Cognizant 20-20 Insights | February 2013

A Framework for PCI DSS 2.0 Compliance
Assessment and Remediation
By methodically identifying and remediating IT security gaps,
companies can quickly and cost-effectively comply with the Payment
Card Industry Data Security Standard.

Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) 2.0¹ is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its acquiring (merchant) bank.

This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these PCI DSS 2.0 compliance issues. This paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.

Our PCI Compliance Approach

PCI security for merchants and payment card processors results from applying the information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix).

Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase.² Each phase can be executed independently of the other and is then followed by reporting.

Assessment Phase

In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:

• Data gathering (typically three weeks).
• Current state assessment (typically two weeks).
• Gap assessment (typically three weeks).
• Future state roadmap (typically two weeks).

The duration of the assessment phase can differ based on the size of the client infrastructure — the number of devices in the cardholder data environment. Figure 1 shows an example for constructing an assessment-phase plan.

Figure 1: Assessment Phase Planning. Week-by-week plan over 11 weeks: Data Gathering, 3 weeks; Current State Assessment, 2 weeks; Gap Assessment, 3 weeks; Roadmap to Future State, 2 weeks.

PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:

• Network infrastructure.
• Encryption and data protection.
• Vulnerability management.
• Access control.
• Network monitoring.
• Security policies management.

Data gathered is then assessed for gaps across each of these six areas. The gaps in the current “as is” state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve “future” state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:

• Network inventory.
• Software inventory.
• Current state network diagram of the cardholder data environment.
• Inventory of tools and utilities identified.
• Current state policies.
• Gap assessment matrix of PCI controls.
• Best practices followed (if applicable).
• Future state roadmap.

Remediation Phase

During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on the gaps found during the assessment phase. Typical activities during this phase include:

• Planning (typically four to six weeks).
• Designing (eight to 10 weeks).
• Building (12 to 15 weeks).
• Verifying (14 to 16 weeks).
• Deploying (varies).
• Reassessing for the report on compliance (ROC) (eight to 10 weeks).

The reassessment (which includes any final remediation as needed) is conducted in conjunction with an independent Qualified Security Assessor (QSA), qualified by the PCI Security Standards Council, to obtain a report on compliance. Figure 2 illustrates a remediation-phase plan.

Figure 2: Remediation Phase Planning. Week-by-week plan over 46 weeks, with the phases staggered along the timeline: Plan, 4-6 weeks; Design, 8-10 weeks; Build, 12-15 weeks; Verify, 14-16 weeks; Deploy, varies; Reassess for ROC, 10 weeks.

During the planning phase, multiple workshops are held with a core group of personnel that includes both company resources and our consultants.

Overcoming Compliance Issues

There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:

• Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).
• Unavailability of the skilled personnel required to both understand and maintain the security of the credit card data environment.
• No experience executing the required activities, either in achieving PCI DSS compliance for the first time or, once compliant, in maintaining compliance over the next compliance cycle.
• Lack of both awareness of industry best practices and experience with the relevant tools available that fit the requirements of the company's environment.

In our experience, we have found that companies end up investing in the wrong tools and the wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or to not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company's liabilities.

PCI DSS Compliance Services Benefits

We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success.

To execute a PCI compliance program, we provide tools that help along its entire lifecycle, from planning, to design and build, to testing and through validation.

The key benefits of our PCI compliance framework include:

• The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
• Our structured, efficient and practical operational implementation of tools and inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
• Whether it's a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.
• Implementation benefits result in best-in-class, cost-effective and easily maintainable PCI DSS compliance.
• On-the-job, environment-relevant training enables organizations to best fit personnel to function.
• Our large pool of experienced consultants across various industry verticals has experience utilizing technology to enable and protect the client's business.
• Program management capabilities for smoothly managing complex compliance programs.

PCI DSS 2.0 Compliance Work in Action

We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:

• Program management for the PCI remediation program.
• Delivery of security tools from design and install to operations.
• Design and architectural expertise across the client's infrastructure.
• Remediation of all findings from the PCI assessment in preparation for ROC activities.

The entire engagement was delivered in 11 months using a team of 21 professionals working with the client's 75-plus resources and another 35 vendors. We implemented more than 25 tools and services.

Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps in implementing 290 PCI controls, but also incorporated the scope change, working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 shows the extent of work accomplished.

Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 illustrates a progress card created each week in pursuit of ROC readiness.

Figure 5 shows how a tracker is used to reveal readiness to attain an ROC.
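As an added example (not the tracker the paper's authors used), the following Python rolls per-control status up into the per-requirement view that a weekly ROC-readiness tracker of the kind described above presents. The status names, control ids and the sample week are constructed for illustration. It also applies a check a QSA will make at reassessment: a control marked "not applicable" needs a written justification, so an unexplained N/A blocks readiness just as an in-progress control does.

```python
"""Roll per-control status up into the per-requirement readiness view that a
weekly ROC-readiness tracker (as in Figures 4 and 5) presents.

Added example; this is not the tracker used in the engagement described
above. Status names, control ids and the sample records are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IN_PLACE = "in-place"
IN_PROGRESS = "in-progress"
NOT_APPLICABLE = "n/a"


@dataclass(frozen=True)
class Control:
    requirement: int                        # PCI DSS requirement number, 1 to 12
    control_id: str                         # constructed identifier, e.g. "8.3"
    status: str                             # one of the three constants above
    na_justification: Optional[str] = None  # needed when status is "n/a"


@dataclass
class RequirementRollup:
    requirement: int
    in_place: int = 0
    in_progress: int = 0
    not_applicable: int = 0
    blockers: List[str] = field(default_factory=list)

    @property
    def total(self) -> int:
        return self.in_place + self.in_progress + self.not_applicable

    @property
    def ready(self) -> bool:
        # ROC-ready only when nothing is still in progress and every
        # "not applicable" control carries a written justification.
        return self.in_progress == 0 and not self.blockers


def roll_up(controls: List[Control]) -> Dict[int, RequirementRollup]:
    """Group controls by requirement and count them by status, recording
    anything a QSA would refuse to sign off on as a blocker."""
    rollups: Dict[int, RequirementRollup] = {}
    for c in controls:
        r = rollups.setdefault(c.requirement, RequirementRollup(c.requirement))
        if c.status == IN_PLACE:
            r.in_place += 1
        elif c.status == IN_PROGRESS:
            r.in_progress += 1
            r.blockers.append(f"{c.control_id}: still in progress")
        elif c.status == NOT_APPLICABLE:
            r.not_applicable += 1
            if not c.na_justification:
                r.blockers.append(f"{c.control_id}: N/A without justification")
        else:
            raise ValueError(f"unknown status {c.status!r} for {c.control_id}")
    return dict(sorted(rollups.items()))


def roc_ready(rollups: Dict[int, RequirementRollup]) -> bool:
    return all(r.ready for r in rollups.values())


def progress_row(rollups: Dict[int, RequirementRollup]) -> Dict[str, int]:
    """Totals for one column of the weekly progress chart."""
    totals: Counter = Counter()
    for r in rollups.values():
        totals[IN_PLACE] += r.in_place
        totals[IN_PROGRESS] += r.in_progress
        totals[NOT_APPLICABLE] += r.not_applicable
    return dict(totals)


# Constructed sample week; the ids carry no meaning beyond this example.
SAMPLE_WEEK = [
    Control(5, "5.1", IN_PLACE),
    Control(5, "5.2", IN_PLACE),
    Control(8, "8.1", IN_PLACE),
    Control(8, "8.2", IN_PROGRESS),
    Control(8, "8.3", NOT_APPLICABLE, "function not present in the CDE; evidence attached"),
    Control(11, "11.1", NOT_APPLICABLE),      # no justification recorded: blocker
    Control(11, "11.2", IN_PLACE),
    Control(12, "12.1", IN_PLACE),
]


def sample_rollup() -> Dict[int, RequirementRollup]:
    return roll_up(SAMPLE_WEEK)


if __name__ == "__main__":
    rollups = sample_rollup()
    for r in rollups.values():
        state = "ready" if r.ready else "blocked: " + "; ".join(r.blockers)
        print(f"Req{r.requirement} ({r.total}): in-place {r.in_place}, "
              f"in-progress {r.in_progress}, N/A {r.not_applicable}, {state}")
    print("week totals:", progress_row(rollups), "ROC ready:", roc_ready(rollups))
```

Running the module prints one line per requirement in the "Req5 (6)" style of Figure 5, followed by the week's totals that make up one column of the Figure 4 progress chart.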
Figure 3: PCI Remediation System, Device and Process Impacts (Program Accomplishments, PCI 1.2.1 → 2.0 Compliance)

Tools: newly implemented, 12; modified, 1; phased out, 2.
Programs: newly implemented, 3; modified, 5; phased out, 2.
Processes: newly created process flows, 30; modified process flows, 3; phased-out process flows, 4; project management processes followed, 8; project templates created/used, 7.
Systems: applications touched, 8; servers touched, 40; operating systems/DBs touched, 9; POS devices touched, 1,071; desktops touched, 1,418; laptops touched, 300; client proprietary systems touched, 97; JBM machines touched, 850; WCSs touched, 1; jump boxes touched, 4.
Network devices: routers touched, 1,039; switches touched, 3; wireless access points touched, 89; WLCs touched, 2; firewalls touched, 6; content switches touched, 2; modems touched, 1,200; VPN concentrators touched, 2; devices with NTP configuration, 1,320.
Policy, procedures, standards: policies created, 11; policies modified, 2; procedures created, 21; procedures modified, 0; policies phased out, 1; standards created, 31.
Others: stores touched, 1,824; runbooks created, 10; user accounts cleaned (Web, Irving, POS, ZaleCorp), 37,000; new service implementations, 7; service implementation modifications, 1; VA and pen-test remediations performed, 149 and 6; business justification documents created, 3; people given security awareness training, 885; RFCs created, 282; anti-virus upgrades, 1,718; critical security patches applied, 300 devices; stores with hardware encryption, 1,110; stores converted from MPLS to broadband, 16; new vendor contracts created, 1; vendor contracts modified, 8; scope reduction work streams, 7; scope increase activities, 4.

Figure 6 highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS.

The client was pleased with the results, noting that the engagement used realistic and achievable timelines where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: “We were on schedule and under budget by $500K. It was an amazing achievement for the entire team.”

Figure 4: PCI Controls: Weekly Progress. Stacked weekly bars of the number of PCI controls (y-axis, 0 to 300) by status (legend: In-Place, Assessments N/A, In-progress) for the weeks of 3/27, 4/13, 4/20, 4/26, 5/2, 5/4, 5/7, 5/9, 5/11, 5/15, 5/18 and 5/22.

Appendix

PCI Background³

“Assess” is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. “Remediate” is the process of fixing those vulnerabilities. “Report” entails compiling the records required by PCI DSS to validate remediation and submitting compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

PCI DSS 2.0 Requirements

PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1: Assess

• The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes the IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process, including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

  Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitation and where to direct remediation.

• Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to undergo an on-site assessment for PCI DSS compliance. Several SAQ variants (A, B, C, C-VT and D under version 2.0) are specified for different situations.

• Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and attest to compliance with the PCI DSS. ASVs are organizations approved by the PCI SSC to perform the quarterly external vulnerability scans of Internet-facing systems that PCI DSS requires. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.



Tracking PCI Readiness for ROC Status

[Figure 5: horizontal stacked bar chart, one bar per PCI DSS requirement, scaled 0% to 100%. The number of controls under each requirement is given in parentheses; the legend distinguishes N/A, In-place, In-progress and Not-started controls. The counts printed on the bar segments are listed below; the colour that keys each segment to a legend category is not recoverable from the extracted text.]

  Req 12 (40): 40
  Req 11 (24): 2, 22
  Req 10 (29): 1, 28
  Req 9  (28): 28
  Req 8  (32): 10, 22
  Req 7  (7):  7
  Req 6  (32): 32
  Req 5  (6):  6
  Req 4  (9):  6, 3
  Req 3  (34): 23, 11
  Req 2  (24): 1, 23
  Req 1  (25): 25
  Comp Control (compensating controls) (4): 4

Figure 5



                                                              cognizant 20-20 insights                             5
Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas

PCI Remediation: Project Timeline Dashboard (status as of 11-Mar-11)

Columns give the percentage of tasks complete at the 2/29 and 3/11 checkpoints, the current plan figure, the variance (3/11 actual minus plan) and the status. The weekly Gantt bars of the original (2/20 through 4/23) are not reproduced.

Workstream / Task                               Proj #  Owner             Start   End     2/29   3/11   Plan   Var    Status
Overall                                                                                   90%    98%   100%    -2%
Scope Reductions                                                                          78%    98%   100%    -2%
  Scope Reduction Activity A                            Joyce A J         6/1     10/3   100%   100%   100%     -    Completed
  Scope Reduction Activity B                            Michael A         6/1     7/31   100%   100%   100%     -    Completed
  Scope Reduction Activity C                            John G            1/9     3/17   100%   100%   100%     -    Completed
  Scope Reduction Activity D                            John G            2/27    3/19    13%    99%   100%    -1%   In Progress
Network Infrastructure                          1.1                                       99%    99%   100%    -1%
  Firewall Configuration / Routers              1.1.1   Anna P            9/6     3/15    96%    99%   100%    -1%   In Progress
  Vendor Defaults                               1.1.2   John G            7/13    11/15    -      -      -       -    Completed
  System Configurations                         1.1.3   John G            8/8     11/15    -      -      -       -    Completed
  Password Encryption                           1.1.4   Pam A             7/13    10/12    -      -      -       -    Completed
Encryption and Data Protection                  1.2                                       94%    99%   100%    -1%
  Data Storage and Retention                    1.2.1   John G / Anna P   10/19   4/6     92%    99%   100%    -1%   In Progress
  Data Transmission                             1.2.2   John G / Anna P   11/8    3/28    92%    99%   100%    -1%   In Progress
  Encryption of Keys (PIN, PAN)                 1.2.3   John G / Anna P   10/3    4/2     90%    99%   100%    -1%   In Progress
  Data Protection                               1.2.4   Pam A             8/19    3/28    98%   100%   100%     -    Completed
Vulnerability Management                        1.3                                       95%    99%   100%    -1%
  Anti-virus                                    1.3.1   Pam A             7/18    4/3     95%    98%   100%    -2%   In Progress
  Patch Management                              1.3.2   Pam A             7/25    4/5     97%    99%   100%    -1%   In Progress
  Vulnerability Management                      1.3.3   Anna P            10/3    4/6     93%    99%   100%    -1%   In Progress
  Software Life Cycle Management                1.3.4   Pam A             6/1     4/6     92%    99%   100%    -1%   In Progress
  Web Application Firewalls                     1.3.5   John G            9/19    2/3     99%    99%   100%    -1%   In Progress
Access Control                                  1.4                                       77%    99%   100%    -1%
  Access Control                                1.4.1   Anna P            9/1     3/28    99%    99%   100%    -1%   In Progress
  Two Factor Authentication                     1.4.2   Anna P            9/28    3/31    71%    99%   100%    -1%   In Progress
  RADIUS                                        1.4.3   Pam A             9/28    3/31    71%    99%   100%    -1%   In Progress
  Password Management                           1.4.4   John G / Pam A    9/28    3/31    71%    75%    85%   -10%   In Progress
  Facility Management                           1.4.5   Peter K           9/28    3/31    71%    75%    85%   -10%   In Progress
  Physical User Access                          1.4.6   Peter K           9/28    3/31    71%    75%    90%   -15%   In Progress
  Storage Media                                 1.4.7   Peter K           9/28    3/31    71%    75%    90%   -15%   In Progress
Network Monitoring                              1.5                                       62%    87%   100%   -13%
  Audit Logging                                 1.5.1   Anna P            10/12   4/15    82%    94%   100%    -6%   In Progress
  Time Synchronization (NTP)                    1.5.2   Pam A             9/30    4/10    98%    99%   100%    -1%   In Progress
  Wireless Access Monitoring                    1.5.3   John G / Pam A    10/19   4/20    79%    90%   100%   -10%   In Progress
  Internal / External Vulnerability Scanning    1.5.4   Peter K           12/15   4/10    75%    90%   100%   -10%   In Progress
  Internal / External Penetration Testing       1.5.5   Peter K           2/27    4/10    76%    83%   100%   -17%   In Progress
  Intrusion Detection                           1.5.6   Pam A             10/11   4/10    69%    99%   100%    -1%   In Progress
  File Integrity Monitoring                     1.5.7   John G            10/11   4/7     69%    99%   100%    -1%   In Progress
Security Policies Management                    1.6                                       62%    87%   100%   -13%
  Security Policy                               1.6.1   Pam A             10/19   4/5     49%   100%   100%     0%   Completed
  Use Policy                                    1.6.2   Peter K           10/7    12/5     -      -    100%     -    Completed
  Information Security Policy                   1.6.3   Peter K           10/7    12/5     -      -    100%     -    Completed
  Security Awareness                            1.6.4   Peter K           10/7    12/5     -      -    100%     -    Completed
  HR Policy                                     1.6.5   Peter K           10/7    12/5     -      -    100%     -    Completed
  Vendor Policies                               1.6.6   Mike A            10/7    12/5     -      -    100%     -    Completed
  Incident Response Planning                    1.6.7   Mike A            11/7    1/27     -      -    100%     -    Completed

Status key: In Progress (variance under 10%); At Risk (variance 10-19%); Late (variance over 19%); Not Started; Completed; On-hold. The original conveys this key by row colour, which is not reproduced; the status column text is given as printed.

Figure 6


Step 2: Remediate
Remediation is the process of fixing vulnerabilities, whether technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:
•	Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.
•	Reviewing and remediating vulnerabilities found in the on-site assessment (if applicable) or through the self-assessment questionnaire process.
•	Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
•	Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
•	Re-scanning to verify that remediation actually occurred; a scheduled patch or a ticket marked closed is not evidence that the finding is gone.

Step 3: Report
Regular reports are required for PCI compliance; these are submitted to the acquiring bank and to the global payment brands you do business with. The PCI SSC publishes the standard and qualifies assessors but does not enforce compliance; enforcement is the responsibility of the payment brands and acquirers. All merchants and processors must submit a quarterly external vulnerability scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large transaction volumes must conduct an annual on-site assessment completed by a PCI SSC-approved QSA, which produces the Report on Compliance (ROC), and submit the findings to each acquirer. Businesses with smaller transaction volumes may instead be required to submit an annual attestation together with the completed self-assessment questionnaire. Which validation level applies is set by the payment brands and your acquirer; for details, talk to your acquirer.
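The classify, rank, fix and re-scan loop of Step 2, together with the ASV pass/fail rule that drives the quarterly scan report in Step 3, as an added example that is not from the paper or from any scanner vendor: a small Python script that ranks scanner findings by CVSS base score, applies the ASV rule that any finding scoring 4.0 or higher fails the scan (PCI SSC ASV Program Guide), and diffs a baseline scan against a re-scan to show what was fixed, what persists and what is new. The `Finding` record format, the hosts, the finding titles and the scores are constructed sample data and stand in for whatever your scanner exports.

```python
"""Rank scan findings the way an ASV does and verify remediation by re-scan.

Added example with constructed data; it is not output of any real scanner.
"""
from dataclasses import dataclass

# PCI SSC ASV Program Guide rule: any finding with a CVSS base score of
# 4.0 or higher causes the external scan to fail.
ASV_FAIL_THRESHOLD = 4.0


@dataclass(frozen=True)
class Finding:
    """One scanner finding. frozen=True makes it hashable for set diffs."""
    host: str
    port: int
    title: str
    cvss: float  # CVSS base score as reported by the scanner


def severity(cvss: float) -> str:
    """Severity band used by the ASV programme (CVSS v2 bands)."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def rank(findings) -> list:
    """Most serious first; ties broken by host/port/title so successive
    reports list the same findings in the same order."""
    return sorted(findings, key=lambda f: (-f.cvss, f.host, f.port, f.title))


def blocking(findings) -> list:
    """Findings that on their own fail an ASV scan and so must be fixed
    (or disputed with the ASV as a false positive) before it can pass."""
    return rank(f for f in findings if f.cvss >= ASV_FAIL_THRESHOLD)


def asv_result(findings) -> str:
    return "Fail" if blocking(findings) else "Pass"


def verify_remediation(baseline, rescan) -> dict:
    """Diff a baseline scan against a re-scan.

    A finding counts as fixed only if the same title no longer appears on
    the same host and port in the re-scan."""
    before, after = set(baseline), set(rescan)
    return {
        "fixed": rank(before - after),
        "still_open": rank(before & after),
        "new": rank(after - before),
    }


def report(baseline, rescan) -> list:
    """Human-readable remediation summary, one line per finding."""
    diff = verify_remediation(baseline, rescan)
    lines = [f"Baseline scan: {asv_result(baseline)}; re-scan: {asv_result(rescan)}"]
    for label in ("fixed", "still_open", "new"):
        for f in diff[label]:
            lines.append(f"{label:10s} {severity(f.cvss):6s} {f.cvss:4.1f} "
                         f"{f.host}:{f.port} {f.title}")
    return lines


# Constructed sample scans: hosts, titles and scores are illustrative only.
BASELINE = [
    Finding("10.0.1.10", 443, "TLS 1.0 enabled", 4.3),
    Finding("10.0.1.10", 443, "Self-signed certificate", 6.4),
    Finding("10.0.1.20", 3389, "RDP exposed to the Internet", 7.5),
    Finding("10.0.1.30", 80, "Server version disclosed in banner", 2.6),
]
RESCAN = [
    Finding("10.0.1.10", 443, "Self-signed certificate", 6.4),
    Finding("10.0.1.30", 80, "Server version disclosed in banner", 2.6),
    Finding("10.0.1.40", 21, "FTP service transmits credentials in cleartext", 5.0),
]

if __name__ == "__main__":
    print("\n".join(report(BASELINE, RESCAN)))
```

Two points the output makes that the bullet list does not: the re-scan still fails, because one Medium finding was never fixed and a new one appeared on a host that was not in scope the first time, so remediation tracking has to be a diff of scans rather than a checklist of tickets; and the Low finding on port 80 does not block the ASV result on its own, which is what lets you order the work from most to least serious instead of treating every line of scanner output as equal.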




Footnotes
1	PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.
2	The time for each of the phases varies, based on the client's infrastructure footprint and current state of IT processes.
3	This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.




About the Author
Vibha Tyagi is a Principal Consultant within Cognizant’s IT Infrastructure
Services Program Management Practice. She is responsible for executing
multimillion-dollar, large and complex infrastructure programs, and has
spent 19-plus years working with companies across the consumer goods,
retail, telecommunications, energy and financial services industries.
Vibha received a master’s degree in electrical engineering and an M.B.A.
from the University of Chicago’s Booth Graduate School of Business. She
can be reached at Vibha.Tyagi@cognizant.com | Twitter: @VibhaTyagi2 |
LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.




About Cognizant
Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world's leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world. Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.



                                         World Headquarters                  European Headquarters                 India Operations Headquarters
                                         500 Frank W. Burr Blvd.             1 Kingdom Street                      #5/535, Old Mahabalipuram Road
                                         Teaneck, NJ 07666 USA               Paddington Central                    Okkiyam Pettai, Thoraipakkam
                                         Phone: +1 201 801 0233              London W2 6BD                         Chennai, 600 096 India
                                         Fax: +1 201 801 0243                Phone: +44 (0) 20 7297 7600           Phone: +91 (0) 44 4209 6000
                                         Toll Free: +1 888 937 3277          Fax: +44 (0) 20 7121 0102             Fax: +91 (0) 44 4209 6060
                                         Email: inquiry@cognizant.com        Email: infouk@cognizant.com           Email: inquiryindia@cognizant.com


© Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.

Data Modernization: Breaking the AI Vicious Cycle for Superior Decision-making
 
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional ExperiencesIt Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
It Takes an Ecosystem: How Technology Companies Deliver Exceptional Experiences
 
Intuition Engineered
Intuition EngineeredIntuition Engineered
Intuition Engineered
 
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
The Work Ahead: Transportation and Logistics Delivering on the Digital-Physic...
 
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital InitiativesEnhancing Desirability: Five Considerations for Winning Digital Initiatives
Enhancing Desirability: Five Considerations for Winning Digital Initiatives
 
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility MandateThe Work Ahead in Manufacturing: Fulfilling the Agility Mandate
The Work Ahead in Manufacturing: Fulfilling the Agility Mandate
 
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
The Work Ahead in Higher Education: Repaving the Road for the Employees of To...
 
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...Engineering the Next-Gen Digital Claims Organisation for Australian General I...
Engineering the Next-Gen Digital Claims Organisation for Australian General I...
 
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
Profitability in the Direct-to-Consumer Marketplace: A Playbook for Media and...
 
Green Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for SustainabilityGreen Rush: The Economic Imperative for Sustainability
Green Rush: The Economic Imperative for Sustainability
 
Policy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for InsurersPolicy Administration Modernization: Four Paths for Insurers
Policy Administration Modernization: Four Paths for Insurers
 
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with DigitalThe Work Ahead in Utilities: Powering a Sustainable Future with Digital
The Work Ahead in Utilities: Powering a Sustainable Future with Digital
 
AI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to ValueAI in Media & Entertainment: Starting the Journey to Value
AI in Media & Entertainment: Starting the Journey to Value
 
Operations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First ApproachOperations Workforce Management: A Data-Informed, Digital-First Approach
Operations Workforce Management: A Data-Informed, Digital-First Approach
 
Five Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the CloudFive Priorities for Quality Engineering When Taking Banking to the Cloud
Five Priorities for Quality Engineering When Taking Banking to the Cloud
 
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining FocusedGetting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
Getting Ahead With AI: How APAC Companies Replicate Success by Remaining Focused
 
Crafting the Utility of the Future
Crafting the Utility of the FutureCrafting the Utility of the Future
Crafting the Utility of the Future
 
Utilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data PlatformUtilities Can Ramp Up CX with a Customer Data Platform
Utilities Can Ramp Up CX with a Customer Data Platform
 
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
The Work Ahead in Intelligent Automation: Coping with Complexity in a Post-Pa...
 

A Framework for PCI DSS 2.0 Compliance Assessment and Remediation

Cognizant 20-20 Insights | February 2013

By methodically identifying and remediating IT security gaps, companies can quickly and cost-effectively comply with the Payment Card Industry Data Security Standard.

Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) 2.0[1] is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — incorporate the PCI DSS 2.0 in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its merchant bank.

This white paper focuses on three key aspects of PCI DSS 2.0 compliance. First, it provides a brief background on PCI DSS 2.0 and our framework for PCI DSS 2.0 assessment and remediation services. Second, it discusses a set of issues seen by companies seeking PCI DSS 2.0 compliance. Third, it describes how we help address these PCI DSS 2.0 compliance issues. This paper concludes with a case study that shows how we applied our framework in an engagement with a leading North American retailer to quickly and cost-effectively achieve PCI DSS 2.0 compliance.

Our PCI Compliance Approach

PCI security for merchants and payment card processors is the vital result of information security best practices contained in the PCI DSS. The standard includes 12 requirements for any business that stores, processes or transmits cardholder data. These requirements specify the framework for a secure payments environment; for the purposes of PCI compliance, their essence is three steps: assess, remediate and report (see Appendix).

Our approach to PCI compliance includes two phases, the assessment phase and the remediation phase.[2] Each phase can be executed independently of the other and is then followed by reporting.

Assessment Phase

In the assessment phase we typically work a 10- to 12-week session, where the usual activities include:

• Data gathering (typically three weeks).
• Current state assessment (typically two weeks).
• Gap assessments (typically three weeks).
• Future state roadmap (typically two weeks).

The duration of the assessment phase can differ
based on the size of the client infrastructure — the number of devices in the cardholder data environment. Figure 1 shows an example for constructing an assessment-phase plan.

Figure 1: Assessment Phase Planning (week number 1 to 11): Data Gathering, 3 weeks; Current State Assessment, 2 weeks; Gap Assessment, 3 weeks; Roadmap to Future State, 2 weeks.

PCI DSS is based on technical and operational requirements related to 12 different areas; data gathering is performed across six conceptual areas, covering the following:

• Network infrastructure.
• Encryption and data protection.
• Vulnerability management.
• Access control.
• Network monitoring.
• Security policies management.

Data gathered is then assessed for gaps across each of these six areas. The gaps in the current “as is” state are then categorized as high, medium and low in each area relative to the goal of achieving PCI DSS 2.0 compliance. The final deliverable includes a roadmap for remediating the discovered gaps in order to achieve “future” state PCI DSS 2.0 compliance for the cardholder data environment. The deliverables at this phase include, but are not limited to:

• Network inventory.
• Software inventory.
• Current state network diagram of the cardholder data environment.
• Inventory of tools and utilities identified.
• Current state policies.
• Gap assessment matrix of PCI controls.
• Best practices followed (if applicable).
• Future state roadmap.

Remediation Phase

During the remediation phase, our team evaluates the effort based on the gaps and the roadmap delivered during the assessment phase. Implementation duration depends on gaps found during the assessment phase. Typical activities during this phase include:

• Planning (typically, four to six weeks).
• Designing (eight to 10 weeks).
• Building (12 to 15 weeks).
• Verifying (14 to 16 weeks).
• Deploying (varies).
• Reassessing for report on compliance (ROC) (eight to 10 weeks).

The reassessment (which includes any final remediation as needed) is conducted in conjunction with a (QSA approved) third-party assessor to gain a report of compliance. Figure 2 illustrates a remediation-phase plan.

Figure 2: Remediation Phase Planning (week number 1 to 46): Plan, 4-6 weeks; Design, 8-10 weeks; Build, 12-15 weeks; Verify, 14-16 weeks; Deploy, varies; Reassess for ROC, 10 weeks.

During the planning phase, there are multiple workshops held with a core group of personnel that will include both company resources as well as our consultants.

Overcoming Compliance Issues

There are many PCI DSS 2.0 compliance hurdles for companies that store, process and transmit credit card information in their processing environments. Among these, the most critical issues faced include:

• Incomplete awareness of the environment, and not understanding what is, and what is not, part of the credit card data environment (i.e., the target environment for compliance).
• Unavailability of skilled personnel required to both understand and maintain the security of the credit card data environment.
• No experience executing activities required, either in first time PCI DSS compliance or, once PCI DSS compliant, in maintaining compliance over the next cycle of compliance.
• Lack of both awareness of industry best practices and experience with relevant tools available that fit the requirements for the company’s environment.

In our experience, we have found that companies end up investing in the wrong tools and wrong areas, and have no strategic direction when architecting solutions, due to a lack of awareness of the target environment or not having the skilled personnel to make key strategic security decisions. These shortcomings leave the target environment vulnerable, which has a direct impact on the business and the company’s liabilities.

PCI DSS Compliance Services Benefits

We use a hybrid model of both offshore and on-site consultants to deliver the best value for the money spent on a PCI DSS 2.0 compliance program. We deploy a pool of experienced subject matter experts across various areas of technology and business environments to ensure program success.

To execute a PCI compliance program, we provide tools that help all along its entire lifecycle, from planning, to design and build, to testing and through validation.

The key benefits of our PCI compliance framework include:

• The client gains awareness of its credit card data environment, and can apply our recommendations and best practices to achieve and keep the environment secure and up-to-date.
• Our structured, efficient and practical operational implementation of tools and inter-workings can be applied across multi-organizational design dimensions in ways that are scalable and extensible.
• Whether it’s a first-time implementation or a project to maintain PCI compliance, the process is painless, as a result of our precision planning and program management expertise throughout the engagement.
• Implementation benefits result in best-in-class, cost-effective and easy maintainability of PCI DSS compliance.
• On-the-job, environment-relevant training enables organizations to best fit personnel to function.
• Our large pool of experienced consultants across various industry verticals have experience utilizing technology to enable and protect the client’s business.
• Program management capabilities for smoothly managing complex compliance programs.

PCI DSS 2.0 Compliance Work in Action

We were recently engaged by a leading North American retailer to help remediate its credit card data environment. We delivered the following services:

• Program management for the PCI remediation program.
• Delivery of security tools from design and install to operations.
• Design and architectural expertise across the client’s infrastructure.
• Remediation of all findings during the PCI assessment for ROC activities.

The entire engagement was delivered in 11 months using a team of 21 professionals working with the client’s 75-plus resources and another 35 vendors. We implemented more than 25 tools and services.

Several hurdles were overcome during the remediation program. One key challenge was a late scope change from PCI DSS 1.2 compliance to PCI DSS 2.0 compliance. The program not only addressed gaps implementing 290 PCI controls, but also incorporated the scope change working closely with the client. The program was delivered on time, and with significant cost savings to the client. Figure 3 (next page) shows the extent of work accomplished.

Post-remediation, a QSA vendor assessed project performance to create an ROC. Figure 4 (on page 5) illustrates a progress card created each week in pursuit of ROC readiness.

Figure 5 (on page 5) shows how a tracker is used to reveal readiness to attain an ROC.
Figure 3: PCI Remediation Program Accomplishments, System, Device and Process Impacts. The table counts, per category: tools and programs newly implemented, modified or phased out; process flows created, modified or phased out, project management processes followed and project templates created or used; systems touched (applications, servers, operating systems and databases, POS devices, desktops, laptops, client proprietary systems, jump boxes); network devices touched (routers, switches, wireless access points, WLCs, firewalls, content switches, modems, VPN concentrators, devices with NTP configuration); policies, procedures and standards created, modified or phased out; stores touched, runbooks created, user accounts cleaned, service implementations, VA/pen-test remediations, business justification documents, security awareness training, RFCs, anti-virus upgrades, critical security patches, hardware encryption; and vendor contracts created or modified, scope reduction work streams and scope increase activities.

Figure 6 (on page 6) highlights program tracking across the key conceptual areas within our framework, covering each of the 12 requirements defined by PCI DSS.

The client was pleased with the results, noting that the engagement used realistic and achievable timelines where milestones, deliverables and resources were continuously fine-tuned to keep key activities on track. In fact, the CIO later told us: “We were on schedule and under budget by $500K. It was an amazing achievement for the entire team.”

Appendix

PCI Background[3]

“Assess” is to take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose cardholder data. “Remediate” is the process of fixing those vulnerabilities. “Report” entails compiling records required by PCI DSS to validate remediation and submit compliance reports to the acquiring bank and global payment brands. Carrying out these three steps is an ongoing process for continuous compliance with the PCI DSS requirements. These steps also enable vigilant assurance of payment card data safety.

PCI DSS 2.0 Requirements

PCI DSS version 2.0 is the global data security standard that any business of any size must follow to accept payment cards, and to store, process and/or transmit cardholder data. It presents common-sense steps that mirror best security practices.

Step 1: Assess

• The primary goal of assessment is to identify all technology and process vulnerabilities that pose risks to the security of cardholder data that is transmitted, processed or stored. Study the PCI DSS for detailed requirements. It describes IT infrastructure and processes that access the payment account infrastructure. Determine how cardholder data flows from beginning to end of the transaction process,
including PCs and laptops that access critical systems and storage mechanisms for paper receipts, etc. Check the versions of personal identification number (PIN) entry terminals and software applications used for payment card transactions and processing to ensure they have passed PCI compliance validation.

Note: Your liability for PCI compliance also extends to third parties involved with your process flow; therefore, your organization must also confirm that partner processes are compliant. Comprehensive assessment is a vital part of understanding what elements may be vulnerable to security exploitations and where to direct remediation.

• Self-assessment questionnaire (SAQ): The SAQ is a validation tool for merchants and service providers that are not required to do on-site assessments for PCI DSS compliance. Four SAQs are specified for various situations.
• Qualified assessors: The PCI Security Standards Council (PCI SSC) provides programs for two kinds of independent experts to help with your PCI assessment: Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV). QSAs have trained personnel and processes to assess and prove compliance with the PCI DSS. ASVs provide commercial software tools to perform vulnerability scans for your systems. Visit https://www.pcisecuritystandards.org/approved_companies_providers/index.php for details and links to qualified assessors.

Figure 4: PCI Controls: Weekly Progress. A chart of the number of PCI controls (out of 300) that are in place, in progress or not applicable, tracked weekly from 3/27 through 5/22.

Figure 5: Tracking PCI Readiness for ROC Status. A bar chart showing, for each PCI DSS requirement, the share of controls in place, in progress, not started or not applicable: Req1 (25 controls), Req2 (24), Req3 (34), Req4 (9), Req5 (6), Req6 (32), Req7 (7), Req8 (32), Req9 (28), Req10 (29), Req11 (24), Req12 (40) and compensating controls (4).
Figure 6: Illustrative Workstream Tracking Across Six PCI DSS Conceptual Areas (PCI Remediation: Project Timeline Dashboard, 11-Mar-11). For each workstream the dashboard lists project number, owner, start and end dates, current and planned percentage of tasks complete, variance and status (In Progress, At Risk, Late, Not Started, Completed, On-hold). Workstreams shown:

• Scope Reductions: Scope Reduction Activities A through D.
• Network Infrastructure (1.1): Firewall Configuration / Routers; Vendor Defaults; System Configurations; Password Encryption.
• Encryption and Data Protection (1.2): Data Storage and Retention; Data Transmission; Encryption of Keys (PIN, PAN); Data Protection.
• Vulnerability Management (1.3): Anti-virus; Patch Management; Vulnerability Management; Software Life Cycle Management; Web Application Firewalls.
• Access Control (1.4): Access Control; Two Factor Authentication; RADIUS; Password Management; Facility Management; Physical User Access; Storage Media.
• Network Monitoring (1.5): Audit Logging; Time Synchronization (NTP); Wireless Access Monitoring; Internal / External Vulnerability Scanning; Internal / External Penetration; Intrusion Detection; File Integrity Monitoring.
• Security Policies Management (1.6): Security Policy; Use Policy; Information Security Policy; Security Awareness; HR Policy; Vendor Policies; Incident Response Planning.

Step 2: Remediate

Remediation is the process of fixing vulnerabilities — including technical flaws in software code or unsafe practices in how an organization processes or stores cardholder data. Steps include:

• Scanning your network with software tools that analyze infrastructure and spot known vulnerabilities.
• Reviewing and remediating vulnerabilities found in on-site assessment (if applicable) or through the self-assessment questionnaire process.
• Classifying and ranking the vulnerabilities to help prioritize the order of remediation, from most serious to least serious.
• Applying patches, fixes, work-arounds and changes to unsafe processes and workflows.
• Re-scanning to verify that remediation actually occurred.

Step 3: Report

Regular reports are required for PCI compliance; these are submitted to the acquiring bank and global payment brands that you do business with. The PCI SSC is not responsible for PCI compliance. All merchants and processors must submit a quarterly scan report, which must be completed by a PCI SSC-approved ASV. Businesses with large flows must conduct an annual on-site assessment completed by a PCI SSC-approved QSA and submit the findings to each acquirer. Businesses with small transaction flows may be required to submit an annual attestation within the self-assessment questionnaire. For more details, talk to your acquirer.
Footnotes

[1] PCI DSS is a standard developed by the PCI Security Standards Council, which is an open global forum; to read related documents, see: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PCI-DSS.

[2] The time for each of the phases varies, based on the client’s infrastructure footprint and current state of IT processes.

[3] This material was extracted from the PCI Security Standards Council; for more information on the council, visit its Web site: https://www.pcisecuritystandards.org/index.php.

About the Author

Vibha Tyagi is a Principal Consultant within Cognizant’s IT Infrastructure Services Program Management Practice. She is responsible for executing multimillion-dollar, large and complex infrastructure programs, and has spent 19-plus years working with companies across the consumer goods, retail, telecommunications, energy and financial services industries. Vibha received a master’s degree in electrical engineering and an M.B.A. from the University of Chicago’s Booth Graduate School of Business. She can be reached at Vibha.Tyagi@cognizant.com | Twitter: @VibhaTyagi2 | LinkedIn: http://www.linkedin.com/pub/vibha-tyagi/0/794/8b6.

About Cognizant

Cognizant (NASDAQ: CTSH) is a leading provider of information technology, consulting, and business process outsourcing services, dedicated to helping the world’s leading companies build stronger businesses. Headquartered in Teaneck, New Jersey (U.S.), Cognizant combines a passion for client satisfaction, technology innovation, deep industry and business process expertise, and a global, collaborative workforce that embodies the future of work. With over 50 delivery centers worldwide and approximately 156,700 employees as of December 31, 2012, Cognizant is a member of the NASDAQ-100, the S&P 500, the Forbes Global 2000, and the Fortune 500 and is ranked among the top performing and fastest growing companies in the world.

Visit us online at www.cognizant.com or follow us on Twitter: Cognizant.

World Headquarters: 500 Frank W. Burr Blvd., Teaneck, NJ 07666 USA. Phone: +1 201 801 0233. Fax: +1 201 801 0243. Toll Free: +1 888 937 3277. Email: inquiry@cognizant.com
European Headquarters: 1 Kingdom Street, Paddington Central, London W2 6BD. Phone: +44 (0) 20 7297 7600. Fax: +44 (0) 20 7121 0102. Email: infouk@cognizant.com
India Operations Headquarters: #5/535, Old Mahabalipuram Road, Okkiyam Pettai, Thoraipakkam, Chennai, 600 096 India. Phone: +91 (0) 44 4209 6000. Fax: +91 (0) 44 4209 6060. Email: inquiryindia@cognizant.com

© Copyright 2013, Cognizant. All rights reserved. No part of this document may be reproduced, stored in a retrieval system, transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the express written permission from Cognizant. The information contained herein is subject to change without notice. All other trademarks mentioned herein are the property of their respective owners.