Presentation is loading. Please wait.

Presentation is loading. Please wait.

NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.

Published bySylvia May Modified over 8 years ago

Similar presentations

Presentation on theme: "NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional."— Presentation transcript:

1 NUAGA May 22, 2014

2  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional (PCIP) and PCI Internal Security Assessor (ISA) Certification 4/2014  Annual re-certification  Currently responsible for PCI security for all 44 of the DABC’s retail stores  18 Years Experience with DTS/DABC

3

4

5

6

7

8  Easton-Bell Sports  Bright Horizons  Bell-Canada  Several major hotel chains ◦ These breaches have all occurred by exploiting weaknesses in the systems and processes of a third-party business partner.

9  The PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.  The standard provides an actionable framework for developing a robust data security process - including preventing, detecting and reacting to security incidents.  Applies to any entity that stores, processes and/or transmits CHD.

10 PCI Data Security Standard Requirements PCI DSS is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data. It presents common sense steps that mirror best security practices. Goals PCI DSS Requirements – Validated by Self or Outside Assessment Build and Maintain a Secure Network1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data 3. Protect stored data 4. Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program5. Use and regularly update anti-virus software or programs 6. Develop and maintain secure systems and applications Implement Strong Access Control Measures7. Restrict access to cardholder data by business need-to-know 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes Maintain an Information Security Policy12. Maintain a policy that addresses information security for all personnel

11  Build and Maintain a Secure Network  Protect Card Holder Data  Maintain a Vulnerability Management Program  Implement Strong Access Control Measures  Regularly Monitor and Test Networks  Maintain an Information Security Policy

12 The updated versions of PCI DSS and PA-DSS will:  Provide stronger focus on some of the greater risk areas in the threat environment  Provide increased clarity on PCI DSS & PA-DSS requirements  Build greater understanding on the intent of the requirements and how to apply them  Improve flexibility for all entities implementing, assessing, and building to the Standards  Drive more consistency among assessors  Help manage evolving risks / threats  Align with changes in industry best practices  Clarify scoping and reporting  Eliminate redundant sub-requirements and consolidate documentation

13 The PCI Standards are updated based on feedback from the industry, per the standards development lifecycle as well as in response to current market needs. Common challenge areas and drivers for change include:  Lack of education and awareness  Weak passwords, authentication  Third-party security challenges  Slow self-detection, malware  Inconsistency in assessments

14  1.1.x - Clarified that firewall and router standards have to be both documented and implemented.  1.1.2 - Clarified what the network diagram must include and added a new requirement (1.1.3) for a current diagram that shows cardholder data flows.  2.4 - New requirement to maintain an inventory of system components in scope for PCI DSS  5.1.2 - New requirement to evaluate malware threats for any systems not considered to be commonly affected by malicious software

15  5.3 - New requirement to ensure that anti-virus solutions are actively running and cannot be disabled or altered by users unless specifically authorized by management on a per-case basis  6.1 -Clarified the process for identifying and risk ranking new vulnerabilities and (6.2) patching critical vulnerabilities  6.5.10 - New requirement for coding practices to protect against broken authentication and session management  7.1.1 - New requirement to cover definition of access needs for each role  8.3 - Clarified requirements for two-factor authentication applies to users, administrators, and all third parties, including vendor access for support or maintenance

16  8.5.1 - New requirement for service providers with remote access to customer devices, to use unique authentication credentials for each customer  9.9.x - New requirement to protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution  10.2.5 – Enhanced requirement to include changes to identification and authentication mechanisms (including creation of new account, elevation of privileges) and all changes, additions and deletions to accounts with root or admin privileges

17  11.1.x -New requirement to include an inventory of authorized wireless access points and scanning for unauthorized wireless devices  11.3 - New requirement to implement a methodology for penetration testing, to also include verification that segmentation methods are operational and effective (11.3.4)  12.2 - Clarified that the risk assessment should be performed at least annually and after significant changes to the environment  12.8.2 - Clarified the responsibilities for the service provider’s written agreement/acknowledgement

18  12.8.5 - New requirement to maintain information about which PCI requirements are managed by each service provider, and which are managed by the entity  12.9 - New requirement for service providers to provide a written agreement/acknowledgment to their customers  12.10.x - Clarified the intent for alerts from security monitoring systems to be included in the incident response plan

19  Implementing security into business as usual (BAU) activities  Audit ready anytime  In my opinion, the PCI Data Security Standard is not a policy or procedure. PCI-DSS is a lifestyle!

20 Kevin Perry  DTS/DABC  kperry@utah.gov kperry@utah.gov

Download ppt "NUAGA May 22, 2014.  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional."

Similar presentations

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.

Surviving the PCI Self -Assessment James Placer, CISSP West Michigan Cisco Users Group Leadership Board.
ISACA January 8, 2013. IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.

ISACA January 8, IT Auditor at Cintas Corporation Internal Audit Department Internal Security Assessor (ISA) Certification September 2010 Annual.
PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.

PCI Compliance: The Gateway to Paradise PCI Compliance: The Gateway to Paradise.
Complying With Payment Card Industry Data Security Standards (PCI DSS)

Complying With Payment Card Industry Data Security Standards (PCI DSS)
2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.

2014 PCI DSS Meeting OSU Business Affairs Process Improvement Team (PIT) Robin Whitlock & Dan Hough 10/28/2014.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.

PCI Compliance Forrest Walsh Director, Information Technology California Chamber of Commerce.
Jeff Williams Information Security Officer CSU, Sacramento

Jeff Williams Information Security Officer CSU, Sacramento
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.

GPUG ® Summit 2011 November 8-11 Caesars Palace – Las Vegas, NV Payment Processing Online and Within Dynamics GP PCI Compliance and Secure Payment Processing.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.

Contact Center Security Strategies Grant Sainsbury Practice Director, Dimension Data.
Kevin R Perry August 12, 2014. Part 1: High Level Changes & Clarifications.

Kevin R Perry August 12, Part 1: High Level Changes & Clarifications.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Why Comply with PCI Security Standards?

Why Comply with PCI Security Standards?
Introduction to PCI DSS

Introduction to PCI DSS

Similar presentations

Ads by Google