SlideShare una empresa de Scribd logo

Pcishrinktofitpresentation 151125162550-lva1-app6891

Descargar como PPTX, PDF
Risk Crew
Risk Crew

PCI stands for “Payment Card Industry”. which is comprised of representatives from the major card brands (Visa, MasterCard, American Express, Discover, JCB etc.) who came together to set minimum security requirements for protecting cardholder data. To achieve this, they wrote a framework of security controls known as the PCI DSS. They wrote a number of other directives but this is the main one that applies to the majority of businesses. The PCI DSS consists of six goals, 12 requirements and 286 controls and must be implemented by any business that processes, stores or transmits credit or debit card holder data. The requirement for PCI DSS compliance is stated in your agreement with the bank that issues you a merchant identification. Your business is required to certify compliance to your bank upon achieving it and annually thereafter. The banks report your compliance to the PCI SCC and can issues fines for non-compliance.

Tecnología
1 de 20
PCI: SHRINK TO FIT
Expectations
THE STANDARD
THE STRUCTURE The PCI DSS standard is based upon the following 6 core principles and 12 requirements: 288 controls Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data. Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
THE APPROACH • Risk-based prioritisation of implementation of the controls • Milestone 1: Identify what you have, where you have it and write policies to protect it. • Milestone 2: Network integrity • Milestone 3: Code integrity • Milestone 4: Logs & records • Milestone 5: Incidents • Miles 6: Auditing & testing
THE SCOPE • Any systems that process, store or transmit cardholder data (credit or debit) • Any systems that connect to them
DISCOVER & DOCUMENT
IDENTIFY LEAKAGE Endpoint Social Engineering Data-In-Motion Data-At-Rest Physical Data Loss Laptop / Desktop Server CD / DVD USB iPod MemoryStick PCMCIA MemoryCard Readers Communication Bluetooth Infrared Firewire Serial / Parallel Ports Virtual Machine Other Threat Vectors Screen Scrapers Trojans KeyLoggers Phishing / Spear Phishing Piggybacking Dumpster (Skip) Diving Contractors Road Apple Eavesdropping E-Mail HTTP/S SSH FTP IM VoIP P2P Blogs Databases File Systems File Servers NAS SANs / iSCSI Storage Voice Mail Video Surveillance Printers Backup Tapes / CD / DVD Laptop / Desktop / Server Fax Photocopier Mobile Phone / PDA Digital Camera (incl. Mobile Phone Cameras) Incorrect Disposal Printed Reports
#2 DESTROY & DE-SCOPE  Both hard & soft copies  If you don’t need it – delete it.  Take your time. Use your CDE map.  Stakeholders sign off  Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards  Include 3rd parties & back up systems  Be ruthless (without Ruth)
#3 OUTSOURCE & OVERSIGHT • What can you outsource? • Risk transference vs. risk mitigation • Compliance requirement in SLA • Should not be cost plus • See proof (ask for copy of their RoC) • Conduct annual onsite audit • Still need program • The liability is still yours
#4 SEPARATE & SEGMENT  Led by “need to know”  Always ask: Why?  Should not be vendor led  Firewall, VLAN, software…  Subnets  Wireless networks  3rd party suppliers! “Any systems connected” to the CDE
POINT-2-POINT ENCRYPTION
ENCRYPTION • Card brand specific technology requirements • PoS configuration requirements • Bank-owned vs. Merchant-owned devices • Compliance requirement in contract & SLA • Who’s responsible for a breach? • Still have compliance validation requirement
#5 TOKENISE • Can significantly downsize scope • Card data replaced by “token” (surrogate value) • Card data stored in centralised vault • Servers processing, storing or transmitting card holder data in scope • Servers processing, storing or transmitting surrogate values not in scope
MODEL
TOKENISATION • Where tokens and card data meet = in scope • Tokenisation hosting solution critical • Be careful of “hybrid” solutions • See PCI Standards Council site for guidance • Test the solution! • This is no silver bullet • Validation still required
5 WAYS TO REDUCE PCI Discover & Document Destroy & De-scope Outsource & Oversight Separate & Segment Tokenisation
BEST WAY Understand that the PCI DSS is a “risk management framework” Not a checklist
www.riskfactory.com 0800 978 8139
A DIFFERENT PERSPECTIVE FROM: www.riskfactory.com 0800 978 8139

Recomendados

You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…Rochester Security Summit
 
