PCI:DSS: What is it, and what does it mean to you?
Dale Pearson, 17th November 2009
Today’s Presentation
• Security Stats
• Why PCI:DSS
• What does PCI:DSS mean to you
• Steps to becoming compliant
• Tips and Take Aways
• Question Time
About Me
• Founder – Security Active
• Security Manager – Atos Origin
• Senior Security and Risk Consultant – Zurich
• Global Network & Security Architect – GE
• Security Research
• Presenting / Lecturing
• Security Bloggers Meet Up
• Blogging / Podcasting / Twittering
• Consulting / Education / Awareness
• Ethical Hacker . Net Board of Advisors
• Hackers for Charity / iT4Communities
Security Stats
Stats are from the Verizon Business Data Breach Investigations Report http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Data Breaches
Payment Card Data - Most Wanted
Companies unaware of breach occurrence
Exploitation
Hacking and Malicious Code Top for Exploitation Methods
Applications and OS targeted by Attackers
Threat Points
Online presence increased risk
Don't underestimate the insider threat
Simples
Companies unaware of data existence
Attacks are easy to carry out, and many could have been prevented
Why PCI:DSS?
In the Media
The Creation of PCI:DSS
• Payment Card Industry : Data Security Standard
• Card fraud pushed to an unsustainable level
• Security of information is an important factor to protect against financial loss, as well as reputational loss
• PCI:DSS is the card schemes' response
• Secure transmission, storage and processing of card holder data
• Coverage of systems, policies, and procedures
What's it all about?
• Increase security of card holder data
• Coverage of entire payments process
• Backing from the card schemes and banks
• Compliance is mandatory
• Based on best practice
• Over 232 controls in 12 areas
• June 2005 Deadline
• July 2007 Deadline
• All merchants to define a compliance date
• 18% of companies in the UK are compliant
What can PCI:DSS Do For You?
• Brand reputation protection
• Framework to build upon
• Understanding of information in your business
• Improved security controls
• Documented and formalised process and policy
• Acceptance and reduction of risk
• Competitive edge
• Reduced processing costs
• Avoid fines and legal costs
• Continue accepting cards
• Safe Harbour
Who’s Who
What does PCI:DSS mean to you?
PCI:DSS Requirements
Build and Maintain a Secure Network
• Install and maintain a firewall configuration to protect cardholder data
• Do not use vendor-supplied defaults for system passwords and other parameters
Protect Cardholder Data
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
PCI:DSS Requirements
Implement Strong Access Control Measures
• Restrict access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
Regularly Monitor and Test Networks
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
Maintain an Information Security Policy
• Maintain a policy that addresses information security
Steps to becoming Compliant
Merchant Requirements
Self Assessment Questionnaire
• Subset of the full Onsite Audit Criteria
• Completed by the merchant
• Submitted to the Acquirer
• Made up of Yes / No / Not Applicable responses
• Broken up into the six sections of requirement
Compliance Life Cycle
Pre-Assessment / Gap Analysis
Implement / Remediate
PCI:DSS Certification
Road to compliance
• Senior Manager Support
• Understand the task at hand
• Identify applications and locations of cardholder data
• Produce network diagrams and data flows
• Identify compliance gaps to the 12 requirements
• Obtain required expertise
• Establish the scope for compliance
• Engage with 3rd parties
• Conduct vulnerability scans
• Prioritise remediation activities
• Clarify compliance on submission of SAQ
Key Controls
Systems / Technology
• Network Segmentation
• System Hardening
• Encryption
• Anti-Virus / Anti-Malware
• Access Controls
• Password Controls
• Physical Access Controls
• Centralized Logging
• File Integrity Monitoring
• IDS / IPS
• Scanning (Wireless & Vulnerabilities)
Key Controls
Procedures
• Systems Build
• Encryption Key Management
• Secure Applications Development
• Security Testing (Vuln Scanning & Pen Tests)
• Log Review
• Annual Risk Assessment
• Policies / Procedures Annual Review & Issue
• Security Awareness
• Incident Response Annual Testing
People
• Background Checks, Security Awareness
What’s in Scope?
Firewalls / Switches / Routers / Network Appliances / Servers / Workstations / Laptops
PA-DSS Payment Application Data Security Standard
• Based on Visa’s Payment Application Best Practices
• Required 1st July 2010
Purpose and scope
• Payment applications must facilitate (not prevent) PCI:DSS compliance
• Applies only to payment applications developed by 3rd parties
Goals for Software Development
• Application must not retain mag stripe data
• Application must encrypt cardholder data
• Guidance for PCI:DSS compliant implementation
QSA Review / Assessment
• Detailed audit against PCI:DSS
• Targets all systems and networks storing, processing or transmitting cardholder data
• Review of contractual relationships
• Performed by a VISA certified provider (QSA)
• Report on compliance submitted to Acquirer
Assessment Examples
Common Compliance Issues
• Scoping of project is too large
• Flat network and no segmentation
• Legacy systems, and non-compliant software
• Lack of knowledge to interpret controls
• Lack of formal processes and procedures
• Confusion over systems scoping
• Storage, processing and transmitting of data with no business requirement
• Non-compliant 3rd parties
• Significant cost to full compliance
• Evaluation of compensating controls
Consequence of non compliance
• Monthly fine for non-compliance
• Increased cost for processing cards
• Damage to brand reputation
• Customers sue for negligence
• Increased risk of security breach
• Costly investigative charges
• No safe harbour
• Acquirer refuses to allow card processing
Misconceptions
• Self assessment means you’re compliant
• Compliance means you won’t suffer a breach
• Outsourcing takes away your need for compliance
• PCI:DSS is just about IT
• A single product can make you compliant
• Compliance can be automated
Tips and Take Aways
• Reduce your scope
• Ensure senior buy in
• Prioritise Tasks – High Medium Low
• Be honest and open about card holder data existence
• Maintain the good security practices
• Go beyond card data systems
• Be proactive with checks and controls
• No single product equals compliance
• Make someone responsible for managing compliance
Online Documentation
• PCI:DSS Standard v1.2: https://www.pcisecuritystandards.org/saq/docs/aoc_saq_d_merchants.doc
• Approved QSA List: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
• PCI Prioritized Approach: https://www.pcisecuritystandards.org/education/prioritized.shtml