Presentation is loading. Please wait.

Presentation is loading. Please wait.

Where Do You Have Cardholder Data?

Published byByron Thornton Modified over 6 years ago

Similar presentations

Presentation on theme: "Where Do You Have Cardholder Data?"— Presentation transcript:

1 Where Do You Have Cardholder Data?
Branimir Pacar Director of PCI & Payment Services

2 /We are a NASDAQ agile EMEA company/
Cognosec Assesses, Designs, Implements and Manages Cyber Resilient Solutions

3 Where do I have CHD and why is it important?

4 Compliance vs. Security
Scope of PCI DSS Requirements The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. PCI DSS v3.2, page 10

5 Compliance vs. Security
“Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. It is a general term that can be used regardless of the form the data may take (e.g. electronic, physical).”

6 Compliance vs. Security
Security should be the goal, Compliance will be a consequence

7 Defining the scope Concepts that always apply:
Systems located within the Cardholder data environment (CDE) are in scope Systems that connect to a system in the CDE are in scope In a flat network, all systems are in scope CDE - The people, processes and technology that store, process, or transmit cardholder data or sensitive authentication data. The primary account number is the defining factor for cardholder data. If cardholder name, service code, and/or expiration date are stored, processed or transmitted with the PAN, or are otherwise present in the cardholder data environment (CDE), they must be protected in accordance with applicable PCI DSS requirements 

8 Defining the scope Annually and prior to the annual assessment the assessed entity should confirm the accuracy of the scope Identify the existence of all cardholder data in the environment Verify no cardholder data exists outside of the CDE Assessor will validate that the scope of the assessment is accurately determined

9 Identifying cardholder data
Manual vs. automated methods Specialized tools: Enterprise Desktop Open source Free Manual Cooperation between QSA and client Know the environment Trust but verify

10 Manual cardholder data discovery

11 Work together with your QSA
QSA is not working against you Use knowledge and experience QSA has QSA is objective about your environment No other information than what you provide

12 Know the environment Start with the purpose and business model
Review the cardholder data flow and network diagrams Review the security documentation Identify the technology used in the environment Understand the internal organization Try to resist “Just in case” urge

13 Test and verify Test known locations to verify information is accurate
Test connected systems to verified known locations Wisely determine testing sample Address technology specifics for tested systems Perform negative testing Update the documentation

14 Conclusion Invest time and resources to identify CHD in your environment Proper scoping and CHD identification can save you a lot of time and money Don’t hide CHD from the QSA – you are just saving it for someone to take

15 Thank you! Questions?

16

Download ppt "Where Do You Have Cardholder Data?"

Similar presentations

ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Discussion on SA-500 – AUDIT EVIDENCE

Discussion on SA-500 – AUDIT EVIDENCE
Auditing Computer Systems

Auditing Computer Systems
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.

PCI 3.0 Boot Camp Payment Card Industry Data Security Standards 3.0.
The Right Choice for Call Recording WWW.OAISYS.COM OAISYS and PCI DSS Compliance Managing Payment Card Industry Compliance with OAISYS Call Recording Solutions.

The Right Choice for Call Recording OAISYS and PCI DSS Compliance Managing Payment Card Industry Compliance with OAISYS Call Recording Solutions.
NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
PCI requirements in business language What can happen with the cardholder data?

PCI requirements in business language What can happen with the cardholder data?
Information Security Update CTC 18 March 2015 Julianne Tolson.

Information Security Update CTC 18 March 2015 Julianne Tolson.
Introduction to Payment Card Industry Data Security Standard

Introduction to Payment Card Industry Data Security Standard
North Carolina Community College System IIPS Conference – Spring 2009 Jason Godfrey IT Security Manager (919) 807-7054

North Carolina Community College System IIPS Conference – Spring 2009 Jason Godfrey IT Security Manager (919)

Similar presentations

Ads by Google