Securing Applications using WSO2 Identity Server and CASQUE
Securing Applications using WSO2 Identity Server and CASQUESecuring Applications using WSO2 Identity Server and CASQUE
Securing Applications using WSO2 Identity Server and CASQUEWSO2
 
Presciense InterQuest IoT Talk
Presciense InterQuest IoT TalkPresciense InterQuest IoT Talk
Presciense InterQuest IoT TalkJonathan Lishawa
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor
Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe HarborUnsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor
Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe HarborRay Potter
 
PCI Change Detection: Thinking Beyond the Checkbox
PCI Change Detection: Thinking Beyond the CheckboxPCI Change Detection: Thinking Beyond the Checkbox
PCI Change Detection: Thinking Beyond the CheckboxTripwire
 
6 Steps to Secure Network Devices
6 Steps to Secure Network Devices6 Steps to Secure Network Devices
6 Steps to Secure Network DevicesLisa Kearney
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 

Recomendados

You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…You Know You Need PCI Compliance Help When…
You Know You Need PCI Compliance Help When…Rochester Security Summit
 
Securing Applications using WSO2 Identity Server and CASQUE
Securing Applications using WSO2 Identity Server and CASQUESecuring Applications using WSO2 Identity Server and CASQUE
Securing Applications using WSO2 Identity Server and CASQUEWSO2
 
Presciense InterQuest IoT Talk
Presciense InterQuest IoT TalkPresciense InterQuest IoT Talk
Presciense InterQuest IoT TalkJonathan Lishawa
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityEryk Budi Pratama
 
Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor
Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe HarborUnsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe Harbor
Unsafe Harbor - Tailoring Encryption to Meet HIPAA and Safe HarborRay Potter
 
PCI Change Detection: Thinking Beyond the Checkbox
PCI Change Detection: Thinking Beyond the CheckboxPCI Change Detection: Thinking Beyond the Checkbox
PCI Change Detection: Thinking Beyond the CheckboxTripwire
 
6 Steps to Secure Network Devices
6 Steps to Secure Network Devices6 Steps to Secure Network Devices
6 Steps to Secure Network DevicesLisa Kearney
 
Hotpin datasheet
Hotpin datasheetHotpin datasheet
Hotpin datasheetHai Nguyen
 
New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 Cyd Isaak Francisco
 
Mrx security
Mrx securityMrx security
Mrx securitydavidjd
 
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data LossSeqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data LossQuick Heal Technologies Ltd.
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sally's Special Services
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS ComplianceSaumya Vishnoi
 
IT Security: What an In-Plant Print Center Needs to Know
IT Security: What an In-Plant Print Center Needs to KnowIT Security: What an In-Plant Print Center Needs to Know
IT Security: What an In-Plant Print Center Needs to KnowRochester Software Associates
 
Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Jamal Soudi
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 
Hem infotech company profile
Hem infotech company profileHem infotech company profile
Hem infotech company profileHem Infotech
 
Need for cybersecurity
Need for cybersecurityNeed for cybersecurity
Need for cybersecuritySri Manakula Vinayagar Engineering College
 
Essentials of PCI Assessment
Essentials of PCI Assessment Essentials of PCI Assessment
Essentials of PCI Assessment Gazzang
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSSControlCase
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutionssecurityxploded
 
The Secure laptop - intro BXL
The Secure laptop - intro BXLThe Secure laptop - intro BXL
The Secure laptop - intro BXLSectricity
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers GuideLumension
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Marco Di Martino
 
Point-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdatePoint-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdateMerchant Link
 
Signature Presentation(10062011) Vc 3 Full
Signature Presentation(10062011) Vc 3 FullSignature Presentation(10062011) Vc 3 Full
Signature Presentation(10062011) Vc 3 Fullnoelheng
 
Feria del arte en bogotá arte y teatro - eltiempo
Feria del arte en bogotá arte y teatro - eltiempoFeria del arte en bogotá arte y teatro - eltiempo
Feria del arte en bogotá arte y teatro - eltiempoangiepalacios24
 
2.02.07 varroosis
2.02.07 varroosis2.02.07 varroosis
2.02.07 varroosisPatricio Crespo
 

Más contenido relacionado

La actualidad más candente

New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 Cyd Isaak Francisco
 
Mrx security
Mrx securityMrx security
Mrx securitydavidjd
 
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data LossSeqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data LossQuick Heal Technologies Ltd.
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sally's Special Services
 
IT Security: What an In-Plant Print Center Needs to Know
IT Security: What an In-Plant Print Center Needs to KnowIT Security: What an In-Plant Print Center Needs to Know
IT Security: What an In-Plant Print Center Needs to KnowRochester Software Associates
 
Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Jamal Soudi
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Redspin, Inc.
 
