Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009.

Published byVicente Roy Modified over 9 years ago

Similar presentations

Presentation on theme: "PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009."— Presentation transcript:

1 PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009

2 Today’s Presentation Security Stats Why PCI:DSS What does PCI:DSS mean to you Steps to becoming compliant Tips and Take Aways Question Time

3 About Me Founder – Security Active Security Manager – Atos Origin Senior Security and Risk Consultant – Zurich Global Network & Security Architect – GE Security Research Presenting / Lecturing Security Bloggers Meet Up Blogging / Podcasting / Twittering Consulting / Education / Awareness Ethical Hacker. Net Board of Advisors Hackers for Charity / iT4Communities

4 Security Stats Stats are from the Verizon Business Data Breach Investigations Report http://www.verizonbusiness.com/resources/security/databreachreport.pdf

5 Data Breaches Payment Card Data - Most Wanted Companies unaware of breach occurance

6 Exploitation Hacking and Malicious Code Top for Exploitation Methods Applications and OS targeted by Attackers

7 Threat Points Online presence increased risk Don't underestimate the insider threat

8 Simples Companies unaware of data existence Attacks are easy to carry out, and many could have been prevented

9 Why PCI:DSS ??

10 In the Media

11 The Creation of PCI:DSS Payment Card Industry : Data Security Standard Card Fraud pushed to an unsustainable level Security of information is an important factor to protect against financial loss, as well as reputational loss PCI:DSS is the card schemes response Secure transmission, storage and processing of card holder data. Coverage of systems, policies, and procedures

12 What's it all about? Increase security of card holder data Coverage of entire payments process Backing from the card schemes and banks mandatoryCompliance is mandatory Based on best practice Over 232 controls in 12 areas June 2005 Deadline July 2007 Deadline All merchants to define a compliance date 18% of companies in the UK are compliant

13 What can PCI:DSS Do For You? Brand reputation protection Framework to build upon Understanding of information in your business Improved security controls Documented and formalised process and policy Acceptance and reduction of risk Competitive edge Reduced processing costs Avoid fines and legal costs Continue accepting cards Safe Harbour

14 Who’s Who

15 What does PCI:DSS mean to you?

16 PCI:SS Requirements Build and Maintain a Secure Network Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other parameters Protect Cardholder Data Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications

17 PCI:SS Requirements Implement Strong Access Control Measures Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Maintain a policy that addresses information security

18 Steps to becoming Compliant

19 Merchant Requirements

20 Self Assessment Questionnaire Subset of the full Onsite Audit Criteria Completed by the merchant Submitted to the Acquirer Made up of Yes / No / Not Applicable responses Broken up into the six sections of requirement

21 Compliance Life Cycle Pre- Assessment / Gap Analysis Implement / Remediate PCI:DSS Certification Ongoing Compliance monitoring

22 Road to compliance Senior Manager Support Understand the task at hand Identify applications and locations of cardholder data Produce network diagrams and data flows Identify compliance gaps to the 12 requirements Obtain required expertise Establish the scope for compliance Engage with 3 rd parties Conduct vulnerability scans Prioritise remediation activities Clarify compliance on submission of SAQ

23 Key Controls Systems / Technology Network Segmentation System Hardening Encryption Anti-Virus / Anti-Malware Access Controls Password Controls Physical Access Controls Centralized Logging File Integrity Monitoring IDS / IPS Scanning (Wireless & Vulnerabilities)

24 Key Controls Procedures Systems Build Encryption Key Management Secure Applications Development Security Testing (Vuln Scanning & Pen Tests) Log Review Annual Risk Assessment Policies / Procedures Annual Review & Issue Security Awareness Incident Response Annual TestingPeople Background Checks, Security Awareness

25 What’s in Scope? Firewalls / Switches / Routers / Network Appliances / Servers / Workstations / Laptops

26 PA-DSS Payment Application Data Security Standard Required 1 st July 2010Based on Visa’s (Payment Application Best Practices) Required 1 st July 2010 Purpose and scope Payment applications must facilitate (not prevent) PCI:DSS compliance Applies only to payment applications developed by 3 rd parties Goals for Software Development Application must not retain mag stripe data Application must encrypt cardholder data Guidance for PCI:DSS compliant implementation

27 QSA Review / Assessment Detailed audit against PCI:DSS Targets all systems and networks storing, processing or transmitting cardholder data Review of contractual relationships Performed by a VISA certified provider (QSA) Report on compliance submitted to Acquirer

28 Assessment Examples

29 Common Compliance Issues Scoping of project is to large Flat network and no segmentation Legacy systems, and non compliant software Lack of knowledge to interpret controls Lack of formal processes and procedures Confusion of systems scoping Storage, processing and transmitting of data with no business requirement Non compliant 3 rd parties Significant cost to full compliance Evaluation of compensating controls

30 Consequence of non compliance Monthly fine for non compliance Increased cost for processing cards Damage to brand reputation Customers sue for negligence Increased risk of security breach Costly investigative charges No safe harbour Acquirer refuses to allow card processing

31 Misconceptions Self assessment means your compliant Compliance means you wont suffer a breach Outsourcing takes away your need for compliance PCI:DSS is just about IT A single product can make you compliant Compliance can be automated

32 Tips and Take Aways Reduce your scope Ensure senior buy in Prioritise Tasks – High Medium Low Be honest and open about card holder data existence Maintain the good security practices Go beyond card data systems Be proactive with checks and controls No single product equals compliance Make someone responsible for managing compliance

33 Online Documentation PCI:DSS Standard v1.2 https://www.pcisecuritystandards.org/saq/docs/aoc_saq_d_merchants.doc Approved QSA List https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf PCI Prioritized Approach https://www.pcisecuritystandards.org/education/prioritized.shtml https://www.pcisecuritystandards.org/education/prioritized.shtml

34 Q&A Thank You. Dale Pearson 07770 373 586 dale.pearson@securityactive.co.uk

Download ppt "PCI:DSS What is it, and what does it mean to you? Dale Pearson 17 th November 2009."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.

Payment Card Industry Data Security Standard AAFA ISC/SCLC Fall 08.
National Bank of Dominica Ltd. 2011 Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.

National Bank of Dominica Ltd Merchant Seminar Facilitator: Janiere Frank Fraud & Compliance Analyst June 16, 2011.
Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.

Evolving Challenges of PCI Compliance Charlie Wood, PCI QSA, CRISC, CISA Principal, The Bonadio Group January 10, 2014.
.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.

.. PCI Payment Card Industry Compliance October 2012 Presented By: Jason P. Rusch.
The Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS)
Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.

Payment Card Industry Data Security Standard Tom Davis and Chad Marcum Indiana University.
Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
UCSB Credit Card Processing and PCI Compliance

UCSB Credit Card Processing and PCI Compliance
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.

PCI-DSS Erin Benedictson Information Security Analyst AAA Oregon/Idaho.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Property of CampusGuard Compliance With The PCI DSS.

Property of CampusGuard Compliance With The PCI DSS.
© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.

© Vendor Safe Technologies 2008 B REACHES BY M ERCHANT T YPE 70% 1% 9% 20% Data provided by Visa Approved QIRA November 2008 from 475 Forensic Audits.
Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.

Visa Europe Implementing PCI DSS Requirements Within Your Organisation September 2008 Simon Breeden.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Data Security Standard. What Is PCI ? Who Does It Apply To ? Who Is Involved With the Compliance Process ? How We Can Stay Compliant ?

Similar presentations

Ads by Google