GDPR applies to any organization that processes personal data of EU citizens, regardless of size or location. GDPR aims to give citizens control over their personal data and prevent misuse. For small businesses, GDPR compliance means appointing a data protection officer, reporting data breaches within 72 hours, and giving individuals rights over their data. Non-compliance can result in fines of up to 20 million euros. While small businesses have some exemptions, following GDPR principles is recommended to build customer trust.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATOs (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Essentials of Automations: The Art of Triggers and Actions in FME (Safe Software)
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Securing your Kubernetes cluster: a step-by-step guide to success! (KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and OpenAI.
The UiPath Test Automation with generative AI and OpenAI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with OpenAI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and OpenAI
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
How to Get CNIC Information System with Paksim Ga.pptx (danishmna97)
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Building RAG with self-deployed Milvus vector database and Snowpark Container... (Zilliz)
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies, of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more in common than that.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she was involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private organizations. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not pursuing her passion for computers and for Geeko she cultivates her curiosity about astronomy (from which her nickname deneb_alpha derives).
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
2. Webinar Objectives
Introduction to PCI PIN
Scope and Applicability of PCI PIN
Basics of cryptography
Best practices in Key Management
PCI PIN certification process
Q&A
4. “It is not the answer that enlightens, but the question.” (Découvertes)
5. ABOUT ME
Mr. Sahoo carries over 25 years of experience in the IT industry, of which the last 15 years have been dedicated to VISTA InfoSec. His professional qualifications include PCI QSA, CISA, CISSP, CRISC and ISO 27001 Lead Assessor. Starting off as an assembly language programmer, with the advent of networking and the Internet in India he moved into networking and IT management, of which InfoSec was a natural progression.
A well-versed professional with proficiency in globally recognized standards such as ISO 27001, PCI DSS, ITIL/ISO 20000 and COBIT, and in many international regulations such as HIPAA, CSV, SOX, SSAE16 and SOC, Mr. Sahoo has conducted IT consulting and assessments for large banks, software development organizations, research and development companies and BPOs in India and overseas. Well versed in strategy development and with an astute technical background, he has audited, designed and strategized for a wide variety of information security and networking technologies. He has provided consulting services for premier organizations such as the Tata Group, Shell Oil, Cipla, numerous payment processing organisations and a host of banks including the Reserve Bank of India, as well as the Indian armed forces.
He has recently been awarded the “Crest of Honor” by the Indian Navy for his contributions. He was inducted into the CSI Hall of Fame for his significant contributions to the fraternity.
Sectors: worked in all verticals, ranging from Government/PSU, BFSI, Pharma and Manufacturing to ITES etc.
NARENDRA SAHOO
Designation: Director
Certifications: PCI QPA, PCI QSA, CISSP, CISA, CRISC, ISO27001 LA
Experience: 25 years
12. PCI SSC - The Standards
PCI PED | PCI PA-DSS | PCI DSS
PCI PED addresses device characteristics impacting the security of PIN Entry Devices (PEDs) during financial transactions.
PA-DSS applies to software vendors and others who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement, where those applications are sold, distributed, or licensed to third parties.
PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data, and specifically to those system components included in or connected to the cardholder data environment (the part of the network with cardholder data).
Where each standard applies:
- PCI PED: PEDs integrated with payment applications (POS, ATM) and stand-alone PED devices. PCI PED applies to the PED device only.
- PA-DSS: payment applications (e.g. shopping cart, POS). PA-DSS may apply*.
- PCI DSS: payment applications in merchants'/service providers' environment** and merchants' and service providers' cardholder data environment. PCI DSS applies to systems & networks.
15. Objective
of PCI PIN
Identifies minimum security requirements for PIN-
based interchange transactions.
Outlines the minimum acceptable requirements for
securing PINs and encryption keys.
Assists all retail electronic payment system
participants in establishing assurances that
cardholder PINs will not be compromised.
16. Applicability
of PCI PIN
Secure management, processing, and transmission of personal identification number (PIN) data during online and offline payment card transaction processing at ATMs and attended and unattended point-of-sale (POS) terminals.
17. Standard layout
Transaction Processing Operations
- 7 Control Objectives
Normative Annex A – Symmetric Key Distribution using Asymmetric Keys
Acquiring entities involved in the implementation of symmetric key distribution using asymmetric keys (remote key distribution) or those entities involved in the operation of Certification Authorities for such purposes
- A1 – 6 Control Objectives. Remote Key Distribution Using Asymmetric Techniques Operations
- A2 – 7 Control Objectives. Certification and Registration Authority Operations
Normative Annex B – Key-Injection Facilities
- Entities that operate key-injection facilities for the injection of keys (key-encipherment keys (KEKs), PIN-encipherment keys (PEKs), etc.) that are used for the acquisition of PIN data
- 7 Control Objectives
Normative Annex C – Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms
19. Transaction Processing Operations
Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
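Control Objective 1, and the Annex B key-injection facilities that load the PIN-encipherment keys (PEKs), both reduce to one operation at the point of interaction: the PIN is formatted into an ISO 9564 PIN block and enciphered under the PEK inside the PIN entry device, and it never exists in the clear outside a secure cryptographic device. The Go program below is an added example written for this page, not code from the presentation or from VISTA InfoSec. It implements ISO 9564-1 format 0 (PIN field XOR PAN field) and enciphers the block with TDES under a double-length key, the weakest TDES strength Annex C permits. The PEK hex value is a constructed test key and 4111111111111111 is the well-known test PAN; in a compliant deployment this logic runs inside the PED or HSM (the acquiring HSM translates the block to the next zone's key rather than returning the PIN), so the code serves to understand the format and to produce test vectors, not to handle live PINs.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

func allDigits(s string) bool {
	return s != "" && strings.Trim(s, "0123456789") == ""
}

// panField returns the 8-byte ISO 9564-1 PAN field: 0000 followed by the twelve
// rightmost PAN digits excluding the Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1] // drop the check digit
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// Format0PINBlock builds an ISO 9564-1 format 0 PIN block:
//   PIN field = 0 | PIN length (one hex digit) | PIN digits | 'F' padding to 16 hex digits
//   block     = PIN field XOR PAN field
func Format0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	field := fmt.Sprintf("0%X%s", len(pin), pin)
	field += strings.Repeat("F", 16-len(field))
	p, _ := hex.DecodeString(field)
	q, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ q[i]
	}
	return block, nil
}

// tdesCipher accepts a double-length (16-byte, K1|K2) or triple-length (24-byte)
// key; crypto/des wants the 24-byte K1|K2|K1 form.
func tdesCipher(pek []byte) (cipher.Block, error) {
	switch len(pek) {
	case 16:
		pek = append(append([]byte{}, pek...), pek[:8]...)
	case 24:
	default:
		return nil, errors.New("PEK must be a 16- or 24-byte TDES key")
	}
	return des.NewTripleDESCipher(pek)
}

// EncryptPINBlock enciphers the single 8-byte PIN block under the PEK
// (the block is exactly one DES block, so this is ECB of one block).
func EncryptPINBlock(pek, block []byte) ([]byte, error) {
	c, err := tdesCipher(pek)
	if err != nil {
		return nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// RecoverPIN is the receiving side: decrypt under the PEK, remove the PAN field,
// and validate the format 0 structure before trusting the digits. A wrong key or
// an altered block yields an invalid structure and is rejected.
func RecoverPIN(pek, encrypted []byte, pan string) (string, error) {
	c, err := tdesCipher(pek)
	if err != nil {
		return "", err
	}
	if len(encrypted) != 8 {
		return "", errors.New("encrypted PIN block must be 8 bytes")
	}
	q, err := panField(pan)
	if err != nil {
		return "", err
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, encrypted)
	for i := range clear {
		clear[i] ^= q[i]
	}
	field := strings.ToUpper(hex.EncodeToString(clear))
	n, perr := strconv.ParseInt(field[1:2], 16, 0)
	if field[0] != '0' || perr != nil || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block (wrong key or altered block)")
	}
	pin, pad := field[2:2+n], field[2+n:]
	if !allDigits(pin) || strings.Trim(pad, "F") != "" {
		return "", errors.New("not a valid format 0 PIN block (wrong key or altered block)")
	}
	return pin, nil
}

func main() {
	pek, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // constructed test key
	pan := "4111111111111111"                                      // well-known test PAN
	block, _ := Format0PINBlock("1234", pan)
	enc, _ := EncryptPINBlock(pek, block)
	pin, err := RecoverPIN(pek, enc, pan)
	fmt.Printf("clear block %X, encrypted %X, recovered %s (err=%v)\n", block, enc, pin, err)
}
```

For the test PAN and PIN 1234 the clear block is 041225EEEEEEEEEE, the worked value found in most ISO 9564 explanations, which makes the program useful as a check against an HSM's own output. Because the PAN is folded into the block, the same PIN produces a different block for every card, so an attacker observing encrypted blocks cannot group cards by PIN.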
20. Normative Annex A – Symmetric Key Distribution using Asymmetric Techniques
A1 – Remote Key Distribution Using Asymmetric Techniques Operations
Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
21. Normative Annex A – Symmetric Key Distribution using Asymmetric Techniques
A2 – Certification and Registration Authority Operations
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
22. Normative Annex B – Key Injection Facilities
Control Objective 1: PINs used in transactions governed by these requirements are processed using equipment and methodologies that ensure they are kept secure.
Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are created using processes that ensure that it is not possible to predict any key or determine that certain keys are more probable than other keys.
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.
23. Normative Annex C – Minimum and Equivalent Key Sizes and Strengths for Approved Algorithms
The following are the minimum key sizes and parameters for the algorithm(s) in question that must be used in connection with key transport, exchange, or establishment and for key or data protection:
25. Index
Introduction
What is Cryptography?
Purpose of cryptography
Architecture of cryptography
Types of cryptography
Process of cryptography
Types of cryptography algorithms
Attacks on cryptography
Conclusion
References
26. INTRODUCTION
The Internet is a global interconnection of computer networks whose address space is administered by IANA (the Internet Assigned Numbers Authority).
There are many aspects to Internet security, covering a range of applications from secure commerce and payments to private communications and protecting passwords.
Cryptography is one critical aspect of secure communications.
27. What is Cryptography?
Cryptography is a term derived from the Greek word “kryptós”, which means “hidden” (hidden secrets).
Cryptography is a technique of hiding information.
The method involves securing communication/data by encrypting readable data into a coded format, replacing the plain letters with other characters.
This process or technique facilitates Confidentiality, Integrity, and Accuracy.
28. PURPOSE OF CRYPTOGRAPHY
Authentication: Proves one's identity. (The primary forms of host-to-host authentication on the Internet today are name-based or address-based, both of which are notoriously weak.)
Privacy/confidentiality: Ensures confidentiality of data, for the text is encrypted and can only be read by the intended person.
Integrity: Assures that the data received by the receiver is not compromised or altered in any way from the original.
Non-repudiation: A mechanism to prove that the data/message was indeed sent by the claimed sender.
29. Architecture of cryptography
[Figure: how the three primitives combine. Alice's message is run through a hash function and the digest is signed with Alice's private key (public key crypto), producing the digital signature. The message itself is encrypted under a random session key (secret key crypto), producing the encrypted message. The session key is encrypted under Bob's public key (public key crypto), producing the digital envelope, i.e. the encrypted session key. The signature, the encrypted message and the encrypted session key are sent to Bob.]
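The figure on this slide is the hybrid construction every practical system uses: public key crypto for identity and key transport, secret key crypto for the bulk data, a hash function to bind the signature to the message. The Go program below is an added example written for this page, not code from the presentation, and implements that exact flow with standard-library primitives: SHA-256 with RSA-PSS for the signature, a random AES-256-GCM session key for the message, and RSA-OAEP to wrap the session key for Bob. The names Envelope, Seal, Open and NewKeyPair are this example's own. The same construction, a symmetric key carried under a recipient's public key, is what Annex A's remote key distribution using asymmetric techniques relies on.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope carries the three outputs of the figure: the encrypted session key
// (the digital envelope), the encrypted message, and Alice's digital signature.
type Envelope struct {
	EncryptedSessionKey []byte // random session key under Bob's public key (RSA-OAEP)
	Nonce               []byte // AES-GCM nonce for the message
	EncryptedMessage    []byte // message under the session key (AES-256-GCM)
	Signature           []byte // SHA-256 of the message signed with Alice's private key (RSA-PSS)
}

// NewKeyPair generates a 2048-bit RSA key pair (one per party).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is Alice's side: hash and sign the message, encrypt it under a fresh
// session key, and wrap the session key under Bob's public key.
func Seal(alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg) // hash function -> digital signature
	sig, err := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // random session key (secret key crypto)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Digital envelope: the session key under Bob's public key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		EncryptedSessionKey: wrapped,
		Nonce:               nonce,
		EncryptedMessage:    gcm.Seal(nil, nonce, msg, nil),
		Signature:           sig,
	}, nil
}

// Open is Bob's side: unwrap the session key, decrypt the message, and accept
// it only if Alice's signature verifies over the recovered plaintext.
func Open(bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, env.EncryptedSessionKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: not addressed to this recipient or altered")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	msg, err := gcm.Open(nil, env.Nonce, env.EncryptedMessage, nil)
	if err != nil {
		return nil, errors.New("message decryption failed: ciphertext or nonce altered")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: not from Alice or message altered")
	}
	return msg, nil
}

func main() {
	alice, _ := NewKeyPair()
	bob, _ := NewKeyPair()
	msg := []byte("constructed sample: settle batch 0042") // constructed demo input
	env, err := Seal(alice, &bob.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := Open(bob, &alice.PublicKey, env)
	fmt.Printf("recovered %q, err=%v\n", got, err)
	env.EncryptedMessage[0] ^= 0x01 // flip one bit in transit
	_, err = Open(bob, &alice.PublicKey, env)
	fmt.Println("after tampering:", err)
}
```

Two design points worth noticing: the session key is used once and discarded, so compromising it exposes one message, and Bob verifies the signature over the plaintext he actually decrypted, so a message signed by anyone other than Alice, or altered after signing, is rejected even though it decrypts.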
30. Types of Cryptography
Secret Key Cryptography
A single key is used to encrypt and decrypt data.
Both the sender and receiver need to know the key.
Assuming we live in a hostile environment (otherwise, why the need for cryptography?), it may be hard to share a secret key.
31. Public Key Cryptography
Each entity has 2 keys:
- Private key (a secret)
- Public key (well known).
One of the keys allocated to each person is called the "public key". It is published in an open directory where it is visible/accessible to everyone (for example, looked up by email address).
35. PUBLIC/PRIVATE KEY CRYPTOGRAPHY
Asymmetric key cryptography, which uses a different key for encryption and for decryption (a key pair), helps overcome the key management problem.
Knowing just one key, say the encryption key, is not sufficient to determine the other (decryption) key.
The mathematical relationship between the public/private key pair follows a standard rule:
any message encrypted with one key of the pair can only be decrypted with its counterpart key.
36. Hash Functions
A hash function is a one-way function, fundamental to most parts of cryptography.
A one-way function simply means it is easy to calculate, but hard to invert:
calculating the input to the function may be difficult, given its output.
The meanings of "easy" and "hard" can be precisely defined mathematically.
With rare exceptions, almost the entire field of public key cryptography rests on the existence of one-way functions.
37. Attacks on cryptography
Ciphertext-only attack
- The only data available is a target ciphertext
Known-plaintext attack
- A target ciphertext
- Pairs of other ciphertexts and plaintexts (say, previously broken or guessed)
38. Attacks on cryptography
Chosen-plaintext attack
- A target ciphertext
- The attacker can obtain the matching ciphertext for plaintexts of their choosing by feeding them to the encryption algorithm.
Chosen-ciphertext attack
- A target ciphertext
- The attacker can obtain the matching plaintext for ciphertexts of their choosing by feeding them to the decryption algorithm.
41. Key Management in Cryptography
What is Key Management?
Why is Key Management a topic of discussion?
Different Key Management Techniques
About the Key Management Life Cycle
42. Key Management in Cryptography
Definition: Key Management is the set of techniques and procedures that support the establishment and maintenance of keying relationships between authorized parties.
A keying relationship is the state in which two entities share common data (keying material) that enables cryptographic techniques between them.
The data shared between the parties may include public or secret keys, initialization values, and additional non-secret parameters.
43. Key Management in Cryptography (cont.)
Key Management techniques and procedures support:
Initialization of system users within a domain;
Generation, distribution, and installation of keying material;
Controlling the use of keying material;
Update, revocation, and destruction of keying material;
Storage, backup/recovery, and archival of keying material.
44. WHY IS KEY MANAGEMENT A TOPIC OF DISCUSSION?
Most attacks are aimed at the key management level rather than at the cryptographic algorithm itself.
Key management objectives, threats, and policy.
Objectives of Key Management:
Maintain keying relationships and keying material in a manner that counters relevant threats, in practice in conformance with the relevant security policy.
45. WHY IS KEY MANAGEMENT A TOPIC OF DISCUSSION?
Threats
Compromise of the confidentiality of secret keys.
Compromise of the authenticity of secret or public keys.
Unauthorized use of public or secret keys.
46. WHY IS KEY MANAGEMENT A TOPIC OF DISCUSSION?
Security policy
Explicitly or implicitly defines the potential threats a system is intended to address.
May affect the stringency of cryptographic requirements, depending on the susceptibility of the environment in question to various types of attack.
47. WHY IS KEY MANAGEMENT A TOPIC OF DISCUSSION?
Security policies specify:
Practices and procedures to be followed while carrying out technical and administrative aspects of key management, both automated and manual;
The responsibilities and accountability of each party involved;
The types of records to be kept, to support subsequent reports or reviews of security-related events.
49. Key Management Techniques – Public-Key vs. Symmetric-Key Techniques
The primary advantages of public-key (vs. symmetric-key) techniques for applications related to key management include:
- Simplified key management
- Online trusted server not required
- Enhanced functionality.
52. Key Management Techniques – Techniques for distributing confidential keys
Key layering and symmetric-key certificates
Key layering:
- Master keys sit at the highest level in the hierarchy.
- Key-encrypting keys are symmetric keys or encryption public keys used for key transport or storage of other keys.
- Data keys provide cryptographic operations on user data.
53. Key Management Life Cycle
Key management is simplest when all cryptographic keys are fixed for all time.
Cryptoperiods necessitate the update of keys.
This in turn necessitates additional procedures and protocols, which include communications with third parties in public-key systems.
The sequence of states through which keying material progresses over its lifetime is called the key management life cycle.
54. Key Management Life Cycle – Life cycle stages may include:
User registration
User initialization
Key generation
Key installation
Key registration
Normal use
Key backup
Key update
Archival
Key de-registration and destruction
Key recovery
Key revocation
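Slides 52 to 54 describe a three-layer hierarchy (master key, key-encrypting keys, data keys) and a life cycle in which data keys are replaced at the end of their cryptoperiod while the keys above them stay put. The Go program below is an added illustration written for this page, not code from the presentation: every key below the master key exists outside the secure device only wrapped under its parent, the wrap binds a usage label so a stored KEK cannot be silently presented as a data key (or the reverse), and a key check value identifies which parent a blob belongs to. AES-256-GCM is assumed here as the wrapping mechanism for the sake of illustration; production PIN environments use HSM key blocks (ANSI TR-31 style) that bind key usage attributes in the same spirit. The function and label names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Usage labels for the two layers that live below the master key.
const (
	UsageKEK  = "KEK"  // key-encrypting key: wraps lower-level keys for transport/storage
	UsageData = "DATA" // data key: performs cryptographic operations on user data
)

// WrappedKey is how a key exists outside the secure device: encrypted under its
// parent, with the parent's check value and the key's usage label bound in.
type WrappedKey struct {
	Usage     string
	ParentKCV string
	Nonce     []byte
	Blob      []byte
}

// NewKey returns a fresh 256-bit key. In a PCI PIN environment generation
// happens inside an HSM; crypto/rand stands in here.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// KeyCheckValue is the first three bytes of AES-encrypting an all-zero block:
// enough to identify a key and detect a mismatch without revealing it.
func KeyCheckValue(key []byte) (string, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	var zero, out [16]byte
	c.Encrypt(out[:], zero[:])
	return hex.EncodeToString(out[:3]), nil
}

func aead(key []byte) (cipher.AEAD, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(c)
}

// Wrap encrypts child under parent with AES-256-GCM, authenticating the usage
// label as additional data so the label cannot be changed while in storage.
func Wrap(parent, child []byte, usage string) (*WrappedKey, error) {
	g, err := aead(parent)
	if err != nil {
		return nil, err
	}
	kcv, err := KeyCheckValue(parent)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &WrappedKey{Usage: usage, ParentKCV: kcv, Nonce: nonce,
		Blob: g.Seal(nil, nonce, child, []byte(usage))}, nil
}

// Unwrap recovers the child key. It fails if the wrong parent is presented, if
// the caller expects a different usage than the blob carries, or if any field
// of the blob was altered.
func Unwrap(parent []byte, w *WrappedKey, expectUsage string) ([]byte, error) {
	kcv, err := KeyCheckValue(parent)
	if err != nil {
		return nil, err
	}
	if kcv != w.ParentKCV {
		return nil, errors.New("wrong parent key (check value mismatch)")
	}
	if w.Usage != expectUsage {
		return nil, fmt.Errorf("key is labelled %s, caller expected %s", w.Usage, expectUsage)
	}
	g, err := aead(parent)
	if err != nil {
		return nil, err
	}
	child, err := g.Open(nil, w.Nonce, w.Blob, []byte(w.Usage))
	if err != nil {
		return nil, errors.New("wrapped key failed authentication: blob or label altered")
	}
	return child, nil
}

// RotateDataKey is the "key update" stage of the life cycle: a new data key is
// generated and wrapped under the existing KEK; the KEK and master key are untouched.
func RotateDataKey(kek []byte) (*WrappedKey, error) {
	dk, err := NewKey()
	if err != nil {
		return nil, err
	}
	return Wrap(kek, dk, UsageData)
}

func main() {
	mk, _ := NewKey()
	kek, _ := NewKey()
	dk, _ := NewKey()
	wKEK, _ := Wrap(mk, kek, UsageKEK) // KEK stored under the master key
	wDK, _ := Wrap(kek, dk, UsageData) // data key stored under the KEK
	k1, err1 := Unwrap(mk, wKEK, UsageKEK)
	k2, err2 := Unwrap(k1, wDK, UsageData)
	fmt.Println("chain unwrapped:", err1 == nil && err2 == nil && bytes.Equal(k2, dk))
	_, err := Unwrap(kek, wDK, UsageKEK) // a data key presented as a KEK
	fmt.Println("usage mismatch rejected:", err)
}
```

The layering pays off at update time: rotating a data key touches only the lowest layer, and rotating a KEK means re-wrapping the data keys beneath it, never redistributing the master key. Binding the usage label into the authenticated data is what turns "key-encrypting keys are used for key transport or storage of other keys" from a policy statement into something the device can enforce.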
55. Thank You
Please do complete our brief survey at the end and leave your
comments
56. Past Webinars
PCI DSS - Managing your outsourced vendor.
Log Management and reporting for the PCI environment.
Best practices in Ecommerce security.
PCI DSS and the Cloud – Top risks and Mitigations
Wireless in the PCI environment – Top risks and Mitigations
PCI DSS in the virtualized environment – Top risks and Mitigations
Targeted attacks: Spear Phishing and Social Engineering.
PCI DSS Scoping and Segmentation.
Managing Data Leakage in your PCI environment.
Strategies for migration from early TLS and SSL.
Using PCI DSS for GDPR Compliance
Using ISO27001 for PCI DSS
SOC2 and YOU
GDPR – Are you ready
SOC2 – Beyond the myth
GDPR – Steps to a successful DPIA
Blockchain – A crash course – What is it, potential uses and pitfalls
57. Past Webinars
Tackling Security in the Cloud: CASB to the rescue
HIPAA – Basics and Beyond…
Using SOC2 for HIPAA Compliance
Developing a Cyber Security framework using NIST
SOC for CyberSecurity
Rights of Data Subjects – GDPR and PDPA
SOC2 Compliance and the Cloud
Debunking Top 10 myths of PCI DSS
Achieving PCI DSS in 90 days
FDA CFR Part 11 - What's the hype all about
Achieving SOC2 Compliance in 90 days – Is it possible?
Step by step approach to PDPA compliance
Steps for compliance with NIST 800-171
PCI DSS - 5 Simple Techniques to reduce scope
SOC2 and CCM
Intalks with Nitin Bhatnagar (PCI Council) - Meeting Payment Security Needs Now and for the Future
58. Past Webinars
COVID-19 and Business Continuity
PA DSS and PCI SSF – How they match up and how they map
PCI PIN, PCI Cryptography & Key Management