Hem infotech company profile
Hem infotech company profileHem infotech company profile
Hem infotech company profileHem Infotech
 
Essentials of PCI Assessment
Essentials of PCI Assessment Essentials of PCI Assessment
Essentials of PCI Assessment Gazzang
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutionssecurityxploded
 
The Secure laptop - intro BXL
The Secure laptop - intro BXLThe Secure laptop - intro BXL
The Secure laptop - intro BXLSectricity
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers GuideLumension
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Marco Di Martino
 
Point-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdatePoint-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdateMerchant Link
 
Signature Presentation(10062011) Vc 3 Full
Signature Presentation(10062011) Vc 3 FullSignature Presentation(10062011) Vc 3 Full
Signature Presentation(10062011) Vc 3 Fullnoelheng
 

La actualidad más candente (20)

New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016 New VIPRE_DS_EndpointSecurity_2016
New VIPRE_DS_EndpointSecurity_2016
 
Mrx security
Mrx securityMrx security
Mrx security
 
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data LossSeqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
Seqrite Data Loss Prevention- Complete Protection from Data Theft and Data Loss
 
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
Sallysspecialservices networksecurityproposal2-100305141834-phpapp02
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
IT Security: What an In-Plant Print Center Needs to Know
IT Security: What an In-Plant Print Center Needs to KnowIT Security: What an In-Plant Print Center Needs to Know
IT Security: What an In-Plant Print Center Needs to Know
 
Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements Payment Card Industry Compliance Requirements
Payment Card Industry Compliance Requirements
 
Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...Understanding the Experian independent third party assessment (EI3PA ) requir...
Understanding the Experian independent third party assessment (EI3PA ) requir...
 
Hem infotech company profile
Hem infotech company profileHem infotech company profile
Hem infotech company profile
 
Need for cybersecurity
Need for cybersecurityNeed for cybersecurity
Need for cybersecurity
 
Essentials of PCI Assessment
Essentials of PCI Assessment Essentials of PCI Assessment
Essentials of PCI Assessment
 
P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
Fingerprinting healthcare institutions
Fingerprinting healthcare institutionsFingerprinting healthcare institutions
Fingerprinting healthcare institutions
 
The Secure laptop - intro BXL
The Secure laptop - intro BXLThe Secure laptop - intro BXL
The Secure laptop - intro BXL
 
2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide2015 Endpoint and Mobile Security Buyers Guide
2015 Endpoint and Mobile Security Buyers Guide
 
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet ChallengeWSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
WSO2Con EU 2015: Keynote - The Identity of Things: The Next Internet Challenge
 
Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3Presentazione-CyberArk-MDM-v3
Presentazione-CyberArk-MDM-v3
 
Point-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance UpdatePoint-to-Point Encryption: Best Practices and PCI Compliance Update
Point-to-Point Encryption: Best Practices and PCI Compliance Update
 
Signature Presentation(10062011) Vc 3 Full
Signature Presentation(10062011) Vc 3 FullSignature Presentation(10062011) Vc 3 Full
Signature Presentation(10062011) Vc 3 Full
 

Destacado

Feria del arte en bogotá arte y teatro - eltiempo
Feria del arte en bogotá arte y teatro - eltiempoFeria del arte en bogotá arte y teatro - eltiempo
Feria del arte en bogotá arte y teatro - eltiempoangiepalacios24
 
Orgullo colombiano yeka
Orgullo colombiano yekaOrgullo colombiano yeka
Orgullo colombiano yekajessicaflo
 
JAGarcia _Portfolio
JAGarcia _PortfolioJAGarcia _Portfolio
JAGarcia _PortfolioJhune Garcia
 

Destacado (11)

Feria del arte en bogotá arte y teatro - eltiempo
Feria del arte en bogotá arte y teatro - eltiempoFeria del arte en bogotá arte y teatro - eltiempo
Feria del arte en bogotá arte y teatro - eltiempo
 
2.02.07 varroosis
2.02.07 varroosis2.02.07 varroosis
2.02.07 varroosis
 
Basics of seo
Basics of seoBasics of seo
Basics of seo
 
Orgullo colombiano yeka
Orgullo colombiano yekaOrgullo colombiano yeka
Orgullo colombiano yeka
 
