PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY
INTRODUCTIONS
Meet today’s presenters

Carlos Villalba
Director of Security Services
Terra Verde Services

Sandy Hawke
VP, Product Marketing
AlienVault

Patrick Bass
Director of Security Solutions
Terra Verde Services

AGENDA
• What’s New in PCI DSS 3.0
• Key considerations for adapting your compliance strategy
• Technology recommendations for addressing new requirements
• How our clients have simplified PCI DSS compliance
• Q&A
PCI DSS PRIMER
WHAT’S CHANGED FROM V2 TO V3
Carlos A. Villalba
Director, Security Services
IT’S FINALLY HERE!
• Nov 7, 2013: PCI DSS v3 was published
• Jan 1, 2014: PCI DSS v3 becomes effective
• Dec 31, 2014: PCI DSS v2 expires
PCI DSS VERSION 3
3-Year Cycle for New Versions
WHAT DID THEY WANT TO FIX
• Divergent interpretations of the standard
• Weak or default passwords
• Slow detection of compromise
• Security problems introduced by 3rd parties and various areas
HIGHLIGHTS
• The twelve domains remain
• Some sub-requirements added
• Descriptions of tests are more precise
  • Aligned language of requirement and test
  • Clarified what to do to verify compliance
• More rigor in determining scope of assessment
• More guidance on log reviews
• More rigorous penetration testing
GUIDANCE FOR EACH REQUIREMENT
A PENETRATION TEST METHODOLOGY
• Based on industry-accepted approaches, e.g. NIST SP800-115
• A new clause 11.3
  • Test entire perimeter of CDE & all critical systems
  • Validate all scope-reduction controls—segmentation
  • Test from inside and from outside of the network
  • Test network-function components and OSs
  • As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
SECURE SDLC
• Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities
• List expanded to include new requirements for
  • Coding practices to protect against broken authentication and session management
  • Coding practices to document how PAN and SAD are handled in memory
    • Combating memory scraping is a good idea for PA-DSS
    • This was a bit contentious for PCI-DSS
AUTHENTICATION
• Requirement text recognizes methods other than password/passphrases, e.g. certificates
• Minimum password length is still 7 characters
• Authentication credentials
  "Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above."
• A service provider must use a different password for each of its clients.
• Educate users
CHANGE MANAGEMENT
• Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files
• Configure the software to perform critical file comparisons at least weekly.
• New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
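The change-detection mechanism described on this slide, as an added example that is not code from the webinar or from any product it mentions: a SHA-256 baseline of a file tree, a weekly-style comparison against it, and an 11.5.1-style triage step that turns every change not covered by an approved change record into an alert. The directory contents and the approved-change list are constructed for the demo.

```python
"""File-integrity baseline and comparison in the spirit of PCI DSS 11.5 / 11.5.1.

Added example; not from the webinar deck or from AlienVault USM. Paths, file
contents and the approved-change record below are all constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file (relative to root) to its digest, size and permission bits."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; each category is a sorted list of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def respond(diff: dict, approved_changes: set) -> list:
    """11.5.1-style triage: any change not in the approved change record is an alert.

    approved_changes stands in for the change-management record (constructed);
    a real process would open a ticket or page an analyst for each alert.
    """
    alerts = []
    for category, paths in diff.items():
        for p in paths:
            if p not in approved_changes:
                alerts.append(f"{category}: {p}")
    return alerts


def demo() -> dict:
    """Constructed scenario: one approved config edit, one silent binary swap, one new file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=cde-db-01\n")
        (root / "bin" / "payment").write_bytes(b"\x7fELF-constructed-binary")
        baseline = build_baseline(root)
        snapshot = json.dumps(baseline)  # what you would store off-host, read-only

        # A week later: approved config edit, unapproved binary swap, new cron file.
        (root / "etc" / "app.conf").write_text("db_host=cde-db-02\n")
        (root / "bin" / "payment").write_bytes(b"\x7fELF-tampered-binary")
        (root / "etc" / "cron.weekly").write_text("# constructed\n")

        diff = compare(json.loads(snapshot), build_baseline(root))
        alerts = respond(diff, approved_changes={"etc/app.conf"})
        return {"diff": diff, "alerts": alerts}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Storing the baseline off the monitored host matters as much as the comparison: an attacker who can alter the binary can usually alter a baseline kept beside it.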
MANAGED SERVICE PROVIDERS
• New requirement, 12.8.5, mandates the documentation of which DSS requirements are managed by the 3rd party.
• New requirement, 12.9, mandates that 3rd parties must acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state they will comply with the DSS in performing that management.
ADAPTING YOUR COMPLIANCE STRATEGY
• Assess gaps between v2 and v3 requirements
  • What process changes are required?
  • What technology improvements are required?
  • How long will these take?
  • Do you have the necessary expertise and technology in place?
• Document migration plans to v3
• Consider a unified approach to PCI security monitoring
A UNIFIED APPROACH TO PCI DSS COMPLIANCE: USM OVERVIEW
Sandy Hawke
VP, Product Marketing
AlienVault
KEY QUESTIONS FOR PCI DSS
Pre-audit checklist:
• Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network?
• Who accesses these resources (and the other W’s… when, where, what can they do, why and how)?
• What are the vulnerabilities that are in your PCI-defined network (app, OS, etc.)? Are there any known attackers targeting these?
• What constitutes your network baseline? What is considered "normal/acceptable"?
Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
WHAT DO WE NEED FOR PCI DSS?
[Diagram: Unified Security Management, five linked capabilities]
• Asset Discovery: figure out what is valuable
• Vulnerability Assessment: identify ways the target could be compromised
• Threat Detection: start looking for threats
• Behavioral Monitoring: look for strange activity which could indicate a threat
• Security Intelligence: piece it all together

Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

Vulnerability Assessment
• Network Vulnerability Testing

Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

Security Intelligence
• SIEM Correlation
• Incident Response

BTW… this is just the technologies… Terra Verde can help with process!
ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT
• Network and host-based IDS signatures – detects the latest threats in your environment
• Asset discovery signatures – identifies the latest OSes, applications, and device types
• Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
• Correlation rules – translates raw events into actionable remediation tasks
• Reporting modules – provides new ways of viewing data about your environment
• Dynamic incident response templates – delivers customized guidance on how to respond to each alert
• Newly supported data source plug-ins – expands your monitoring footprint
WHY ALIENVAULT FOR PCI DSS COMPLIANCE?
• All-in-one functionality
  • Easy management
  • Multiple functions without multiple consoles
• Automate what and where you can*
  • "Baked in" guidance when you can’t
• Flexible reporting & queries… as detailed as you want it.
• Threat intelligence from AlienVault Labs
*Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
TECHNOLOGY RECOMMENDATIONS FOR PCI DSS 3.0
Patrick Bass
Director, Security Solutions
PCI COMPLIANCE STRUGGLES
• You aren’t alone
  • 96% of breach victims were not compliant (Verizon, 2012).
• 5 common failures
  • Testing security
  • Monitoring networks
  • Maintaining firewalls
  • Using vendor defaults
  • Maintaining a security policy
TVS CLIENTS
USM components that have helped our clients the most:
• Log aggregation, correlation, analysis
• Network intrusion detection
• Host intrusion detection
• Wireless intrusion detection
• Vulnerability scanning
• File integrity monitoring

Key USM advantages:
• Consolidated features
• Essential security capabilities
• Reduced cost & complexity
• Single pane-of-glass
• Easy to use & deploy
REQUIREMENT 1: Install and maintain a firewall configuration to protect data
PCI DSS requirements: 1.1, 1.2, 1.3
USM capabilities:
• NetFlow analysis
• System availability monitoring
• SIEM
• Asset discovery
Benefits:
• Unified and correlated NetFlow analysis and firewall logs deliver "single pane of glass" visibility into access to cardholder-related data and resources.
• Built-in asset discovery provides a dynamic asset inventory and topology diagrams. Cardholder-related resources can be identified and monitored for unusual activity.
• Accurate and automated asset inventory combined with relevant security events accelerates incident response efforts and analysis.
REQUIREMENT 2: No use of vendor-supplied parameter defaults
PCI DSS requirements: 2.1, 2.2, 2.3
USM capabilities:
• Network intrusion detection (IDS)
• Vulnerability assessment
• Host-based intrusion detection (HIDS)
Benefits:
• Built-in, automated vulnerability assessment identifies the use of weak and default passwords.
• Built-in host-based intrusion detection and file integrity monitoring will signal when password files and other critical system files have been modified.
REQUIREMENT 3: Protect stored cardholder data
PCI DSS requirements: 3.6.7
USM capabilities:
• Log management
• Host-based intrusion detection (HIDS)
• File integrity monitoring
• NetFlow analysis
• SIEM
Benefits:
• Unified log review and analysis, with triggered alerts for high-risk systems (containing credit cardholder data).
• Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys.
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
REQUIREMENT 4: Encrypt cardholder data transmission across open public networks
PCI DSS requirements: 4.1
USM capabilities:
• NetFlow analysis
• Behavioral monitoring
• Wireless IDS
• SIEM
Benefits:
• Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
• Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure.
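The "alerts on unencrypted traffic to/from cardholder-related resources" benefit listed under Requirement 4 (and identically under Requirement 3) is the kind of NetFlow check the block below demonstrates; it is an added example, not code from the webinar or from AlienVault USM. The flow records, the CDE address range and the cleartext-service port table are constructed, and matching on destination port alone is a stated simplification of real service detection.

```python
"""Flag cleartext flows that touch cardholder-data resources (PCI DSS 4.1 monitoring).

Added example; not from the webinar deck or from AlienVault USM. All inputs
below are constructed. Port-based service identification is an assumption of
this demo; production tooling would use service detection, not the port alone.
"""
import ipaddress

# Constructed asset inventory: the address range that holds cardholder data.
CDE_NETWORK = ipaddress.ip_network("10.20.0.0/24")

# Destination ports whose protocol carries data in the clear (constructed table).
CLEARTEXT_SERVICES = {
    21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap",
    1433: "mssql-plain", 3306: "mysql-plain",
}

# Constructed flow export: src, dst, proto, dst_port, bytes (one flow per line).
SAMPLE_FLOWS = """\
10.0.1.15,10.20.0.5,tcp,443,18234
10.0.1.15,10.20.0.5,tcp,80,4096
10.20.0.7,198.51.100.9,tcp,21,1048576
10.0.1.22,10.0.1.30,tcp,80,512
10.0.1.15,10.20.0.5,tcp,80,2048
10.20.0.5,10.20.0.6,tcp,3306,99999
"""


def parse_flows(text: str) -> list:
    """Turn the CSV export into records with typed addresses and integers."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, port, nbytes = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dst_port": int(port), "bytes": int(nbytes),
        })
    return flows


def direction(src, dst) -> str:
    """Classify a flow relative to the CDE; both ends inside is its own case."""
    src_in, dst_in = src in CDE_NETWORK, dst in CDE_NETWORK
    if src_in and dst_in:
        return "within CDE"
    if src_in:
        return "outbound from CDE"
    return "inbound to CDE"


def cleartext_cde_alerts(flows: list) -> list:
    """One alert per (src, dst, service) tuple, aggregated so bursts do not flood the SIEM."""
    agg = {}
    for f in flows:
        svc = CLEARTEXT_SERVICES.get(f["dst_port"])
        if svc is None or not (f["src"] in CDE_NETWORK or f["dst"] in CDE_NETWORK):
            continue  # encrypted, or nothing to do with the CDE
        key = (str(f["src"]), str(f["dst"]), svc)
        entry = agg.setdefault(key, {"flows": 0, "bytes": 0})
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
    alerts = []
    for (src, dst, svc), stats in sorted(agg.items()):
        alerts.append({
            "src": src, "dst": dst, "service": svc,
            "direction": direction(ipaddress.ip_address(src), ipaddress.ip_address(dst)),
            **stats,
        })
    return alerts


if __name__ == "__main__":
    for alert in cleartext_cde_alerts(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

The "within CDE" case is worth keeping separate: cleartext database traffic between two in-scope hosts is a Requirement 4 question only if that segment is an open, public network, but it is still something an assessor will ask about.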
REQUIREMENT 5: Use and update anti-virus software
PCI DSS requirements: 5.1, 5.2
USM capabilities:
• Host-based intrusion detection (HIDS)
• Network intrusion detection (IDS)
• Log management
Benefits:
• Built-in host-based intrusion detection provides an extra layer of defense against zero-day threats (before an anti-virus update can be issued).
• Unified log management provides an audit trail of anti-virus software use by collecting log data from anti-virus software.
• Built-in network intrusion detection identifies and alerts on malware infections in the credit cardholder data environment.
REQUIREMENT 6: Develop and maintain secure systems and applications
PCI DSS requirements: 6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5
USM capabilities:
• Asset discovery
• Vulnerability assessment
• Network intrusion detection (IDS)
• SIEM
Benefits:
• Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provide a unified view of an organization’s security posture and critical system configuration.
• Built-in vulnerability assessment checks for a variety of well-known security exploits (e.g., SQL injection).
REQUIREMENT 7: Restrict cardholder data access to need to know
PCI DSS requirements: 7.1, 7.2
USM capabilities:
• SIEM
Benefits:
• Automated event correlation identifies unauthorized access to systems with credit cardholder data.
REQUIREMENT 8: Assign unique IDs to everyone with computer access
PCI DSS requirements: 8.1, 8.2, 8.4, 8.5
USM capabilities:
• Log management
Benefits:
• Built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems.
REQUIREMENT 10: Track and monitor access to all network resources and cardholder data
PCI DSS requirements: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
USM capabilities:
• Host-based intrusion detection (HIDS)
• Network intrusion detection (IDS)
• Behavioral monitoring
• Log management
• SIEM
Benefits:
• Built-in threat detection, behavioral monitoring and event correlation signal attacks in progress—for example, unauthorized access followed by additional security exposures such as cardholder data exfiltration.
• Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices.
• Centralized, role-based access control for audit trails and event logs preserves "chain of custody" for investigations.
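The "correlation of valid and invalid authentication attempts on critical devices" benefit above is a concrete SIEM rule, and the block below is an added example of one, not code from the webinar or from AlienVault USM. It reads constructed sshd-style syslog lines, keeps a sliding window of failures per (source, host) pair, and raises an alarm when a burst of failures is followed by a success; the CDE_HOSTS asset group and the log sample are constructed.

```python
"""Correlate failed-then-successful logins per source and host (PCI DSS 10.2-style monitoring).

Added example; not from the webinar deck or from AlienVault USM. The log lines,
the CDE host group and the thresholds are constructed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd-style lines: "<ISO ts> <host> sshd[<pid>]: (Accepted|Failed) password for [invalid user ]<user> from <ip> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample: a spray against a CDE database host that finally succeeds,
# plus ordinary activity on a non-CDE host that must not alarm.
SAMPLE_LOG = """\
2014-01-15T02:10:01 cde-db-01 sshd[4121]: Failed password for root from 10.0.9.7 port 51000 ssh2
2014-01-15T02:10:04 cde-db-01 sshd[4121]: Failed password for root from 10.0.9.7 port 51001 ssh2
2014-01-15T02:10:08 cde-db-01 sshd[4121]: Failed password for invalid user admin from 10.0.9.7 port 51002 ssh2
2014-01-15T02:10:12 cde-db-01 sshd[4121]: Failed password for root from 10.0.9.7 port 51003 ssh2
2014-01-15T02:10:15 cde-db-01 sshd[4121]: Failed password for root from 10.0.9.7 port 51004 ssh2
2014-01-15T02:10:20 cde-db-01 sshd[4121]: Accepted password for root from 10.0.9.7 port 51005 ssh2
2014-01-15T08:00:00 corp-web-03 sshd[2200]: Accepted password for alice from 10.0.1.20 port 40000 ssh2
2014-01-15T08:05:00 corp-web-03 sshd[2200]: Failed password for alice from 10.0.1.20 port 40001 ssh2
"""

CDE_HOSTS = {"cde-db-01", "cde-app-01"}  # constructed asset group from asset discovery


def parse(line: str):
    """Return a dict for an auth line, or None for lines this rule does not correlate."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def correlate(log_text: str, threshold: int = 5, window_s: int = 300) -> list:
    """Alarm on any (src, host) pair with >= threshold failures followed by a success.

    Failures are held in a per-pair sliding window so slow, spread-out attempts
    expire instead of accumulating forever; each alarm clears the window.
    """
    failures = defaultdict(deque)
    alarms = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        q = failures[(rec["src"], rec["host"])]
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures older than the window
        if rec["result"] == "Failed":
            q.append(rec["ts"])
        elif len(q) >= threshold:
            in_cde = rec["host"] in CDE_HOSTS
            alarms.append({
                "ts": rec["ts"].isoformat(), "src": rec["src"], "host": rec["host"],
                "user": rec["user"], "failures_before_success": len(q),
                "priority": "high" if in_cde else "medium",
            })
            q.clear()
    return alarms


if __name__ == "__main__":
    for alarm in correlate(SAMPLE_LOG):
        print(alarm)
```

Priority comes from the asset group, which is why the deck pairs asset discovery with log management: the same rule fires on any host, but only the CDE hit should page someone at 02:10.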
REQUIREMENT 11: Regularly test security systems and processes
PCI DSS requirements: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7
USM capabilities:
• Vulnerability assessment
• Wireless IDS
• Host-based intrusion detection (HIDS)
• File integrity monitoring
• SIEM
Benefits:
• Built-in vulnerability assessment streamlines the scanning and remediation process – one console to manage it all.
• Built-in wireless IDS detects and alerts on rogue wireless access points, and weak encryption configurations.
• Built-in host-based intrusion detection identifies the attachment of USB devices including WLAN cards.
• Unified vulnerability assessment, threat detection, and event correlation provides full situational awareness in order to reliably test security systems and processes.
• Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content.
CONTACT US

Carlos Villalba
Director, Security Services
Terra Verde Services
carlos.villalba@TerraVerdeServices.com
877-707-7997 (x 21)

Sandy Hawke
VP, Product Marketing
AlienVault
shawke@alienvault.com

Patrick Bass
Director, Security Solutions
Terra Verde Services
patrick.bass@TerraVerdeServices.com
877-707-7997 (x 16)
NOW FOR SOME Q&A…
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Join us for a LIVE Demo!
http://www.alienvault.com/marketing/alienvault-usmlive-demo
Already a customer? TVS provides training:

http://www.terraverdeservices.com/alienvaulttraining.html

Questions? hello@alienvault.com
VIEW WEBCAST ON-DEMAND…
A recorded version of this webcast is available On-Demand, and can be viewed Here.

Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 

Último

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAnitaRaj43
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

PCI DSS v3.0: How to Adapt Your Compliance Strategy

  • 1. PCI DSS 3.0: HOW TO ADAPT YOUR COMPLIANCE STRATEGY
  • 2. INTRODUCTIONS Meet today’s presenters Carlos Villalba Director of Security Services Terra Verde Services Sandy Hawke VP, Product Marketing AlienVault Patrick Bass Director of Security Solutions Terra Verde Services 2
  • 3. AGENDA: What’s New in PCI DSS 3.0; Key considerations for adapting your compliance strategy; Technology recommendations for addressing new requirements; How our clients have simplified PCI DSS compliance; Q&A
  • 4. PCI DSS PRIMER WHAT’S CHANGED FROM V2 TO V3 Carlos A. Villalba Director, Security Services
  • 5. IT’S FINALLY HERE! Nov 7 2013: PCI DSS v3 was published. Jan 1 2014: PCI DSS v3 becomes effective. Dec 31 2014: PCI DSS v2 expires.
  • 6. PCI DSS VERSION 3 3-Year Cycle for New Versions
  • 7. WHAT DID THEY WANT TO FIX: Divergent interpretations of the standard; Weak or default passwords; Slow detection of compromise; Security problems introduced by 3rd parties and various areas
  • 8. HIGHLIGHTS: The twelve domains remain; Some sub-requirements added; Descriptions of tests are more precise (aligned language of requirement and test; clarified what to do to verify compliance); More rigor in determining scope of assessment; More guidance on log reviews; More rigorous penetration testing
  • 9. GUIDANCE FOR EACH REQUIREMENT
  • 10. A PENETRATION TEST METHODOLOGY: Based on industry-accepted approaches, e.g. NIST SP800-115. A new clause 11.3: Test entire perimeter of CDE & all critical systems; Validate all scope-reduction controls (segmentation); Test from inside and from outside of the network; Test network-function components and OSs; As a minimum, perform application tests for the vulnerabilities listed in Requirement 6.5
  • 11. SECURE SDLC: Programmers of internally-developed and bespoke applications must be trained to avoid known vulnerabilities. List expanded to include new requirements for: Coding practices to protect against broken authentication and session management; Coding practices to document how PAN and SAD are handled in memory (combating memory scraping is a good idea for PA-DSS; this was a bit contentious for PCI-DSS)
  • 12. AUTHENTICATION: Requirement text recognizes methods other than password/passphrases, e.g. certificates. Minimum password length is still 7 characters. Authentication credentials: "Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above." A service provider must use a different password for each of its clients. Educate users
  • 13. CHANGE MANAGEMENT: Deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files. Configure the software to perform critical file comparisons at least weekly. New requirement, 11.5.1, mandates the implementation of a process to respond to any alerts generated by that mechanism.
  • 14. MANAGED SERVICE PROVIDERS: New requirement, 12.8.5, mandates the documentation of which DSS requirements are managed by the 3rd party. New requirement, 12.9, mandates that 3rd parties must acknowledge in writing that they will comply with the DSS to protect CHD entrusted to them or, if managing some aspect of the CDE, state they will comply with the DSS in performing that management.
  • 15. ADAPTING YOUR COMPLIANCE STRATEGY: Assess gaps between v2 and v3 requirements (What process changes are required? What technology improvements are required? How long will these take? Do you have the necessary expertise and technology in place?); Document migration plans to v3; Consider a unified approach to PCI security monitoring
  • 16. A UNIFIED APPROACH TO PCI DSS COMPLIANCE: USM OVERVIEW Sandy Hawke VP, Product Marketing AlienVault
  • 17. KEY QUESTIONS FOR PCI DSS. Pre-audit checklist: Where do your PCI-relevant assets live, how are they configured, and how are they segmented from the rest of your network? Who accesses these resources (and the other W’s… when, where, what can they do, why and how)? What are the vulnerabilities that are in your PCI-defined network – app, OS, etc? Are there any known attackers targeting these? What constitutes your network baseline? What is considered "normal/acceptable"? Ask your team… What do we NEVER want to happen in our PCI environment? How do we capture those events when they do happen?
  • 18. UNIFIED SECURITY MANAGEMENT: What do we need for PCI DSS? Asset Discovery (figure out what is valuable): Active Network Scanning; Passive Network Scanning; Asset Inventory; Host-based Software Inventory. Vulnerability Assessment (identify ways the target could be compromised): Network Vulnerability Testing. Threat Detection (start looking for threats): Network IDS; Host IDS; Wireless IDS; File Integrity Monitoring. Behavioral Monitoring (look for strange activity which could indicate a threat): Log Collection; Netflow Analysis; Service Availability Monitoring. Security Intelligence (piece it all together): SIEM Correlation; Incident Response. BTW… this is just the technologies… Terra Verde can help with process!
  • 19. ALIENVAULT LABS THREAT INTELLIGENCE: COMPLETE COVERAGE TO STAY AHEAD OF THE THREAT. Network and host-based IDS signatures – detects the latest threats in your environment; Asset discovery signatures – identifies the latest OS’es, applications, and device types; Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems; Correlation rules – translates raw events into actionable remediation tasks; Reporting modules – provides new ways of viewing data about your environment; Dynamic incident response templates – delivers customized guidance on how to respond to each alert; Newly supported data source plug-ins – expands your monitoring footprint
  • 20. WHY ALIENVAULT FOR PCI DSS COMPLIANCE? All-in-one functionality (easy management; multiple functions without multiple consoles); Automate what and where you can* ("baked in" guidance when you can’t); Flexible reporting & queries… as detailed as you want it; Threat intelligence from AlienVault Labs. *Disclaimer: Despite the hype, you can’t automate EVERYTHING nor would you want to. This is cyber security we’re talking about!
  • 21. TECHNOLOGY RECOMMENDATIONS FOR PCI DSS 3.0 Patrick Bass Director, Security Solutions
  • 22. PCI COMPLIANCE STRUGGLES: You aren’t alone – 96% of breach victims were not compliant (Verizon, 2012). 5 common failures: Testing security; Monitoring networks; Maintaining firewalls; Using vendor defaults; Maintaining a security policy
  • 23. TVS CLIENTS. USM components that have helped our clients the most: Log aggregation, correlation, analysis; Network intrusion detection; Host intrusion detection; Wireless intrusion detection; Vulnerability scanning; File integrity monitoring. Key USM advantages: Consolidated features; Essential security capabilities; Reduced cost & complexity; Single pane-of-glass; Easy to use & deploy
  • 24. REQUIREMENT 1: Install and maintain a firewall configuration to protect data. PCI DSS Requirement: 1.1, 1.2, 1.3. USM Capabilities: NetFlow analysis; System availability monitoring; SIEM; Asset discovery. Benefits: Unified and correlated NetFlow analysis and firewall logs delivers "single pane of glass" visibility into access to cardholder-related data and resources; Built-in asset discovery provides a dynamic asset inventory and topology diagrams – cardholder-related resources can be identified and monitored for unusual activity; Accurate and automated asset inventory combined with relevant security events accelerates incident response efforts and analysis.
  • 25. REQUIREMENT 2: No use of vendor-supplied parameter defaults. PCI DSS Requirement: 2.1, 2.2, 2.3. USM Capabilities: Network intrusion detection (IDS); Vulnerability assessment; Host-based intrusion detection (HIDS). Benefits: Built-in, automated vulnerability assessment identifies the use of weak and default passwords; Built-in host-based intrusion detection and file integrity monitoring will signal when password files and other critical system files have been modified.
  • 26. REQUIREMENT 3: Protect stored cardholder data. PCI DSS Requirement: 3.6.7. USM Capabilities: Log management; Host-based intrusion detection (HIDS); File integrity monitoring; NetFlow analysis; SIEM. Benefits: Unified log review and analysis, with triggered alerts for high risk systems (containing credit cardholder data); Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys; Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources.
  • 27. REQUIREMENT 4: Encrypt cardholder data transmission across open public networks. PCI DSS Requirement: 4.1. USM Capabilities: NetFlow analysis; Behavioral monitoring; Wireless IDS; SIEM. Benefits: Unified NetFlow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from cardholder-related resources; Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure.
  • 28. REQUIREMENT 5: Use and update anti-virus software. PCI DSS Requirement: 5.1, 5.2. USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Log management. Benefits: Built-in host-based intrusion detection provides an extra layer of defense against zero day threats (before an anti-virus update can be issued); Unified log management provides an audit trail of anti-virus software use by collecting log data from anti-virus software; Built-in network intrusion detection identifies and alerts on malware infections in the credit cardholder data environment.
  • 29. REQUIREMENT 6: Develop and maintain secure systems and applications. PCI DSS Requirement: 6.1, 6.2, 6.3, 6.3.2, 6.4, 6.5. USM Capabilities: Asset discovery; Vulnerability assessment; Network intrusion detection (IDS); SIEM. Benefits: Built-in and consolidated asset inventory, vulnerability assessment, threat detection and event correlation provides a unified view of an organization’s security posture and critical system configuration; Built-in vulnerability assessment checks for a variety of well-known security exploits (e.g., SQL injection).
  • 30. REQUIREMENT 7: Restrict cardholder data access to need to know. PCI DSS Requirement: 7.1, 7.2. USM Capabilities: SIEM. Benefits: Automated event correlation identifies unauthorized access to systems with credit cardholder data.
  • 31. REQUIREMENT 8: Assign unique IDs to everyone with computer access. PCI DSS Requirement: 8.1, 8.2, 8.4, 8.5. USM Capabilities: Log management. Benefits: Built-in log management captures all user account creation activities and can also identify unencrypted passwords on critical systems.
  • 32. REQUIREMENT 10: Track and monitor access to all network resources and cardholder data. PCI DSS Requirement: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7. USM Capabilities: Host-based intrusion detection (HIDS); Network intrusion detection (IDS); Behavioral monitoring; Log management; SIEM. Benefits: Built-in threat detection, behavioral monitoring and event correlation signals attacks in progress – for example, unauthorized access followed by additional security exposures such as cardholder data exfiltration; Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices; Centralized, role-based access control for audit trails and event logs preserves "chain of custody" for investigations.
  • 33. REQUIREMENT 11: Regularly test security systems and processes. PCI DSS Requirement: 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7. USM Capabilities: Vulnerability assessment; Wireless IDS; Host-based intrusion detection (HIDS); File integrity monitoring; SIEM. Benefits: Built-in vulnerability assessment streamlines the scanning and remediation process – one console to manage it all; Built-in wireless IDS detects and alerts on rogue wireless access points, and weak encryption configurations; Built-in host-based intrusion detection identifies the attachment of USB devices including WLAN cards; Unified vulnerability assessment, threat detection, and event correlation provides full situational awareness in order to reliably test security systems and processes; Built-in file integrity monitoring alerts on unauthorized modification of system files, configuration files, or content.
  • 34.
  • 35. CONTACT US Carlos Villalba Director, Security Services Terra Verde Services carlos.villalba@TerraVerdeServices.com 877-707-7997 (x 21) Sandy Hawke VP, Product Marketing AlienVault shawke@alienvault.com Patrick Bass Director, Security Solutions Terra Verde Services patrick.bass@TerraVerdeServices.com 877-707-7997 (x 16)
  • 36. NOW FOR SOME Q&A… Download a Free 30-Day Trial http://www.alienvault.com/free-trial Try our Interactive Demo Site http://www.alienvault.com/live-demo-site Join us for a LIVE Demo! http://www.alienvault.com/marketing/alienvault-usmlive-demo Already a customer? TVS provides training: http://www.terraverdeservices.com/alienvaulttraining.html Questions? hello@alienvault.com
  • 37. VIEW WEBCAST ON-DEMAND… A recorded version of this webcast is available On-Demand, and can be viewed Here.
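Slide 13 describes the change-detection control behind requirement 11.5 (alert on modification of critical files, compare at least weekly) and the 11.5.1 duty to respond to every alert. The script below is an added example for this page, not AlienVault USM, OSSEC or Terra Verde code, and its file names and contents are constructed: it baselines a set of critical files, reports added, removed, modified and re-permissioned files, and also raises an alert when the weekly comparison itself has been missed.

```python
"""Change-detection check in the spirit of PCI DSS 11.5 / 11.5.1: baseline the
critical files, compare them on a schedule (at least weekly) and surface every
finding as an alert that someone must respond to. Added example for this page;
it is not AlienVault USM, OSSEC or Terra Verde code."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_INTERVAL = timedelta(days=7)  # 11.5: critical file comparisons at least weekly


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files stay cheap."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Digest and permission bits of one file, or None if it does not exist."""
    if not os.path.isfile(path):
        return None
    return {"sha256": file_digest(path), "mode": os.stat(path).st_mode & 0o7777}


def build_baseline(paths):
    """Record the trusted state of every monitored path. A path that does not
    exist yet is stored as None so a later appearance is reported as 'added'."""
    now = datetime.now(timezone.utc).isoformat()
    return {"last_compared": now, "files": {p: snapshot(p) for p in paths}}


def compare(baseline, now=None):
    """Compare the live filesystem with the baseline and return alerts.

    Each alert is {"kind", "path", "detail"} with kind one of
    overdue | added | removed | modified | permissions. The baseline is NOT
    updated on a change: an alert has to be investigated and the baseline
    re-taken deliberately (11.5.1 requires a response process); otherwise a
    tampered file silently becomes the new 'known good'."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    last = datetime.fromisoformat(baseline["last_compared"])
    if now - last > MAX_INTERVAL:
        alerts.append({"kind": "overdue", "path": None,
                       "detail": f"last comparison {now - last} ago, limit {MAX_INTERVAL}"})
    for path, expected in baseline["files"].items():
        current = snapshot(path)
        if expected is None and current is not None:
            alerts.append({"kind": "added", "path": path, "detail": current["sha256"]})
        elif expected is not None and current is None:
            alerts.append({"kind": "removed", "path": path, "detail": expected["sha256"]})
        elif expected is not None and current["sha256"] != expected["sha256"]:
            alerts.append({"kind": "modified", "path": path,
                           "detail": f"{expected['sha256'][:12]} -> {current['sha256'][:12]}"})
        elif expected is not None and current["mode"] != expected["mode"]:
            alerts.append({"kind": "permissions", "path": path,
                           "detail": f"{expected['mode']:04o} -> {current['mode']:04o}"})
    baseline["last_compared"] = now.isoformat()  # record that this comparison ran
    return alerts


def demo():
    """Constructed scenario (not real data) in a temporary directory: baseline
    three files, then run the next comparison eight days later, after one file
    was edited, one deleted and an unexpected file appeared."""
    with tempfile.TemporaryDirectory() as d:
        sshd, passwd, app, rogue = (os.path.join(d, n) for n in
                                    ("sshd_config", "passwd", "app.conf", "rogue.so"))
        for p, text in ((sshd, "PermitRootLogin no\n"), (passwd, "root:x:0:0\n"),
                        (app, "db=cde-db01\n")):
            with open(p, "w") as f:
                f.write(text)
        baseline = build_baseline([sshd, passwd, app, rogue])
        assert compare(baseline) == []  # fresh baseline, on schedule: clean
        # Simulated unauthorized changes between two weekly runs (constructed).
        with open(sshd, "w") as f:
            f.write("PermitRootLogin yes\n")
        os.remove(passwd)
        with open(rogue, "w") as f:
            f.write("not a real library\n")
        late = datetime.fromisoformat(baseline["last_compared"]) + timedelta(days=8)
        return compare(baseline, now=late)


if __name__ == "__main__":
    for a in demo():
        print(f"{a['kind']:<12} {a['path'] or '-'}  {a['detail']}")
```

In production the baseline would be stored off-host and signed, and each returned alert would open a ticket for the 11.5.1 response process rather than being printed.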

Editor's notes

  1. Need to add their photos
  2. Before we go into the nitty gritty of the requirements (and let’s face it, that’s the really boring stuff), at a high level what are the core functionalities I need to pass my audit and stay in compliance? Asset visibility (broad and deep); Vulnerability assessment (network, apps, etc); Threat detection: File integrity monitoring, Host-based IDS (on the “interesting” stuff), Network-based IDS, Wireless IDS; Behavioral Monitoring: Service availability (if credit card processing breaks, you have bigger problems), Network anomalies, Policy violations, User activity (especially those with superpowers); Security Intelligence: Event Correlation (here’s where “Big Data” comes in, but yawn who cares, that’s just a processing challenge), Incident Response, Compliance Reporting, Executive Dashboards; Easy management (RBAC, output types, filters, etc.)
  3. Need to add their photos
  4. AlienVault training page – from Terra Verde website. Ed to send me the URL to add here as a CTA