www.sisainfosec.com
Praveen Joseph Vackayil
CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE
Introductions
SISA Consulting
PCI DSS
•PCI QSA Validation Services (PCI DSS)
•PCI ASV Scanning Services (PCI DSS)
•PCI Assurance Services (SAQ)
PA DSS
•PA QSA Validation Services (PA-DSS)
Advisory
•Risk Assessment (IS-RA)
•Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBIT, FISMA, BS 25999)
•Application Pen Test and Code Review
•Network VA and Pen Test
•Forensics
Training
•CPISI – PCI DSS Implementation
•CISRA – Risk Assessment Implementation
•OCTAVE (SEI-CMU) Security Risk Assessment Workshop
•ISO 27001 Implementation Workshop
•Business Continuity Management Workshop
•Secure Coding in .NET
•Awareness Sessions
Products
•SISA Security Assistant – Compliance Management Tool for PCI DSS, HIPAA, FFIEC, FISMA, ISO 27001 and Application Security
About SISA
•SISA Information Security Pvt Ltd, Asia
•SISA Information Security Inc., Americas
•SISA Information Security WLL, EMEA
Consulting – Training – Products
Customers in 25 Countries
Our customers are some of the world's biggest Banks, Merchants, IT, BPOs and Telecoms
PCI DSS
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
1. Network Diagram
•Formal, comprehensive and kept current; it defines the scope of the cardholder data environment
2. Network Device Administration
•Change Management for every rule and configuration change
•Console Connections
•Remote Connections
3. Network Device Maintenance
•Documented business justification for every allowed service, port and protocol
•Firewall rule review at least every 6 months
4. Placement of Firewalls
•Between the Internet and the DMZ
•Between the DMZ and the internal network, so there is no direct path between the Internet and the cardholder data environment
5. Configuration of Firewalls
•Stateful inspection
•Filter traffic between the internal and external network; deny everything not explicitly allowed
•NAT for internal IP addresses so they are not disclosed to the Internet
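The six-monthly rule review in the list above is usually done by hand against a spreadsheet. The script below is an added example of what that review checks, written for this page; it is not code from the SISA deck. The zone addresses, the Rule fields and the sample ruleset are assumptions constructed for the example, and RFC 5737 documentation addresses stand in for the DMZ.

```python
"""Firewall rule review helper (added example, not from the SISA deck).

Flags allow rules with no documented business justification, rules not
reviewed within six months, rules that join the Internet directly to the
internal (cardholder data) network without passing the DMZ, and any-port
allows from the Internet. Zones, fields and sample rules are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import Dict, List, Optional

# Assumed zones; a real review takes these from the network diagram.
INTERNET = ip_network("0.0.0.0/0")
DMZ = ip_network("203.0.113.0/24")       # RFC 5737 documentation range
INTERNAL = ip_network("10.10.0.0/16")    # where cardholder data lives
REVIEW_INTERVAL = timedelta(days=182)    # "every six months"


@dataclass
class Rule:
    name: str
    src: str                 # CIDR
    dst: str                 # CIDR
    port: str                # "any" or a port number
    action: str              # "allow" or "deny"
    justification: str = ""
    last_reviewed: Optional[date] = None


def zone_of(cidr: str) -> str:
    """Classify an address block into internal, dmz or internet."""
    net = ip_network(cidr)
    if net.subnet_of(INTERNAL):
        return "internal"
    if net.subnet_of(DMZ):
        return "dmz"
    return "internet"


def review_rule(rule: Rule, today: date) -> List[str]:
    """Findings for one rule; an empty list means the rule passes."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings                  # deny rules need no justification
    if not rule.justification.strip():
        findings.append("no business justification")
    if rule.last_reviewed is None or today - rule.last_reviewed > REVIEW_INTERVAL:
        findings.append("not reviewed in the last six months")
    if {zone_of(rule.src), zone_of(rule.dst)} == {"internet", "internal"}:
        findings.append("direct Internet <-> internal path bypasses the DMZ")
    if rule.port == "any" and ip_network(rule.src) == INTERNET:
        findings.append("any-port allow from the Internet")
    return findings


def review_ruleset(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Map each failing rule's name to its findings."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = review_rule(rule, today)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample ruleset (not taken from any real firewall).
REVIEW_DATE = date(2013, 11, 7)
SAMPLE_RULES = [
    Rule("web-in", "0.0.0.0/0", "203.0.113.10/32", "443", "allow",
         "public storefront", REVIEW_DATE - timedelta(days=30)),
    Rule("db-from-dmz", "203.0.113.10/32", "10.10.20.0/24", "5432", "allow",
         "storefront to card vault", REVIEW_DATE - timedelta(days=200)),
    Rule("legacy-any", "0.0.0.0/0", "10.10.5.5/32", "any", "allow"),
    Rule("deny-all", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
]


def sample_report() -> Dict[str, List[str]]:
    """Review the constructed ruleset as of the deck's date."""
    return review_ruleset(SAMPLE_RULES, REVIEW_DATE)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(name, "->", "; ".join(findings))
```

The check that matters most for scoping is the zone test: a rule that is individually justified can still collapse the DMZ if its source and destination sit on opposite sides of it.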
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
1. No Defaults
•Username: administrator, system, cisco, infosys
•Password: 0000, 1234
•Change or disable every default account, password and SNMP community string before a device goes on the network
2. Wireless Environments
•Change the default wireless encryption keys (WEP itself is no longer permitted for cardholder data networks; use WPA2 or stronger)
•Change the default passwords and SNMP community strings on access points
3. Device Configurations
•One primary function per server
•Only required services, protocols and daemons are enabled
•Systems are hardened to an industry-accepted standard (e.g. CIS, NIST, SANS)
4. Admin access to devices
•Console access must be authenticated
•Non-console administrative access must be strongly encrypted, e.g. SSH, TLS or VPN
•No Telnet, and no other cleartext administrative protocol
Requirement 3: Protect stored cardholder data
1. Storage
•Render the stored card number (PAN) unreadable: truncation, one-way hash, tokenisation or strong encryption; mask it when displayed (at most the first six and last four digits)
•Never store sensitive authentication data after authorisation: full track data, CVV2/CVC2/CID, PIN or PIN block, even if encrypted
2. Retention Period
•Define the business period for retention and the disposal process
•Review stored cardholder data at least every quarter
•Securely remove obsolete data
3. Key Management
•Generate strong keys
•Store keys securely, with as few key custodians as possible
•Distribute keys securely
•Change keys at the end of their cryptoperiod, and retire any key suspected of compromise
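The quarterly review of stored cardholder data only works if you can find PANs in the first place. The script below is an added example written for this page, not code from the SISA deck: it locates Luhn-valid card numbers in text, masks them to first six / last four, and flags sensitive authentication data (track data, CVV) that must not be in storage at all. The record layout and the sample dump are constructed; the card numbers in it are the well-known test numbers 4111... and 5500..., not real cards.

```python
"""Cardholder-data discovery and masking (added example, not from the SISA deck).

Finds stored PANs (Luhn check cuts false positives from order numbers),
masks them to first six / last four, and flags sensitive authentication
data (track 1/2, CVV) that must never be stored after authorisation.
Sample dump is constructed test data with published test card numbers.
"""
import re
from typing import List

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from the stripe: PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}\d*\??")
# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}\d{3}")
# A 3-4 digit value labelled cvv/cvc/cid.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\W{0,3}(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (order/phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_if_pan(candidate: str) -> str:
    digits = re.sub(r"[ -]", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_pans(text: str) -> List[str]:
    """Every Luhn-valid PAN in text, digits only, in order of appearance."""
    return [d for d in (_digits_if_pan(m.group()) for m in PAN_RE.finditer(text)) if d]


def mask_pan(pan: str) -> str:
    """First six and last four may be shown; the middle is masked (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_text(text: str) -> str:
    """Replace every PAN in text with its masked form; leave other numbers alone."""
    def repl(m: "re.Match") -> str:
        digits = _digits_if_pan(m.group())
        return mask_pan(digits) if digits else m.group()
    return PAN_RE.sub(repl, text)


def find_sad(text: str) -> List[str]:
    """Kinds of sensitive authentication data present; must be empty in storage."""
    hits = []
    if TRACK1_RE.search(text):
        hits.append("track1")
    if TRACK2_RE.search(text):
        hits.append("track2")
    if CVV_RE.search(text):
        hits.append("cvv")
    return hits


# Constructed sample of a log/database export (test card numbers only).
SAMPLE_DUMP = """
order=10001 card=4111 1111 1111 1111 exp=12/25
order=10002 card=5500000000000004 cvv2=123
order=10003 ref=1234567890123456
swipe=;4111111111111111=2512101?
"""

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_DUMP))
    print("SAD found:", find_sad(SAMPLE_DUMP))
    print(mask_text(SAMPLE_DUMP))
```

Run it over database exports, log archives and file shares before each quarterly review; anything `find_sad` reports is a finding regardless of retention period, and anything `find_pans` reports outside the documented retention period is obsolete data to remove.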
Requirement 4: Encrypt transmission of cardholder data across open, public networks
1. Encrypt card numbers sent over the Internet, wireless networks, GPRS, GSM
•SSH, SSL/TLS, IPsec are acceptable under PCI DSS 2.0 (note: SSL and early TLS were later withdrawn as acceptable protocols by PCI DSS 3.1; use TLS 1.2 or higher)
•Wireless networks carrying cardholder data must use strong encryption such as WPA2; WEP is not permitted
2. Never send unprotected card numbers over e-mail, chat or other end-user messaging
Requirement 5: Use and regularly update anti-virus software or programs
1. Scope
•All systems commonly affected by malware must have AV; in practice this means every Windows system
2. AV should be
•On, and not disabled or altered by users
•Updated
•Running periodic scans
•Getting automatic updates
3. AV Logs
•At the AV server end
•At the AV client end
•Retained as per the one-year rule, with the most recent 3 months immediately available
Requirement 6: Develop and maintain secure systems and applications
1. Patch Management
•Latest vendor patches on all systems
•Deploy critical patches within 30 days of release
•Risk ranking of newly discovered vulnerabilities (e.g. High / Medium / Low)
•Refer to external sources (vendor advisories, CVE/NVD) for vulnerabilities
2. Application Development
•Code review before release to production, by someone other than the author
•Change Management, with separate development/test and production environments
3. Custom Code Should Address
•SQL Injection and other injection flaws
•Buffer Overflow
•Cross Site Scripting
•Cross Site Request Forgery, insecure cryptographic storage, insecure communications, improper error handling, etc.
4. Public Facing Applications
•WAF in front of the application, or
•Application vulnerability assessment at least annually and after any change
Requirement 7: Restrict access to cardholder data by business need to know
1. Assigning Access to CHD
•Job-related need only, least privilege
•Documented approval mechanism for access
2. Implementing Access to CHD
•Automated access control system
•Default deny-all setting
Requirement 8: Assign a unique ID to each person with computer access
1. Password Requirements
•History (no reuse of the last 4), lifetime (change at least every 90 days), length (7 characters minimum), complexity (letters and digits)
•One unique ID per user; no shared or generic accounts
2. Account Lockout, Forgot Password
•Lockout after at most 6 failed attempts, for at least 30 minutes
•Password reset process that verifies the user's identity before the reset
•Re-authenticate after 15 minutes idle
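The headings above stand for concrete numbers in PCI DSS 2.0 (8.5.9 to 8.5.14). The class below is an added example for this page, not code from the SISA deck, showing those parameters enforced together: length and composition, a salted-hash history of the last four passwords, 90-day expiry, and lockout after six failures for 30 minutes. The in-memory account record, the user name and the scenario are constructed for the example.

```python
"""Requirement 8 password and lockout controls (added example, not from the SISA deck).

PCI DSS v2.0 parameters: minimum length 7 with letters and digits
(8.5.10, 8.5.11), change at least every 90 days (8.5.9), no reuse of
the last four passwords (8.5.12), lock after at most six failed attempts
for at least 30 minutes (8.5.13, 8.5.14). Account store is constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 4
MAX_FAILURES = 6
LOCKOUT = timedelta(minutes=30)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, username: str, password: str, now: datetime):
        self.username = username
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.changed_at = now
        self.failures = 0
        self.locked_until: Optional[datetime] = None
        self._set(password, now)

    def _matches_history(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt), h)
                   for salt, h in self.history)

    def _set(self, password: str, now: datetime) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # current + last three
        self.changed_at = now

    def check_policy(self, password: str) -> List[str]:
        """Reasons a proposed password is rejected; empty list means acceptable."""
        problems = []
        if len(password) < MIN_LENGTH:
            problems.append("shorter than 7 characters")
        if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
            problems.append("must contain both letters and digits")
        if self._matches_history(password):
            problems.append("matches one of the last four passwords")
        return problems

    def change_password(self, new_password: str, now: datetime) -> List[str]:
        problems = self.check_policy(new_password)
        if not problems:
            self._set(new_password, now)
        return problems

    def login(self, password: str, now: datetime) -> str:
        """Return 'ok', 'locked', 'expired' or 'bad-password'."""
        if self.locked_until and now < self.locked_until:
            return "locked"
        salt, h = self.history[-1]
        if not hmac.compare_digest(hash_password(password, salt), h):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT
                self.failures = 0
            return "bad-password"
        self.failures = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"          # force a change before granting access
        return "ok"


def lockout_scenario() -> List[str]:
    """Walk one constructed account through failures, lockout, rotation and expiry."""
    t0 = datetime(2013, 11, 7, 9, 0)
    acct = Account("alice", "Winter2013", t0)
    out = [acct.login("Winter2013", t0)]                              # ok
    out += [acct.login("wrong", t0) for _ in range(MAX_FAILURES)]     # 6 x bad-password
    out.append(acct.login("Winter2013", t0 + timedelta(minutes=10)))  # locked
    out.append(acct.login("Winter2013", t0 + timedelta(minutes=31)))  # ok again
    out.append(",".join(acct.change_password("short1", t0)))
    out.append(",".join(acct.change_password("abcdefgh", t0)))
    out.append(",".join(acct.change_password("Winter2013", t0)))      # reuse
    out.append(",".join(acct.change_password("Spring2014", t0)))      # "" = accepted
    out.append(acct.login("Spring2014", t0 + timedelta(days=100)))    # expired
    return out


if __name__ == "__main__":
    print(lockout_scenario())
```

Note that the failure counter is reset when the lockout is applied, so the next six attempts after the lockout expires count afresh, and that `hmac.compare_digest` is used for every hash comparison so timing does not leak which bytes matched.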
Requirement 9: Restrict physical access to cardholder data
1. CCTV recordings, retained for at least 3 months
2. Access card logs
3. Visitor management (badges, visitor log)
4. Media management (classification, secure storage, tracked transport, destruction)
Requirement 10: Track and monitor all access to network resources and cardholder data
1. Every system and network component has to have logs
2. Things that must be logged:
•Access to CHD
•Admin activities
•Access to logs
•Invalid logical access attempts
•Use of identification and authentication mechanisms
•Initialization of logs
•Creation/deletion of system-level objects
•Each entry records user, event type, date and time, success or failure, origin, and the affected resource
3. Log Retention
•At least one year, with the most recent 3 months immediately available for analysis
4. NTP: synchronised clocks on all systems, taken from trusted time sources
5. FIM on logs: file-integrity monitoring or change detection so log data cannot be altered without an alert
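Two of the points above are easy to check mechanically: whether every host has actually emitted each of the event types in the "must be logged" list, and whether the archive really holds a year of logs with the last three months online. The script below is an added example for this page, not code from the SISA deck; the record layout, host names and sample events are constructed for it.

```python
"""Audit-log coverage and retention checks (added example, not from the SISA deck).

Coverage: parse audit events and report, per host, which of the event
types PCI DSS 10.2 requires have never been recorded. Retention (10.7):
at least one year of logs, the most recent three months immediately
available. Record layout, hosts and sample events are constructed.
"""
import re
from datetime import date, timedelta
from typing import Dict, List, Set

# Event types PCI DSS 10.2 requires for every in-scope system component.
REQUIRED_EVENTS = {
    "chd_access",      # 10.2.1 individual access to cardholder data
    "admin_action",    # 10.2.2 actions taken with root/administrative privileges
    "log_access",      # 10.2.3 access to audit trails
    "auth_failure",    # 10.2.4 invalid logical access attempts
    "auth_use",        # 10.2.5 use of identification and authentication mechanisms
    "log_init",        # 10.2.6 initialisation of the audit logs
    "object_change",   # 10.2.7 creation and deletion of system-level objects
}

# Assumed record layout: "<YYYY-MM-DD> <host> <event_type> <detail>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\S+) (.*)$")

ONLINE_WINDOW = timedelta(days=90)   # "3 months" immediately available
RETENTION = timedelta(days=365)      # "1 year" kept in total


def parse_events(lines: List[str]) -> Dict[str, Set[str]]:
    """Map host -> set of event types seen; malformed lines are skipped."""
    seen: Dict[str, Set[str]] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, host, event, _ = m.groups()
        seen.setdefault(host, set()).add(event)
    return seen


def missing_events(lines: List[str]) -> Dict[str, List[str]]:
    """Per host, the 10.2 event types for which no record exists at all."""
    return {host: sorted(REQUIRED_EVENTS - events)
            for host, events in parse_events(lines).items()
            if REQUIRED_EVENTS - events}


def retention_status(log_date: str, today: str) -> str:
    """'online' (<= 3 months, must be searchable), 'archive' (<= 1 year) or 'expired'."""
    age = date.fromisoformat(today) - date.fromisoformat(log_date)
    if age <= ONLINE_WINDOW:
        return "online"
    if age <= RETENTION:
        return "archive"
    return "expired"


def retention_gaps(log_dates: List[str], today: str) -> List[str]:
    """ISO dates inside the one-year window with no log file: a 10.7 failure."""
    have = {date.fromisoformat(d) for d in log_dates}
    end = date.fromisoformat(today)
    return [(end - timedelta(days=n)).isoformat()
            for n in range(RETENTION.days + 1)
            if end - timedelta(days=n) not in have]


# Constructed sample events (hosts and users are fictitious).
SAMPLE_LOG = [
    "2013-11-01 pos-db-01 auth_use user=jsmith method=password result=ok",
    "2013-11-01 pos-db-01 auth_failure user=root method=ssh-key result=fail",
    "2013-11-01 pos-db-01 admin_action user=root cmd='service auditd restart'",
    "2013-11-01 pos-db-01 log_init file=/var/log/audit/audit.log",
    "2013-11-02 pos-db-01 chd_access user=app table=card_vault rows=1",
    "2013-11-02 pos-db-01 object_change user=root op=create table=card_vault_archive",
    "2013-11-02 pos-web-01 auth_use user=admin method=password result=ok",
    "2013-11-02 pos-web-01 admin_action user=admin cmd='iptables -F'",
    "this line is not a valid record",
]

# Constructed archive index: one daily file for the past year, two days missing.
TODAY = "2013-11-07"
SAMPLE_ARCHIVE = [(date(2013, 11, 7) - timedelta(days=n)).isoformat()
                  for n in range(366) if n not in (10, 200)]

if __name__ == "__main__":
    print("missing event types:", missing_events(SAMPLE_LOG))
    print("archive gaps:", retention_gaps(SAMPLE_ARCHIVE, TODAY))
```

A host that never logs one of the required types is the more common finding than a host that logs nothing: the audit subsystem is on, but access to the audit trail itself, or initialisation of the log, was never configured as an event.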
Requirement 11: Regularly test security systems and processes
1. VA
•Internal VA
•External VA by an Approved Scanning Vendor (ASV)
•Every quarter and after any significant change, repeated until passing scans are achieved
2. PT
•Internal PT
•External PT
•Annually and after any significant infrastructure or application change
3. Wireless scans for rogue access points, at least quarterly
4. IDS/IPS at the perimeter of, and at critical points inside, the cardholder data environment
5. FIM, with critical-file comparisons at least weekly
Risk rating scale: High / Medium / Low
Requirement 12: Maintain a policy that addresses information security for all personnel
1. Risk Assessment
•Formal methodology, performed at least annually and after significant changes
•e.g. ISO 27005, NIST SP 800-30, OCTAVE, etc.
2. HR
•Recruitment
•Background checks
•NDA
•Awareness training on hire and at least annually
•ID creation/deletion
•Termination
3. Acceptable Usage Policy
4. Operational Security Policy
5. Information Security Policy, reviewed at least annually
6. Service Providers: written agreements acknowledging their responsibility for the cardholder data they handle; monitor their compliance status annually
7. Incident Management: incident response plan, tested at least annually
PCI DSS 3.0
Dates
•PCI DSS 3.0 will be published on 7 November 2013
•Version 3.0 takes effect on 1 January 2014; during 2014 an assessment may be performed against either version
•Version 2.0 will remain active until 31 December 2014
Requirement 1
1. Updated network diagram, plus a current diagram of all cardholder data flows across systems and networks
2. Updated inventory of all in-scope system components, with the function of each
Requirement 5
1. Systems not commonly affected by malware (e.g. non-Windows) must be periodically evaluated to confirm whether they now need AV; AV must not be disabled or altered by users
Requirement 6
1. Update the list of application vulnerabilities that custom code must address as per current industry guidance (OWASP, NIST, SANS, etc.)
Requirement 8
1. Security requirements for authentication mechanisms other than passwords
•Tokens
•Smart cards
•Certificates
•Each must be assigned to an individual account and must not be shared
Requirement 11
1. More stringent requirements for penetration testing: an industry-accepted methodology (e.g. NIST SP 800-115), coverage of the whole CDE perimeter and critical systems, testing at both the application and network layers, and testing that segmentation controls actually isolate the CDE
Requirement 12
1. Maintain a list of service providers and what services they offer
2. Maintain information about which PCI DSS requirements are managed by each service provider and which remain with the entity
3. Service providers must acknowledge in writing their responsibility for the security of the cardholder data they possess
4. Risks pertaining to service providers: due diligence before engagement and annual monitoring of their compliance status
Thank You

PCI DSS in Pictures and What to Expect in PCI 3.0

  • 1. www.sisainfosec.com Praveen Joseph Vackayil CISSP, PCI QSA, CCNA, ISO 27001 LA, MS, BE
  • 3. SISA Consulting PCI DSS •PCI QSA Validation Services (PCI-DSS) •PCI ASV Scanning Services (PCI-DSS) •PCI Assurance Services (SAQ) PA DSS •PA QSA Validation Services (PA-DSS) Advisory •Risk Assessment (IS-RA) •Privacy and Standards Compliance (ISO 27001, GLBA, HIPAA, DPA, COBITFISMA, BS 25999) •Application Pen Test and Code Review •Network VA and Pen Test •Forensics Training •CPISI – PCI DSS Implementation •CISRA – Risk Assessment Implementation •OCTAVE (SEI-CMU) Security Risk Assessment Workshop •ISO 27001 Implementation Workshop •Business Continuity Management Workshop •Secure Coding in Dot-Net •Awareness Sessions Products •SISA Security Assistant Compliance Management Tool for •PCI DSS •HIPAA •FFIEC •FISMA •ISO 27001 •Application Security
  • 4. •SISA Information Security Pvt Ltd, Asia •SISA Information Security Inc., Americas •SISA Information Security WLL, EMEA Consulting– Training –Products Customers in 25 Countries About SISA Our customers are some of the world’s biggest Banks, Merchants, IT, BPOs and Telecoms
  • 7.
    1. Network Diagram
      • Formal
      • Comprehensive
    2. Network Device Administration
      • Change Management
      • Console Connections
      • Remote Connections
    3. Network Device Maintenance
      • Business Justifications
      • Firewall Rule Review every 6 months
    4. Placement of Firewalls
      • Between Internet and DMZ
      • Between DMZ and Internal Network
    5. Configuration of Firewalls
      • Stateful Inspection
      • Filtering Traffic between Internal and External network
      • NAT for internal IP Addresses
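The rule-maintenance and placement items on the slide above (PCI DSS Requirement 1) are the kind of thing an assessor checks by walking the rule base. The following is an added example, not code from the deck or from SISA: a small rule-review script that flags allow rules with no documented business justification, rules whose last review is older than the six-month interval, and rules that let Internet traffic reach the internal network without passing through the DMZ. The rule set, the zone names and the 182-day approximation of "6 months" are constructed assumptions for this example.

```python
"""Added example: firewall rule review for the Requirement 1 items above.
Not from the original deck; the rule base and zone names are constructed."""
from datetime import date, timedelta

# "Every 6 months" approximated as 182 days (assumption for this example).
REVIEW_INTERVAL = timedelta(days=182)

# Constructed rule base. Zones are the three tiers the slide names:
# internet -> dmz -> internal. Ports and dates are made up.
RULES = [
    {"id": 1, "src": "internet", "dst": "dmz", "port": 443, "action": "allow",
     "justification": "Public web front end", "last_review": date(2013, 9, 1)},
    {"id": 2, "src": "dmz", "dst": "internal", "port": 1433, "action": "allow",
     "justification": "Web tier to DB", "last_review": date(2013, 2, 1)},
    {"id": 3, "src": "internet", "dst": "internal", "port": 3389, "action": "allow",
     "justification": "", "last_review": date(2013, 9, 1)},
    {"id": 4, "src": "any", "dst": "any", "port": "any", "action": "deny",
     "justification": "Default deny", "last_review": date(2013, 9, 1)},
]


def review_rules(rules, today):
    """Return (rule id, finding) pairs for every allow rule that fails a check."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        # Requirement 1: every permitted service needs a documented business reason.
        if not rule["justification"].strip():
            findings.append((rule["id"], "no documented business justification"))
        # Rule sets are reviewed at least every six months.
        if today - rule["last_review"] > REVIEW_INTERVAL:
            findings.append((rule["id"], "not reviewed in the last 6 months"))
        # Placement: Internet traffic must terminate in the DMZ, never go straight inside.
        if rule["src"] == "internet" and rule["dst"] == "internal":
            findings.append((rule["id"],
                             "internet reaches internal network without passing through the DMZ"))
    return findings


def ends_with_default_deny(rules):
    """A filtering policy should finish with an explicit deny-all rule."""
    if not rules:
        return False
    last = rules[-1]
    return last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"


if __name__ == "__main__":
    today = date(2013, 10, 1)  # constructed review date
    for rule_id, finding in review_rules(RULES, today):
        print("rule %d: %s" % (rule_id, finding))
    print("default deny present:", ends_with_default_deny(RULES))
```

Run against the constructed rule base on 2013-10-01 this reports rule 2 as overdue for review and rule 3 twice, once for the missing justification and once for bypassing the DMZ; a real review would feed it the exported rule base and a ticket or spreadsheet column for the justification.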
  • 8.
    1. No Defaults
      • Username: administrator, system, cisco, infosys
      • Password: 0000, 1234
    2. Wireless Environments
      • Change the default WEP keys
      • Change the default passwords on access points
    3. Device Configurations
      • One primary function per server
      • Only required services are enabled
      • Systems are hardened
    4. Admin access to devices
      • Console access should be authenticated
      • Non-console access should be strongly encrypted, e.g. SSH
      • No Telnet
  • 9.
    1. Storage
      • Protect Stored Card Number
      • Do not store CVV or Track Data
    2. Retention Period
      • Define business period for retention
      • Review stored cardholder data every quarter
      • Remove obsolete data
    3. Key Management
      • Generate strong keys
      • Store keys securely
      • Distribute keys securely
      • Change keys at the end of their lifetime
  • 10.
    1. Encrypt card numbers sent over the Internet, wireless networks, GPRS, GSM
      • SSH, SSL/TLS, IPSec are acceptable
    2. Never send unprotected card numbers over e-mail or chat
  • 11.
    1. Scope
      • All Windows systems must have AV
    2. AV should be
      • On
      • Updated
      • Running periodic scans
      • Getting automatic updates
    3. AV Logs
      • At AV server end
      • At AV client end
      • Retained as per the 3 months / 1 year rule
  • 12.
    1. Patch Management
      • Latest patches on all systems
      • Deploy critical patches in 30 days
      • Risk ranking
      • Refer to external sources for vulnerabilities
    2. Application Development
      • Code review
      • Change management
    3. Custom Code Should Address
      • SQL Injection
      • Buffer Overflow
      • Cross Site Scripting
      • Cross Site Request Forgery, etc.
    4. Public Facing Applications
      • WAF, or
      • Application VA annually
  • 13.
    1. Assigning Access to CHD
      • Job related need
      • Approval mechanism for access
    2. Implementing Access to CHD
      • Automated access control system
      • Default deny-all setting
  • 14.
    1. Password Requirements
      • History, Lifetime, Length, Complexity
    2. Account Lockout, Forgot Password
      • Password Reset Process
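The slide above lists the password controls (history, lifetime, length, complexity, lockout) without their numeric thresholds. The block below is an added example, not code from the deck or from SISA, showing how those controls look when enforced in an application's authentication layer. The thresholds are the PCI DSS v3.0 Requirement 8 values as this example's author recalls them (7 characters with letters and digits, 90-day lifetime, last 4 passwords, lockout after 6 failures for 30 minutes); treat them as assumptions and confirm against the standard. Password history is stored salted and hashed with PBKDF2 so that old passwords are never kept in the clear.

```python
"""Added example: password policy and lockout for the Requirement 8 items above.
Not from the original deck. Thresholds are assumed PCI DSS v3.0 values."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 7                    # assumed 8.2.3: at least seven characters
MAX_AGE = timedelta(days=90)      # assumed 8.2.4: change at least every 90 days
HISTORY_DEPTH = 4                 # assumed 8.2.5: not one of the last four passwords
MAX_FAILED = 6                    # assumed 8.1.6: lock after six failed attempts
LOCKOUT = timedelta(minutes=30)   # assumed 8.1.7: lock for at least 30 minutes
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) so history is stored hashed."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(candidate, history):
    """history: list of (salt, digest) pairs, most recent first.
    Returns the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if any(matches(candidate, salt, digest) for salt, digest in history[:HISTORY_DEPTH]):
        problems.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    return problems


def password_expired(last_changed, now):
    """Lifetime check: force a change once the password is older than MAX_AGE."""
    return now - last_changed > MAX_AGE


class LockoutTracker:
    """Counts failed logins per user and enforces the lockout window."""

    def __init__(self):
        self._state = {}  # user -> {"failed": int, "locked_until": datetime or None}

    def is_locked(self, user, now):
        state = self._state.get(user)
        if not state or state["locked_until"] is None:
            return False
        if now >= state["locked_until"]:   # window elapsed: clear the counter
            self._state.pop(user)
            return False
        return True

    def record_failure(self, user, now):
        """Register a failed attempt; returns True when the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        state = self._state.setdefault(user, {"failed": 0, "locked_until": None})
        state["failed"] += 1
        if state["failed"] >= MAX_FAILED:
            state["locked_until"] = now + LOCKOUT
            return True
        return False

    def record_success(self, user):
        """A successful login resets the failure counter."""
        self._state.pop(user, None)


if __name__ == "__main__":
    history = [hash_password("Summer13")]  # constructed previous password
    print(check_new_password("Summer13", history))    # reused password
    print(check_new_password("Winter2014", history))  # acceptable
    tracker = LockoutTracker()
    now = datetime(2013, 11, 7, 9, 0)
    for _ in range(MAX_FAILED):
        locked = tracker.record_failure("alice", now)
    print("locked after %d failures:" % MAX_FAILED, locked)
```

The forgot-password flow the slide mentions is not modelled here; whatever reset mechanism is used should call `record_success` only after the user has re-authenticated, otherwise a reset becomes a way around the lockout.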
  • 15.
    1. CCTV Recordings
    2. Access Card Logs
    3. Visitor Management
    4. Media Management
  • 16.
    1. Every system and network component has to have logs
    2. Things that must be logged:
      • Access to CHD
      • Admin activities
      • Access to logs
      • Use of authentication mechanisms
      • Initialization of logs
      • Creation/deletion of system level objects
    3. Log Retention
      • 3 months – 1 year rule
    4. NTP
    5. FIM on logs
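The slide above lists what must be logged, the 3 month / 1 year retention rule and FIM on logs, which is exactly what an assessor samples when reviewing Requirement 10. The block below is an added example, not code from the deck or from SISA: it parses a constructed key=value audit log, checks that every record carries the event details (user, event type, timestamp, outcome, origin, affected resource; this field set is the example author's reading of PCI DSS 10.3), reports which of the slide's required event classes never appear, classifies log files by age under the retention rule, and computes a SHA-256 baseline for a simple FIM check. The log lines, the event tag names and the key=value format are constructed assumptions.

```python
"""Added example: audit log checks for the Requirement 10 items above.
Not from the original deck; log lines, tags and format are constructed."""
import hashlib
from datetime import date, timedelta

# Event detail every record must carry (example author's reading of PCI DSS 10.3).
REQUIRED_FIELDS = ("ts", "user", "event", "result", "origin", "target")

# One tag per event class the slide says must be logged (tag names are assumptions).
REQUIRED_EVENTS = {"chd_access", "admin_action", "log_access",
                   "auth", "log_init", "object_change"}

ONLINE_WINDOW = timedelta(days=90)    # "3 months" immediately available for analysis
RETAIN_WINDOW = timedelta(days=365)   # "1 year" total retention

# Constructed sample: line 5 lacks an origin, and no object_change event is present.
SAMPLE_LOG = """\
ts=2013-10-01T08:00:01Z user=sys event=log_init result=success origin=10.0.0.5 target=auditd
ts=2013-10-01T08:02:10Z user=alice event=auth result=failure origin=10.0.1.20 target=pos-db01
ts=2013-10-01T08:02:30Z user=alice event=auth result=success origin=10.0.1.20 target=pos-db01
ts=2013-10-01T08:05:00Z user=alice event=chd_access result=success origin=10.0.1.20 target=cardholder.pan
ts=2013-10-01T08:09:12Z user=root event=admin_action result=success target=pos-db01
ts=2013-10-01T08:15:44Z user=bob event=log_access result=success origin=10.0.1.31 target=/var/log/audit
"""


def parse_line(line):
    """key=value tokens separated by whitespace -> dict (values contain no spaces)."""
    return dict(token.split("=", 1) for token in line.split())


def validate_log(text):
    """Parse every non-empty line. Returns (records, problems), where problems is a
    list of (line number, missing field names) for records lacking required detail."""
    records, problems = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        record = parse_line(line)
        missing = [field for field in REQUIRED_FIELDS if field not in record]
        if missing:
            problems.append((lineno, missing))
        records.append(record)
    return records, problems


def coverage_gaps(records):
    """Required event classes that never appear in the sample (sorted for stable output)."""
    seen = {record["event"] for record in records if "event" in record}
    return sorted(REQUIRED_EVENTS - seen)


def retention_status(log_date, today):
    """'online' within 3 months, 'archive' up to 1 year, 'expired' beyond that."""
    age = today - log_date
    if age <= ONLINE_WINDOW:
        return "online"
    if age <= RETAIN_WINDOW:
        return "archive"
    return "expired"


def fingerprint(text):
    """FIM baseline for a log file: SHA-256 over its content."""
    return hashlib.sha256(text.encode()).hexdigest()


def fim_changed(text, baseline):
    """True when the current content no longer matches the recorded baseline."""
    return fingerprint(text) != baseline


if __name__ == "__main__":
    records, problems = validate_log(SAMPLE_LOG)
    print("records:", len(records), "incomplete:", problems)
    print("event classes never logged:", coverage_gaps(records))
    today = date(2013, 11, 7)  # constructed assessment date
    for d in (date(2013, 10, 1), date(2013, 6, 1), date(2012, 10, 1)):
        print(d, retention_status(d, today))
    print("baseline:", fingerprint(SAMPLE_LOG)[:16], "...")
```

`retention_status` uses 90 and 365 days for the slide's "3 months" and "1 year"; the FIM check here only shows the comparison, a deployed FIM agent would store baselines off-host and alert on change, since a log that an attacker can rewrite is no evidence at all.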
  • 17.
    1. VA
      • Internal VA
      • External VA by an ASV
      • Every quarter
    2. PT
      • Internal PT
      • External PT
      • Annually
    3. Wireless Scans
    4. IDS/IPS
    5. FIM
    (Risk rating legend on the slide: High / Med / Low)
  • 18.
    1. Risk Assessment
      • Formal methodology, e.g. ISO 27005, NIST SP 800-30, OCTAVE, etc.
    2. HR
      • Recruitment
      • Background checks
      • NDA
      • Awareness
      • ID creation/deletion
      • Termination
    3. Acceptable Usage Policy
    4. Operational Security Policy
    5. Information Security Policy
    6. Service Providers
    7. Incident Management
  • 20. Dates
    • PCI DSS 3.0 will be published on 7 November 2013
    • Version 3.0 becomes optional from 1 January 2014 onwards
    • Version 2.0 will remain active until 31 December 2014
  • 21. 1. Updated Network Diagram 2. Updated Hardware Inventory
  • 22. 1. AV is required on Non-Windows based systems also
  • 23. 1. Update list of application vulnerabilities as per OWASP, NIST, SANS, etc.
  • 24. 1. Security Requirements for Authentication Mechanisms Other than Passwords
    • Tokens
    • Smart Cards
  • 25. 1. More Stringent Requirements for Penetration Testing
  • 26.
    1. Maintain a list of service providers and what services they offer
    2. Service providers should maintain their applicable PCI requirements
    3. Risks pertaining to service providers