Viviendas precarias
Viviendas precariasViviendas precarias
Viviendas precarias
 
JAGarcia _Portfolio
JAGarcia _PortfolioJAGarcia _Portfolio
JAGarcia _Portfolio
 
TCFLEFTalk
TCFLEFTalkTCFLEFTalk
TCFLEFTalk
 
TPLプレゼン
TPLプレゼンTPLプレゼン
TPLプレゼン
 
NAIT 2015 WE
NAIT 2015 WENAIT 2015 WE
NAIT 2015 WE
 
JAGarcia _CV
JAGarcia _CVJAGarcia _CV
JAGarcia _CV
 
clase de deporte
clase de deporteclase de deporte
clase de deporte
 

Similar a Pcishrinktofitpresentation 151125162550-lva1-app6891

ControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)Maksim Djackov
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS ComplianceControlCase
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSControlCase
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSSKimberly Simon MBA
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Risk Crew
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSSControlCase
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008Denny Lee
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptwebhostingguy
 
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...DataStax
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Trend Micro
 
Key Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataPrecisely
 

Similar a Pcishrinktofitpresentation 151125162550-lva1-app6891 (20)

ControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSSControlCase Data Discovery and PCI DSS
ControlCase Data Discovery and PCI DSS
 
PCI Compliance (for developers)
PCI Compliance (for developers)PCI Compliance (for developers)
PCI Compliance (for developers)
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
PCI DSS for Pentesting
PCI DSS for PentestingPCI DSS for Pentesting
PCI DSS for Pentesting
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 
Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892Riskfactorypcitheessentials 151125164111-lva1-app6892
Riskfactorypcitheessentials 151125164111-lva1-app6892
 
PCI DSS for Penetration Testing
PCI DSS for Penetration TestingPCI DSS for Penetration Testing
PCI DSS for Penetration Testing
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Tizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.pptTizor_Data-Best-Practices.ppt
Tizor_Data-Best-Practices.ppt
 
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
Don’t Get Caught in a PCI Pickle: Meet Compliance and Protect Payment Card Da...
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012Where to Store the Cloud Encryption Keys - InterOp 2012
Where to Store the Cloud Encryption Keys - InterOp 2012
 
Key Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i Data
 

Más de Risk Crew

Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Risk Crew
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Crew
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Crew
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Crew
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Crew
 
Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Crew
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Crew
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Crew
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Crew
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Crew
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Crew
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Crew
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Crew
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Crew
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Crew
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Crew
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Crew
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Crew
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Crew
 

Más de Risk Crew (19)

Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891Databasetheft 151120161435-lva1-app6891
Databasetheft 151120161435-lva1-app6891
 
Risk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a HackerRisk Factory: Inside the Mind of a Hacker
Risk Factory: Inside the Mind of a Hacker
 
Risk Factory The 2014 Numbers
Risk Factory The 2014 NumbersRisk Factory The 2014 Numbers
Risk Factory The 2014 Numbers
 
Risk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best PracticeRisk Factory Information Security Coordination Challenges & Best Practice
Risk Factory Information Security Coordination Challenges & Best Practice
 
Risk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big DataRisk Factory Big Daddy Digs Big Data
Risk Factory Big Daddy Digs Big Data
 
Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013Risk Factory: Top 10 Risks 2013
Risk Factory: Top 10 Risks 2013
 
Risk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile DevicesRisk Factory: Getting a Grip on Mobile Devices
Risk Factory: Getting a Grip on Mobile Devices
 
Risk Factory: PCI - The Essentials
Risk Factory: PCI - The EssentialsRisk Factory: PCI - The Essentials
Risk Factory: PCI - The Essentials
 
Risk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response ProgrammeRisk Factory: How to Implement an Effective Incident Response Programme
Risk Factory: How to Implement an Effective Incident Response Programme
 
Risk Factory: Beyond Data Leakage
Risk Factory: Beyond Data LeakageRisk Factory: Beyond Data Leakage
Risk Factory: Beyond Data Leakage
 
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment IndustryRisk Factory: Security Lessons From the Online Adult Entertainment Industry
Risk Factory: Security Lessons From the Online Adult Entertainment Industry
 
Risk Factory: Let's Get Physical
Risk Factory: Let's Get PhysicalRisk Factory: Let's Get Physical
Risk Factory: Let's Get Physical
 
Risk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to FitRisk Factory: PCI Shrink to Fit
Risk Factory: PCI Shrink to Fit
 
Risk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the CloudRisk Factory: PCI Compliance in the Cloud
Risk Factory: PCI Compliance in the Cloud
 
Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron? Risk Factory: Database Security: Oxymoron?
Risk Factory: Database Security: Oxymoron?
 
