Truvantis PCI 3.0 Webcast: Minimizing the Business Impact of the PCI-DSS 3.0 Transition

Slide 1
Andy Cottrell
12/14/2013

Slide 2
- The PCI DSS refresh cycle
- What has changed in general terms
- Review of specific, significant changes
  - Requirement 0
  - Requirements 1-12
- Reorganization of documents
- Final notes

Slide 3
The YouTube recording of this webcast is linked from the end of the presentation and is available here: http://youtu.be/mwvx1q9aMDw

Slide 4
- IT security consulting company: www.truvantis.com
- Authorized PCI DSS Qualified Security Assessor (QSA) Company
- Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance

We also understand that IT security can’t get in the way of doing business!

Slide 6
- A great deal of clarification
- Some additional requirements
- More useful narrative before the requirements
- Reorganization of the documents
- Focus on goals, not technology
- Today, look at a few of the more important changes

Slide 7
- Scope
  - Cannot store SAD after authorization, even without the PAN
  - Determination of the scope of the CDE is the entity’s responsibility
- Segmentation
  - If a control is used to de-scope, then that control is in scope
  - A system can only be out of scope if its compromise would not impact the security of the CDE

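The two segmentation rules on this slide can be applied mechanically once the network is written down. The following is an added example (not from the deck or from Truvantis) that treats a system as in scope when it can reach the CDE without crossing a segmentation control, and marks every control that actually separates an in-scope system from an out-of-scope one as in scope itself. The topology, system names and control names are constructed. Network reachability is only a proxy for "compromise would not impact the security of the CDE": a system that provides security services to the CDE is in scope even when it is filtered, so treat the output as the starting list for a scoping review rather than its result.

```python
"""Derive PCI DSS scope from a network description using the two
segmentation rules on the slide.  Added example with a constructed topology."""
from collections import deque

# Constructed links: (system_a, system_b, control).  `control` names the
# segmentation control that restricts traffic on that link; None means the
# two systems communicate freely.
LINKS = [
    ("pos-terminal", "payment-switch", None),
    ("payment-switch", "card-db", None),
    ("card-db", "backup-server", None),        # backup host talks to the CDE unfiltered
    ("payment-switch", "corp-lan", "fw-cde"),  # firewall rule set separating the corp LAN
    ("corp-lan", "hr-system", None),
    ("corp-lan", "guest-wifi", "fw-guest"),    # a control between two non-CDE networks
]

# Systems that store, process or transmit cardholder data (the CDE itself).
CDE = {"pos-terminal", "payment-switch", "card-db"}


def derive_scope(cde, links):
    """Return a dict with the in-scope systems, the controls relied on for
    de-scoping, and the systems that may be treated as out of scope."""
    adjacency = {}
    systems = set()
    for a, b, control in links:
        systems.update((a, b))
        adjacency.setdefault(a, []).append((b, control))
        adjacency.setdefault(b, []).append((a, control))

    # Rule: a system whose compromise could impact the CDE is in scope.  Here
    # that is any system reachable from the CDE over uncontrolled links.
    in_scope = set(cde)
    queue = deque(cde)
    while queue:
        node = queue.popleft()
        for neighbour, control in adjacency.get(node, []):
            if control is None and neighbour not in in_scope:
                in_scope.add(neighbour)
                queue.append(neighbour)

    # Rule: a control used to de-scope is itself in scope.  A control counts
    # as de-scoping only if it sits between an in-scope and an out-of-scope
    # system; one between two out-of-scope networks de-scopes nothing.
    descoping_controls = {
        control
        for a, b, control in links
        if control is not None and (a in in_scope) != (b in in_scope)
    }
    return {
        "in_scope": in_scope,
        "controls": descoping_controls,
        "out_of_scope": systems - in_scope,
    }


if __name__ == "__main__":
    for label, members in derive_scope(CDE, LINKS).items():
        print(f"{label}: {sorted(members)}")
```

With the constructed topology the backup server lands in scope because nothing filters its path to the card database, `fw-cde` is in scope because it is what keeps the corporate LAN out, and `fw-guest` is not, because both of its neighbours are already out of scope.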
Slide 8
- Wireless
  - Don’t
- Service providers
  - It’s still your job to monitor the compliance of your service providers
    - The fact that they have an AOC does not change that; it just helps with validation

“For example, providing the AOC and/or relevant sections of the service provider’s ROC (redacted to protect any confidential information) could help provide all or some of the information.”

Slide 9
- Business-as-Usual
  - Totally new section
  - Discusses how to build compliance into your daily routine
  - This is not a new requirement
  - Consider it guidance and advice that will help

Slide 10
- Security policies and daily operational procedures moved into relevant sections
  - Just moving section 12 items into a more sensible place
- NEW: Inventory of system components and their function/use
  - You probably did this anyway
  - Just leave an audit trail to show you keep it current
  - TIP: Create a regular task to review it

Slide 11
- Still at least 7 characters, alphanumeric
- Can now use equivalent strength
  - Do the math to establish equivalence
  - TIP: This is a low bar – do better

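"Do the math" on this slide means comparing keyspaces. The block below is an added example (not from the deck) that computes the bits of keyspace for the baseline of at least 7 alphanumeric characters and for several constructed alternative policies, and reports which ones are at least as strong. It assumes "alphanumeric" means both letter cases plus digits (62 characters) and counts 33 printable ASCII symbols; both are assumptions to adjust to the real allowed character set.

```python
"""Keyspace arithmetic behind 'equivalent strength': compare a proposed
password policy with the slide's baseline of at least 7 alphanumeric
characters.  Added example; the policies below are constructed."""
import math

# Character-class sizes for the estimate.  33 printable ASCII symbols
# (including space) is the usual count; adjust to the allowed set.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Baseline: the slide says "at least 7 characters, alphanumeric".  Assumption:
# alphanumeric means both cases of letters plus digits (62 characters).
BASELINE = {"name": "7 alphanumeric", "min_length": 7,
            "classes": ("lower", "upper", "digit")}


def keyspace_bits(policy):
    """Bits of keyspace = length * log2(alphabet size).  This assumes every
    character is chosen uniformly at random, so it is an upper bound; chosen
    passwords carry far less entropy than the keyspace suggests."""
    alphabet = sum(CLASS_SIZES[c] for c in policy["classes"])
    return policy["min_length"] * math.log2(alphabet)


def is_equivalent(policy, baseline=BASELINE):
    """'Equivalent strength': the policy's minimum keyspace is at least the
    baseline's."""
    return keyspace_bits(policy) >= keyspace_bits(baseline)


def compare(policies, baseline=BASELINE):
    """Return (name, bits rounded to 0.1, equivalent?) for each policy."""
    return [
        (p["name"], round(keyspace_bits(p), 1), is_equivalent(p, baseline))
        for p in policies
    ]


# Constructed policies a reviewer might be asked to accept as "equivalent".
CANDIDATES = [
    {"name": "8-digit PIN", "min_length": 8, "classes": ("digit",)},
    {"name": "6 chars, all four classes", "min_length": 6,
     "classes": ("lower", "upper", "digit", "symbol")},
    {"name": "9 lowercase letters", "min_length": 9, "classes": ("lower",)},
    {"name": "7 chars, all four classes", "min_length": 7,
     "classes": ("lower", "upper", "digit", "symbol")},
]

if __name__ == "__main__":
    print(f"baseline {BASELINE['name']}: {keyspace_bits(BASELINE):.1f} bits")
    for name, bits, ok in compare(CANDIDATES):
        print(f"{name:28s} {bits:5.1f} bits  {'equivalent' if ok else 'weaker'}")
```

The six-character policy with all four character classes is the case worth noticing: a richer alphabet does not make up for the shorter minimum length, so equivalence has to be calculated rather than assumed. The baseline itself works out to under 42 bits of keyspace, which is why the slide calls it a low bar.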
Slide 12
- 2.0: “Deploy anti-virus software on all systems commonly affected by malicious software”
- Now your responsibility to make sure they continue to not need it
  - 3.0: “perform periodic evaluations to identify and evaluate evolving malware threats”

Slide 13
- These requirements have been coordinated
  - Security patches indicate vulnerabilities
  - All vulnerabilities must be ‘risk-ranked’
    - At least HIGH risk (to you)
    - Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed”
- CRITICAL vendor-supplied security patches
  - One month
- Other vendor-supplied security patches
  - ‘Appropriate’ time frame (Three months)

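The ranking and the two patch windows on this slide are simple enough to run over a patch register. The block below is an added example (not from the deck) that flags CRITICAL when any of the three quoted conditions holds and HIGH otherwise, derives each item's deadline from the vendor patch date, and reports what is overdue. The reading of "at least HIGH" as the floor of a two-tier ranking, the 30- and 90-day windows for "one month" and "three months", and the records and reference ids are all assumptions and constructed values.

```python
"""Risk-rank vulnerabilities and derive patch deadlines from the rules on the
slide.  Added example; the records below are constructed and the 30/90-day
windows are one reading of 'one month' and 'three months'."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CRITICAL_WINDOW = timedelta(days=30)  # slide: CRITICAL patches within one month
OTHER_WINDOW = timedelta(days=90)     # slide: 'appropriate' time frame, three months


@dataclass
class Vulnerability:
    ref: str                           # internal tracking id (placeholder values below)
    patch_released: date               # date the vendor-supplied patch became available
    imminent_threat: bool = False      # the three CRITICAL conditions quoted on the slide
    impacts_critical_systems: bool = False
    potential_compromise: bool = False
    patched_on: Optional[date] = None  # None while the patch is still outstanding


def risk_rank(v):
    """Assumption about the slide's wording: everything is ranked at least
    HIGH, and CRITICAL is flagged in addition when any quoted condition holds."""
    if v.imminent_threat or v.impacts_critical_systems or v.potential_compromise:
        return "CRITICAL"
    return "HIGH"


def deadline(v):
    """Patch deadline measured from the vendor release date."""
    window = CRITICAL_WINDOW if risk_rank(v) == "CRITICAL" else OTHER_WINDOW
    return v.patch_released + window


def status(v, today):
    """One of: applied on time, applied late, due, overdue."""
    due = deadline(v)
    if v.patched_on is not None:
        return "applied late" if v.patched_on > due else "applied on time"
    return "overdue" if today > due else "due"


def triage(vulns, today):
    """Report rows (ref, rank, deadline, status), overdue CRITICAL items first."""
    rows = [(v.ref, risk_rank(v), deadline(v), status(v, today)) for v in vulns]
    order = {"overdue": 0, "due": 1, "applied late": 2, "applied on time": 3}
    return sorted(rows, key=lambda r: (order[r[3]], r[1] != "CRITICAL", r[2]))


# Constructed sample register (refs are placeholders, not real advisory ids).
REGISTER = [
    Vulnerability("VULN-001", date(2014, 1, 10), imminent_threat=True),
    Vulnerability("VULN-002", date(2014, 1, 10)),
    Vulnerability("VULN-003", date(2013, 12, 1), impacts_critical_systems=True,
                  patched_on=date(2014, 1, 15)),
    Vulnerability("VULN-004", date(2013, 11, 1), patched_on=date(2014, 1, 20)),
]

if __name__ == "__main__":
    for ref, rank, due, state in triage(REGISTER, date(2014, 3, 1)):
        print(f"{ref}  {rank:8s} due {due}  {state}")
```

Keeping the `patched_on` date in the register is what turns this from a to-do list into evidence: an assessor can see not only that a patch was applied but whether it met the window that its ranking required.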
Slide 14
- NEW: Broken authentication and session management
  - Flagging session tokens … as “secure”
  - Not exposing session IDs in the URL
  - Incorporating appropriate time-outs and rotation of session IDs after a successful login
- PCI is following the OWASP Top 10
- TIP: OWASP has a new Top 10 for 2013
- TIP: Also see www.securecoding.cert.org

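The three session-management points on this slide, in code. This is an added example, not from the deck: an in-memory session store that issues random IDs, expires idle sessions and rotates the ID on login; a cookie builder that sets the Secure flag (and HttpOnly and SameSite, which go beyond the slide's wording); and a check for session IDs carried in a URL. The 15-minute idle limit, the cookie name and the list of session parameter names are assumptions, and the clock is passed in so the behaviour can be tested deterministically.

```python
"""Session handling that follows the three points on the slide: cookies
flagged Secure, no session ID in the URL, idle time-outs and rotation of the
session ID after login.  Added example, not from the deck."""
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: a 15-minute idle limit
COOKIE_NAME = "sid"             # assumption: name of the session cookie
# Heuristic list of query parameter names that commonly carry session ids.
SESSION_PARAM_NAMES = {"sid", "sessionid", "session_id", "jsessionid", "phpsessid"}


class SessionStore:
    def __init__(self):
        self._sessions = {}  # session id -> {"user": str or None, "last_seen": seconds}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def start(self, now):
        """Create an anonymous (pre-login) session and return its id."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def lookup(self, sid, now):
        """Return the session record, or None if unknown or idle too long.
        Idle sessions are deleted so their ids cannot be reused later."""
        record = self._sessions.get(sid)
        if record is None:
            return None
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        record["last_seen"] = now
        return record

    def login(self, sid, user, now):
        """Authenticate and rotate: the pre-login id is invalidated and a
        fresh one issued, so an id planted or observed before login is
        worthless afterwards (this defeats session fixation)."""
        if self.lookup(sid, now) is None:
            raise ValueError("unknown or expired session")
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "last_seen": now}
        return new_sid


def session_cookie_header(sid):
    """Build the Set-Cookie value for the session id with the protective flags."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["secure"] = True      # only ever sent over HTTPS
    cookie[COOKIE_NAME]["httponly"] = True    # not readable by page scripts
    cookie[COOKIE_NAME]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie.output(header="").strip()


def url_exposes_session(url):
    """True if the URL carries a session identifier in its query string,
    where it would end up in logs, referrers and browser history."""
    query = parse_qs(urlsplit(url).query)
    return any(name.lower() in SESSION_PARAM_NAMES for name in query)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.start(now=0.0)
    authed = store.login(anon, "alice", now=5.0)
    print("rotated on login:", anon != authed)
    print(session_cookie_header(authed))
    print("id in URL:", url_exposes_session("https://shop.example/cart?JSESSIONID=abc"))
```

The rotation in `login` is the piece most often missing in practice: reusing the pre-login id means whoever knew it before authentication still holds a valid authenticated session afterwards.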
Slide 15
- NEW: Protect devices that capture payment
  - Mandatory after July 1st 2015
  - Maintain a list of devices
  - Periodically inspect device surfaces to detect tampering
  - Training for personnel to detect tampering or replacement

Slide 16
- Scanning for rogue devices
  - Must test for all routes by which wireless devices can get in
  - Just looking for added IP addresses is not enough
  - USB etc. specifically called out
- TIP: Focus on intent, not the language

Slide 17
- Can now combine multiple scans to get a passing grade
  - Recognizes that new issues can arise during a remediation phase
  - A re-test would show new failing items
  - Avoids the never-ending cycle of not passing

Slide 18
- Greatly enhanced detail and deeper in scope
  - New goals mandatory as of July 1st, 2015
  - Test de-scoping controls
  - Review the last 12 months’ threats and vulnerabilities
  - The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment
- TIP: Don’t be sold a vulnerability assessment as a pen test
- TIP: Ask your penetration tester when they will be working with the new rules

Slide 19
- “at least annually and after significant changes to the environment”
  - Many requirements now reference your risk assessment
- TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like

Slide 20
- Plan not just for a major breach
  - It should drill down into more alerts from monitoring systems like firewalls
  - Larger mandate to choose what to monitor and where alerts should come from
- TIP: Again - focus on intent, not language

Slide 21
- Guidance regarding intent moved into the standard
- Reporting instructions moved to a template
- SAQs will be updated - not released yet
  - Expect:
    - Multiple SAQ submission will be permitted
    - New SAQs such as hosted payment pages

Slide 22
- Download and review the ‘Summary of Changes’ document now
  - Review every item and measure the impact
  - Comply with the language, but focus on the intent
- Review your ‘risk assessment’ in the light of 3.0
  - By understanding your risk, you can scale your behavior appropriately

Slide 23
- By web: www.truvantis.com
- By phone: +1 855.345.6298
- By email: info@truvantis.com
- View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw

More Related Content

What's hot

3. introduction to software testing
3. introduction to software testing3. introduction to software testing
3. introduction to software testingChandra Maddigapu
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Bossrbrockway
 
Fundamentals of testing
Fundamentals of testingFundamentals of testing
Fundamentals of testingTaufik hidayat
 
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskVulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskBeyondTrust
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskAlienVault
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Managementjpubal
 
The difference between in-depth analysis of virtual infrastructures & monitoring
The difference between in-depth analysis of virtual infrastructures & monitoringThe difference between in-depth analysis of virtual infrastructures & monitoring
The difference between in-depth analysis of virtual infrastructures & monitoringBettyRManning
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementAnton Chuvakin
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management ProgramBeyondTrust
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Rafal Los
 
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...QA or the Highway
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Cigital
 
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Jose Lopez
 
Strategizing to build a perfect test environment
Strategizing to build a perfect test environmentStrategizing to build a perfect test environment
Strategizing to build a perfect test environmentEnov8
 
Chapter 11 group assignment
Chapter 11 group assignmentChapter 11 group assignment
Chapter 11 group assignmentjandrewsxu
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementResolver Inc.
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesIvanti
 
What is an IANS CISO Workshop? Factor 3
What is an IANS CISO Workshop? Factor 3What is an IANS CISO Workshop? Factor 3
What is an IANS CISO Workshop? Factor 3IANS
 

What's hot (20)

3. introduction to software testing
3. introduction to software testing3. introduction to software testing
3. introduction to software testing
 
Enterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A BossEnterprise Class Vulnerability Management Like A Boss
Enterprise Class Vulnerability Management Like A Boss
 
Fundamentals of testing
Fundamentals of testingFundamentals of testing
Fundamentals of testing
 
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce RiskVulnerability Management: How to Think Like a Hacker to Reduce Risk
Vulnerability Management: How to Think Like a Hacker to Reduce Risk
 
Vulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize RiskVulnerability Management: What You Need to Know to Prioritize Risk
Vulnerability Management: What You Need to Know to Prioritize Risk
 
Web Application Vulnerability Management
Web Application Vulnerability ManagementWeb Application Vulnerability Management
Web Application Vulnerability Management
 
The difference between in-depth analysis of virtual infrastructures & monitoring
The difference between in-depth analysis of virtual infrastructures & monitoringThe difference between in-depth analysis of virtual infrastructures & monitoring
The difference between in-depth analysis of virtual infrastructures & monitoring
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability Management
 
10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program10 Steps to Building an Effective Vulnerability Management Program
10 Steps to Building an Effective Vulnerability Management Program
 
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
Strategies and Tactics for Effectively Managing Vulnerabilities in Diverse En...
 
Make_a_PM_Resolution_for_2007
Make_a_PM_Resolution_for_2007Make_a_PM_Resolution_for_2007
Make_a_PM_Resolution_for_2007
 
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
CoverMyQuality: Implementing a Quality Program by Rick Neighbarger and Susan ...
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
 
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
Is Using Off-the-shelf Antimalware Product to Secure Your Medical Device a Go...
 
Strategizing to build a perfect test environment
Strategizing to build a perfect test environmentStrategizing to build a perfect test environment
Strategizing to build a perfect test environment
 
Chapter 11 group assignment
Chapter 11 group assignmentChapter 11 group assignment
Chapter 11 group assignment
 
Best Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability ManagementBest Practices and ROI for Risk-based Vulnerability Management
Best Practices and ROI for Risk-based Vulnerability Management
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse
 
OSB130 Patch Management Best Practices
OSB130 Patch Management Best PracticesOSB130 Patch Management Best Practices
OSB130 Patch Management Best Practices
 
What is an IANS CISO Workshop? Factor 3
What is an IANS CISO Workshop? Factor 3What is an IANS CISO Workshop? Factor 3
What is an IANS CISO Workshop? Factor 3
 

Similar to Truvantis PCI 3.0 Webcast: Minimizing the Business Impact of the PCI-DSS 3.0 Transition

data computer .ppt
data computer .pptdata computer .ppt
data computer .pptgoodperson7
 
How to Close the SecOps Gap
How to Close the SecOps GapHow to Close the SecOps Gap
How to Close the SecOps GapBMC Software
 
Implementing Security Cs Ps
Implementing Security Cs PsImplementing Security Cs Ps
Implementing Security Cs Psdenigoin
 
Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsPriyanka Aash
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesRyan Faircloth
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-SessionRyan Faircloth
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...QA or the Highway
 
Next generation software testing trends
Next generation software testing trendsNext generation software testing trends
Next generation software testing trendsArun Kulkarni
 
Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...
Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...
Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...Symantec
 
Innovation day 2012 11. luc van goethem & frederik wouters - verhaert - 'r...
Innovation day 2012   11. luc van goethem & frederik wouters - verhaert -  'r...Innovation day 2012   11. luc van goethem & frederik wouters - verhaert -  'r...
Innovation day 2012 11. luc van goethem & frederik wouters - verhaert - 'r...Verhaert Masters in Innovation
 
STLDODN - Agile Testing in a Waterfall World
STLDODN - Agile Testing in a Waterfall WorldSTLDODN - Agile Testing in a Waterfall World
STLDODN - Agile Testing in a Waterfall WorldAngela Dugan
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramSasha Nunke
 
Web Application Penetration Tests - Reporting
Web Application Penetration Tests - ReportingWeb Application Penetration Tests - Reporting
Web Application Penetration Tests - ReportingNetsparker
 
Adopting Cloud Testing for Continuous Delivery
Adopting Cloud Testing for Continuous DeliveryAdopting Cloud Testing for Continuous Delivery
Adopting Cloud Testing for Continuous DeliverySOASTA
 
The Most Underutilized Configuration Management Features
The Most Underutilized Configuration Management Features  The Most Underutilized Configuration Management Features
The Most Underutilized Configuration Management Features Cireson
 
The AIDA toolkit: Assessing Institutional Digital Assets, by Ed Pinsent
The AIDA toolkit: Assessing Institutional Digital Assets, by Ed PinsentThe AIDA toolkit: Assessing Institutional Digital Assets, by Ed Pinsent
The AIDA toolkit: Assessing Institutional Digital Assets, by Ed PinsentJISC KeepIt project
 

Similar to Truvantis PCI 3.0 Webcast: Minimizing the Business Impact of the PCI-DSS 3.0 Transition (20)

data computer .ppt
data computer .pptdata computer .ppt
data computer .ppt
 
How to Close the SecOps Gap
How to Close the SecOps GapHow to Close the SecOps Gap
How to Close the SecOps Gap
 
1.basics of software testing
1.basics of software testing 1.basics of software testing
1.basics of software testing
 
Technology ahia 2012 jmk
Technology ahia 2012 jmkTechnology ahia 2012 jmk
Technology ahia 2012 jmk
 
Implementing Security Cs Ps
Implementing Security Cs PsImplementing Security Cs Ps
Implementing Security Cs Ps
 
Introducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy ProductsIntroducing a Security Program to Large Scale Legacy Products
Introducing a Security Program to Large Scale Legacy Products
 
A Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use CasesA Framework for Developing and Operationalizing Security Use Cases
A Framework for Developing and Operationalizing Security Use Cases
 
325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session325838924-Splunk-Use-Case-Framework-Introduction-Session
325838924-Splunk-Use-Case-Framework-Introduction-Session
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
 
Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011Arved sandstrom - the rotwithin - atlseccon2011
Arved sandstrom - the rotwithin - atlseccon2011
 
Next generation software testing trends
Next generation software testing trendsNext generation software testing trends
Next generation software testing trends
 
Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...
Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...
Data Center Security: Achieving Prevention & the Targeted Prevention Policy's...
 
System maintenance.ppt
System maintenance.pptSystem maintenance.ppt
System maintenance.ppt
 
Innovation day 2012 11. luc van goethem & frederik wouters - verhaert - 'r...
Innovation day 2012   11. luc van goethem & frederik wouters - verhaert -  'r...Innovation day 2012   11. luc van goethem & frederik wouters - verhaert -  'r...
Innovation day 2012 11. luc van goethem & frederik wouters - verhaert - 'r...
 
STLDODN - Agile Testing in a Waterfall World
STLDODN - Agile Testing in a Waterfall WorldSTLDODN - Agile Testing in a Waterfall World
STLDODN - Agile Testing in a Waterfall World
 
Planning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management ProgramPlanning and Deploying an Effective Vulnerability Management Program
Planning and Deploying an Effective Vulnerability Management Program
 
Web Application Penetration Tests - Reporting
Web Application Penetration Tests - ReportingWeb Application Penetration Tests - Reporting
Web Application Penetration Tests - Reporting
 
Adopting Cloud Testing for Continuous Delivery
Adopting Cloud Testing for Continuous DeliveryAdopting Cloud Testing for Continuous Delivery
Adopting Cloud Testing for Continuous Delivery
 
The Most Underutilized Configuration Management Features
The Most Underutilized Configuration Management Features  The Most Underutilized Configuration Management Features
The Most Underutilized Configuration Management Features
 
The AIDA toolkit: Assessing Institutional Digital Assets, by Ed Pinsent
The AIDA toolkit: Assessing Institutional Digital Assets, by Ed PinsentThe AIDA toolkit: Assessing Institutional Digital Assets, by Ed Pinsent
The AIDA toolkit: Assessing Institutional Digital Assets, by Ed Pinsent
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 

Truvantis PCI 3.0 Webcast: Minimizing the Business Impact of the PCI-DSS 3.0 Transition

  • 2.
    - The PCI DSS refresh cycle
    - What has changed in general terms
    - Review of specific, significant changes
      - Requirement 0
      - Requirements 1-12
    - Reorganization of documents
    - Final notes
    12/14/2013
  • 3. The YouTube recording of this webcast is linked from the end of the presentation and available here: http://youtu.be/mwvx1q9aMDw
  • 4.
    - IT security consulting company: www.truvantis.com
    - Authorized PCI DSS Qualified Security Assessor (QSA) Company
    - Deep, comprehensive expertise in IT security testing (pen testing, vulnerability assessments, etc.), policy creation, audit, PCI assessments and governance
    We also understand that IT security can’t get in the way of doing business!
  • 6.
    - A great deal of clarification
    - Some additional requirements
    - More useful narrative before the requirements
    - Reorganization of the documents
    - Focus on goals, not technology
    - Today, look at a few of the more important changes
  • 7.
    - Scope
      - Cannot store SAD after authorization even without the PAN
      - Determination of the scope of the CDE is the entity’s responsibility
    - Segmentation
      - If a control is used to de-scope, then that control is in-scope
      - A system can only be out of scope if its compromise would not impact the security of the CDE
  • 8.
    - Wireless
      - Don’t
    - Service providers
      - It’s still your job to monitor the compliance of your service providers
        - The fact that they have an AOC does not change that, it just helps with validation
      “For example, providing the AOC and/or relevant sections of the service provider’s ROC (redacted to protect any confidential information) could help provide all or some of the information.”
  • 9.
    - Business-as-Usual
      - Totally new section
      - Discusses how to build compliance into your daily routine
    This is not a new requirement. Consider it guidance and advice that will help.
  • 10.
    - Security policies and daily operational procedures moved into relevant sections
      - Just moving section 12 items into a more sensible place
    - NEW: Inventory of system components and the function/use
      - You probably did this anyway
      - Just leave an audit trail to show you keep it current
      - TIP: Create a task regularly to review it
  • 11.
    - Still at least 7 characters, alphanumeric
    - Can now use equivalent strength
      - Do the math to establish equivalence
    - TIP: This is a low bar – do better
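The "do the math" step on slide 11, worked through as an added example (this is not code from the webcast or from Truvantis). It assumes that "alphanumeric" means the 62 symbols a-z, A-Z, 0-9, and that "equivalent strength" means a password space at least as large as the 62^7 baseline; both are assumptions for the example, and the keyspace is an upper bound that only holds for uniformly random passwords, not human-chosen ones.

```python
import math

# Character-set sizes used below (assumptions for this example; adjust to your policy).
ALPHANUMERIC = 62      # a-z, A-Z, 0-9 (the PCI DSS 3.0 baseline set as read on the slide)
DIGITS = 10            # PIN-style passwords
LOWER_ONLY = 26
PRINTABLE_ASCII = 95   # letters, digits and punctuation


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from a set of `charset_size`.
    Integer arithmetic keeps the equivalence comparison exact."""
    if length < 1 or charset_size < 2:
        raise ValueError("length must be >= 1 and charset_size >= 2")
    return charset_size ** length


def keyspace_bits(length: int, charset_size: int) -> float:
    """The same keyspace expressed as bits: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


# PCI DSS 3.0 baseline quoted on the slide: at least 7 characters, alphanumeric.
BASELINE = keyspace(7, ALPHANUMERIC)   # 62**7, about 41.7 bits


def is_equivalent(length: int, charset_size: int, target: int = BASELINE) -> bool:
    """True when a policy of `length` symbols from `charset_size` is at least as strong
    (by keyspace, assuming uniformly random choice) as the baseline."""
    return keyspace(length, charset_size) >= target


def min_length_for_equivalence(charset_size: int, target: int = BASELINE) -> int:
    """Smallest length over `charset_size` symbols whose keyspace reaches `target`."""
    length = 1
    while keyspace(length, charset_size) < target:
        length += 1
    return length


if __name__ == "__main__":
    print(f"baseline 7 x {ALPHANUMERIC} symbols = {keyspace_bits(7, ALPHANUMERIC):.1f} bits")
    for name, size in [("digits", DIGITS), ("lowercase", LOWER_ONLY),
                       ("alphanumeric", ALPHANUMERIC), ("printable ASCII", PRINTABLE_ASCII)]:
        n = min_length_for_equivalence(size)
        print(f"{name:16s}: need {n:2d} characters ({keyspace_bits(n, size):.1f} bits)")
    # The slide calls the baseline a low bar; a 12-character passphrase from the
    # printable set gives roughly 78.8 bits, nearly double the baseline.
    print(f"12 x printable ASCII = {keyspace_bits(12, PRINTABLE_ASCII):.1f} bits")
```

Running it shows that 13 digits, 9 lowercase letters or 7 printable-ASCII characters each reach the 62^7 baseline, which is the kind of written justification an assessor will look for when a policy departs from "7 alphanumeric".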
  • 12.
    - 2.0: “Deploy anti-virus software on all systems commonly affected by malicious software”
    - Now your responsibility to make sure they continue to not need it
    - 3.0: “perform periodic evaluations to identify and evaluate evolving malware threats”
  • 13.
    - These requirements have been coordinated
      - Security patches indicate vulnerabilities
      - All vulnerabilities must be ‘risk-ranked’
        - At least HIGH risk (to you)
        - Additionally flag CRITICAL if “they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed”
    - CRITICAL vendor-supplied security patches: One month
    - Other vendor-supplied security patches: ‘Appropriate’ time frame (Three months)
  • 14.
    - NEW: Broken authentication and session management
      - Flagging session tokens … as “secure”
      - Not exposing session IDs in the URL
      - Incorporating appropriate time-outs and rotation of session IDs after a successful login
    - PCI is following OWASP Top 10
    - TIP: OWASP has a new Top 10 for 2013
    - TIP: Also see www.securecoding.cert.org
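The three session-management points on slide 14, shown together in one added example (this is not code from the webcast or from Truvantis; it is a minimal in-memory session store written for this page). The cookie name `sid`, the 15-minute idle and 8-hour absolute timeouts, and the hostname `shop.example` are assumptions for the example; the `Set-Cookie` attributes are the standard `Secure`, `HttpOnly` and `SameSite` flags.

```python
import secrets
import time
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "sid"              # assumption: the cookie that carries the session ID
IDLE_TIMEOUT = 15 * 60           # assumption: end a session after 15 min of inactivity
ABSOLUTE_TIMEOUT = 8 * 60 * 60   # assumption: end a session 8 h after it was created


@dataclass
class Session:
    user: Optional[str]   # None until the user has authenticated
    created: float
    last_seen: float


class SessionManager:
    """Server-side session store: random IDs, time-outs, and ID rotation at login."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable so the time-outs can be tested
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never guessable

    def start(self) -> str:
        """Create an anonymous (pre-login) session and return its ID."""
        now = self._clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        """Return the live session for `sid`, expiring it if either time-out has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def login(self, sid: str, user: str) -> Optional[str]:
        """Called after credentials have been verified: rotate the session ID.
        The pre-login ID is destroyed, so an ID planted before login (session
        fixation) never becomes an authenticated session."""
        if self.lookup(sid) is None:
            return None
        del self._sessions[sid]
        now = self._clock()
        new_sid = self._new_id()
        self._sessions[new_sid] = Session(user=user, created=now, last_seen=now)
        return new_sid

    def session_from_request(self, url: str, cookie_header: str) -> Optional[Session]:
        """Accept the session ID only from the Cookie header. An ID that shows up
        in the URL is treated as a leak (it lands in logs, history and Referer
        headers) and the request is not associated with any session."""
        if COOKIE_NAME in parse_qs(urlsplit(url).query):
            return None
        cookies = SimpleCookie()
        cookies.load(cookie_header)
        morsel = cookies.get(COOKIE_NAME)
        return self.lookup(morsel.value) if morsel else None


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value for the session ID: only over TLS, not readable by script,
    and not sent on cross-site requests."""
    return f"{COOKIE_NAME}={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    mgr = SessionManager()
    anon = mgr.start()
    authed = mgr.login(anon, "alice")
    print("old id still valid:", mgr.lookup(anon) is not None)   # False after rotation
    print("Set-Cookie:", set_cookie_header(authed))
    print("id in URL honoured:",
          mgr.session_from_request(f"https://shop.example/cart?sid={authed}",
                                   f"sid={authed}") is not None)   # False
```

The two checks an assessor or a code reviewer would look for are visible here: `login` returns a different ID than it was given and the old one no longer resolves, and `set_cookie_header` always carries `Secure` and `HttpOnly`. The same three properties apply whatever web framework you use; most frameworks expose them as settings rather than code.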
  • 15.
    - NEW: Protect devices that capture payment
      - Mandatory after July 1st 2015
      - Maintain a list of devices
      - Periodically inspect device surfaces to detect tampering
      - Training for personnel to detect tampering or replacement
  • 16.
    - Scanning for rogue devices
      - Must test for all routes to get wireless devices in
      - Just looking for added IP addresses is not enough
      - USB etc. specifically called out
    - TIP: Focus on intent, not the language
  • 17.
    - Can now combine multiple scans to get a passing grade
      - Recognizes that new issues can arise during a remediation phase
      - Re-test would show new failing items
      - Avoid the never-ending cycle of not passing
  • 18.
    - Greatly enhanced detail and deeper in scope
      - New goals mandatory as of July 1st, 2015
      - Test de-scoping controls
      - Review the last 12 months’ threats and vulnerabilities
      - The type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment
    - TIP: Don’t be sold a vulnerability assessment as a pen test
    - TIP: Ask your penetration tester when they will be working with the new rules
  • 19.
    - “at least annually and after significant changes to the environment”
    - Many requirements now reference your risk assessment
    - TIP: Use the new prevalence of “Risk Assessment” in the standard to help you work out what your risk assessment should look like
  • 20.
    - Plan not just for a major breach
      - It should drill down into more alerts from monitoring systems like firewalls
      - Larger mandate to choose what to monitor and where alerts should come from
    - TIP: Again - focus on intent, not language
  • 21.
    - Guidance regarding intent moved into the standard
    - Reporting instructions moved to a template
    - SAQs will be updated - not released yet
      - Expect:
        - Multiple SAQ submission will be permitted
        - New SAQs such as hosted payment pages
  • 22.
    - Download and review the ‘Summary of Changes’ document now
      - Review every item and measure the impact
      - Comply with the language, but focus on the intent
    - Review your ‘risk assessment’ in the light of 3.0
      - By understanding your risk, you can scale your behavior appropriately
  • 23.
    - By web: www.truvantis.com
    - By phone: +1 855.345.6298
    - By email: info@truvantis.com
    - View this presentation in the recorded webcast (with audio): http://youtu.be/mwvx1q9aMDw