Risk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back DoorRisk Factory: Modems the Forgotten Back Door
Risk Factory: Modems the Forgotten Back Door
 
Risk Factory How to Steal an Identity
Risk Factory How to Steal an IdentityRisk Factory How to Steal an Identity
Risk Factory How to Steal an Identity
 
Risk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic EavesdroppingRisk Factory: The State of Electronic Eavesdropping
Risk Factory: The State of Electronic Eavesdropping
 
Risk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best PracticesRisk Factory Geo-location Security Issues & Best Practices
Risk Factory Geo-location Security Issues & Best Practices
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 

Último (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 

Pcishrinktofitpresentation 151125162550-lva1-app6891

  • 4. THE STRUCTURE The PCI DSS standard is based upon the following 6 core principles and 12 requirements: 288 controls Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data. Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Protect Cardholder Data Requirement 3: Protect stored cardholder data. Requirement 4: Encrypt transmission of cardholder data across open, public networks. Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software. Requirement 6: Develop and maintain secure systems and applications. Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know. Requirement 8: Assign a unique ID to each person with computer access. Requirement 9: Restrict physical access to cardholder data. Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data. Requirement 11: Regularly test security systems and processes. Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
  • 5. THE APPROACH • Risk-based prioritisation of implementation of the controls • Milestone 1: Identify what you have, where you have it and write policies to protect it. • Milestone 2: Network integrity • Milestone 3: Code integrity • Milestone 4: Logs & records • Milestone 5: Incidents • Miles 6: Auditing & testing
  • 6. THE SCOPE • Any systems that process, store or transmit cardholder data (credit or debit) • Any systems that connect to them
  • 8. IDENTIFY LEAKAGE Endpoint Social Engineering Data-In-Motion Data-At-Rest Physical Data Loss Laptop / Desktop Server CD / DVD USB iPod MemoryStick PCMCIA MemoryCard Readers Communication Bluetooth Infrared Firewire Serial / Parallel Ports Virtual Machine Other Threat Vectors Screen Scrapers Trojans KeyLoggers Phishing / Spear Phishing Piggybacking Dumpster (Skip) Diving Contractors Road Apple Eavesdropping E-Mail HTTP/S SSH FTP IM VoIP P2P Blogs Databases File Systems File Servers NAS SANs / iSCSI Storage Voice Mail Video Surveillance Printers Backup Tapes / CD / DVD Laptop / Desktop / Server Fax Photocopier Mobile Phone / PDA Digital Camera (incl. Mobile Phone Cameras) Incorrect Disposal Printed Reports
  • 9. #2 DESTROY & DE-SCOPE  Both hard & soft copies  If you don’t need it – delete it.  Take your time. Use your CDE map.  Stakeholders sign off  Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards  Include 3rd parties & back up systems  Be ruthless (without Ruth)
  • 10. #3 OUTSOURCE & OVERSIGHT • What can you outsource? • Risk transference vs. risk mitigation • Compliance requirement in SLA • Should not be cost plus • See proof (ask for copy of their RoC) • Conduct annual onsite audit • Still need program • The liability is still yours
  • 11. #4 SEPARATE & SEGMENT  Led by “need to know”  Always ask: Why?  Should not be vendor led  Firewall, VLAN, software…  Subnets  Wireless networks  3rd party suppliers! “Any systems connected” to the CDE
  • 13. ENCRYPTION • Card brand specific technology requirements • PoS configuration requirements • Bank-owned vs. Merchant-owned devices • Compliance requirement in contract & SLA • Who’s responsible for a breach? • Still have compliance validation requirement
  • 14. #5 TOKENISE • Can significantly downsize scope • Card data replaced by “token” (surrogate value) • Card data stored in centralised vault • Servers processing, storing or transmitting card holder data in scope • Servers processing, storing or transmitting surrogate values not in scope
  • 15. MODEL
  • 16. TOKENISATION • Where tokens and card data meet = in scope • Tokenisation hosting solution critical • Be careful of “hybrid” solutions • See PCI Standards Council site for guidance • Test the solution! • This is no silver bullet • Validation still required
  • 17. 5 WAYS TO REDUCE PCI Discover & Document Destroy & De-scope Outsource & Oversight Separate & Segment Tokenisation
  • 18. BEST WAY Understand that the PCI DSS is a “risk management framework” Not a checklist
  • 20. A DIFFERENT PERSPECTIVE FROM: www.riskfactory.com 0800 978 8139