PCI-DSS Compliance on the Cloud
To an Efficient Tool for Securing the Card Data on the Cloud: Cloud Card Compliance Checklist
By Mr. EL ALLOUSSI (@halloussi), LA, USA, March 2014
12 PCI DSS requirements

Activities | Describing the requirements

Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data and sensitive information across open, public networks.
Maintain a vulnerability management program.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
Implement strong access control measures.
  7. Restrict access to data by business on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict access to cardholder data.
Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
Maintain an information security policy.
  12. Maintain a policy that addresses information security.

halloussi@gmail.com
PCI DSS Cloud Computing Guidelines (2013)

- The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
  - The purpose for which the client is using the cloud service
  - The scope of PCI DSS requirements that the client is outsourcing to the CSP
  - The services and system components that the CSP has validated within its own operations
  - The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
  - The scope of any additional services the CSP is providing to proactively manage the client's compliance (for example, additional managed security services)
PCI DSS Cloud Computing Guidelines (2013)

- Define responsibilities such as in the following example:
Challenges

- Cloud environments need to be aligned with Payment Card Industry specifications.
- Auditors, IT professionals and card professionals need tools to verify the environment.
- Outsourcing the card environment is possible provided its suitability is assured and checked periodically.
- We develop an exhaustive checklist as a tool for auditors.
Checklist main domains

- Application and Interface Security
- Data Security
- Network and Transport Security
- Business Continuity Management
Network Security: Infrastructure & Virtualization Security (example and extract)

Checklist columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date

Control specification:
Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually and supported by a documented justification for use for all allowed services, protocols, and ports, and compensating controls.

PCI DSS questions and expected testing (the In place, Not in place and Target Date columns record the assessment result):

- Does a current network diagram exist, and does it document all connections to cardholder data, including any wireless networks?
  Expected testing: examine diagram(s); observe network configurations.
- Is the network diagram kept current?
  Expected testing: interview responsible personnel.
- Does the diagram show all cardholder data flows across systems and networks? Is the diagram kept current and updated as needed upon changes to the environment?
  Expected testing: examine data-flow diagram; interview personnel.
- Do firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components? Are roles and responsibilities assigned as documented?
  Expected testing: interview personnel responsible for management of network components.
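The "documented justification for all allowed services, protocols, and ports, reviewed at least annually" part of the control above can be checked mechanically once the firewall rule set and the justification register are exported. The script below is an added example written for this page; it is not part of the author's checklist or of any PCI SSC material. The rule set, the justification register, the field names and the dates are constructed sample data, and the 365-day review window is an assumption taken from the control's "at least annually" wording.

```python
"""
Audit helper: every *allowed* firewall rule must map to a documented
justification for its protocol/port, and that justification must have
been reviewed within the last year.  Deny rules need no justification.
All data below is constructed sample data, not from a real environment.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FirewallRule:
    name: str
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp", "icmp", "any"
    port: Optional[int]    # None for protocols without a port
    source: str
    destination: str


@dataclass(frozen=True)
class Justification:
    protocol: str
    port: Optional[int]
    reason: str            # documented business justification
    last_reviewed: date    # date of the last annual review


def _key(protocol: str, port: Optional[int]) -> Tuple[str, Optional[int]]:
    return (protocol.lower(), port)


def audit_firewall(rules: List[FirewallRule],
                   justifications: List[Justification],
                   today: date,
                   max_review_age: timedelta = timedelta(days=365)) -> List[Tuple[str, str]]:
    """Return (rule_name, finding) pairs for allowed rules that either lack
    a justification or whose justification is older than max_review_age."""
    register = {_key(j.protocol, j.port): j for j in justifications}
    findings = []
    for rule in rules:
        if rule.action.lower() != "allow":
            continue                       # deny rules are the default posture
        just = register.get(_key(rule.protocol, rule.port))
        if just is None:
            findings.append((rule.name, "no documented justification"))
        elif today - just.last_reviewed > max_review_age:
            findings.append((rule.name,
                             f"justification last reviewed {just.last_reviewed.isoformat()}, "
                             f"over {max_review_age.days} days ago"))
    return findings


# Constructed sample rule set (names and networks are illustrative).
SAMPLE_RULES = [
    FirewallRule("web-in",   "allow", "tcp", 443,  "0.0.0.0/0", "dmz-web"),
    FirewallRule("db-in",    "allow", "tcp", 5432, "dmz-web",   "cde-db"),
    FirewallRule("mgmt-in",  "allow", "tcp", 22,   "corp-jump", "cde-db"),
    FirewallRule("ftp-in",   "allow", "tcp", 21,   "0.0.0.0/0", "dmz-web"),
    FirewallRule("deny-all", "deny",  "any", None, "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed sample justification register; note that tcp/21 has no entry
# and the tcp/22 entry has not been reviewed for well over a year.
SAMPLE_JUSTIFICATIONS = [
    Justification("tcp", 443,  "Customer checkout over TLS",            date(2014, 1, 15)),
    Justification("tcp", 5432, "Application tier to card database",     date(2014, 1, 15)),
    Justification("tcp", 22,   "Administrative access from jump host",  date(2012, 11, 2)),
]


def sample_findings(today: date = date(2014, 3, 1)) -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample data."""
    return audit_firewall(SAMPLE_RULES, SAMPLE_JUSTIFICATIONS, today)


if __name__ == "__main__":
    for name, finding in sample_findings():
        print(f"{name}: {finding}")
```

Each finding maps directly onto the checklist: a rule with no justification is "Not in place" for the justification requirement and needs a Target Date; a stale review is evidence that the annual review did not happen. Extending the register with the compensating controls the control text mentions is a matter of adding a field.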
Data Security & Information Lifecycle Management: eCommerce Transactions (example and extract)

Checklist columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date

Control specification:
Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner as to prevent contract dispute and compromise of data.

PCI DSS questions and expected testing:

- Were encryption keys changed from default at installation?
  Expected testing: interview responsible personnel; examine supporting documentation.
- Are encryption keys changed any time anyone with knowledge of the keys leaves the company or changes position?
  Expected testing: interview responsible personnel; examine supporting documentation.
- Are default passwords/passphrases on access points not used?
  Expected testing: examine vendor documentation and log in to wireless devices.
- Is firmware on wireless devices updated to support strong encryption for authentication over wireless networks? Is firmware on wireless devices updated to support strong encryption for transmission over wireless networks?
  Expected testing: examine vendor documentation; observe wireless configuration settings.
- Were other security-related wireless vendor defaults changed?
  Expected testing: examine vendor documentation; observe wireless configuration settings.
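The two key-management questions above (keys changed from the installation default, and keys rotated whenever a custodian leaves or changes position) are answered by cross-referencing the key inventory with personnel records. The script below is an added example for this page, not the author's tool; the key inventory, the custodian names and the HR events are constructed sample data, and the record layout is an assumption about what such an inventory would contain.

```python
"""
Key-rotation evidence check: flag keys that were never changed from the
installation default, and keys whose custodian left or changed role after
the key was last rotated.  All data is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class KeyRecord:
    key_id: str
    installed: date
    last_rotated: Optional[date]     # None: still the installation default
    custodians: FrozenSet[str]       # people who know or can use the key


@dataclass(frozen=True)
class PersonnelEvent:
    person: str
    event: str                       # "left" or "changed_role"
    when: date


def keys_needing_rotation(keys: List[KeyRecord],
                          events: List[PersonnelEvent]) -> List[Tuple[str, str]]:
    """Return (key_id, reason) pairs for keys that fail either question."""
    findings = []
    for key in keys:
        if key.last_rotated is None:
            findings.append((key.key_id, "not changed from the installation default"))
            continue
        for ev in events:
            # A custodian event on or after the last rotation means the
            # departed/reassigned person may still know the current key.
            if ev.person in key.custodians and ev.when >= key.last_rotated:
                findings.append((key.key_id,
                                 f"custodian {ev.person} {ev.event} on {ev.when.isoformat()}, "
                                 "key not rotated since"))
    return findings


# Constructed sample key inventory.
SAMPLE_KEYS = [
    KeyRecord("wpa-psk-store-01", date(2013, 5, 1),  None,              frozenset({"alice"})),
    KeyRecord("db-dek-01",        date(2013, 1, 10), date(2013, 12, 1), frozenset({"alice", "bob"})),
    KeyRecord("tls-cert-key",     date(2013, 6, 1),  date(2014, 2, 10), frozenset({"carol"})),
]

# Constructed sample personnel events from HR.
SAMPLE_EVENTS = [
    PersonnelEvent("bob",   "left",         date(2014, 1, 20)),
    PersonnelEvent("carol", "changed_role", date(2014, 1, 5)),   # before tls-cert-key rotation
]


def rotation_findings() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample data."""
    return keys_needing_rotation(SAMPLE_KEYS, SAMPLE_EVENTS)


if __name__ == "__main__":
    for key_id, reason in rotation_findings():
        print(f"{key_id}: {reason}")
```

The tls-cert-key record shows the boundary case: carol changed role in January, but the key was rotated in February, so no finding is raised. The output lines are the "supporting documentation" the Expected Testing column asks for, in a form an auditor can re-run at the next review.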
Application & Interface Security: Application Security (example and extract)

Checklist columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date

Control specification:
Applications and programming interfaces (APIs) shall be designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.

PCI DSS questions and expected testing:

- 6.5.a: Are developers required to receive training in secure coding techniques based on industry best practices and guidance?
  Expected testing: review policies and procedures for training; interview personnel.
- 6.5.b: Are developers knowledgeable in secure coding techniques, including how to avoid common coding vulnerabilities and how sensitive data is handled in memory?
  Expected testing: interview personnel; examine records of training.
- Are processes in place to protect applications from the following vulnerabilities?
  - Are injection flaws addressed by coding techniques (preventing input from modifying the meaning of commands and queries, or utilizing parameterized queries)?
    Expected testing: review policies and procedures for software development; interview personnel.
  - Are buffer overflows addressed by coding techniques (validating buffer boundaries and truncating input strings)?
    Expected testing: review policies and procedures for software development; interview personnel.
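The injection item above names the two coding techniques an auditor looks for in the development procedures: input must not be able to change the meaning of a query, and queries should be parameterized. The script below is an added example for this page, not the author's material, showing the string-concatenated lookup beside its parameterized form over an in-memory SQLite table, with a length bound on the identifier in the spirit of the "truncating input strings" item. The merchant table, its rows and the test inputs are constructed.

```python
"""
Injection-flaw illustration: the same lookup written with string
concatenation (the flaw) and with a parameterized query (the fix).
The database and rows are constructed sample data.
"""
import sqlite3
from typing import List, Tuple

MAX_ID_LEN = 32   # upper bound on the identifier length accepted by the safe path


def _demo_db() -> sqlite3.Connection:
    """Build a throwaway in-memory table of merchants (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchant (merchant_id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO merchant VALUES (?, ?)",
                     [("m-1001", "Shop A"), ("m-1002", "Shop B"), ("m-1003", "Shop C")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant_id: str) -> List[str]:
    """Flawed: the caller's string is spliced into the SQL text, so quote
    characters in it become part of the query grammar."""
    sql = "SELECT name FROM merchant WHERE merchant_id = '" + merchant_id + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn: sqlite3.Connection, merchant_id: str) -> List[str]:
    """Hardened: the value travels as a bound parameter and can only ever be
    compared as data; over-long identifiers are rejected outright."""
    if len(merchant_id) > MAX_ID_LEN:
        raise ValueError("merchant_id exceeds the permitted length")
    sql = "SELECT name FROM merchant WHERE merchant_id = ?"
    return sorted(row[0] for row in conn.execute(sql, (merchant_id,)))


def compare(merchant_id: str) -> Tuple[List[str], List[str]]:
    """Run both lookups on a fresh database and return (vulnerable, safe)."""
    conn = _demo_db()
    try:
        return lookup_vulnerable(conn, merchant_id), lookup_parameterized(conn, merchant_id)
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("m-1002"))             # both paths return ['Shop B']
    print(compare("x' OR '1'='1"))       # concatenation returns every row; the bound parameter matches none
```

In a code review for 6.5, the presence of the first pattern anywhere a request value reaches a query is the finding; the second pattern, plus an explicit bound on accepted input length, is the evidence that the documented coding technique is actually applied.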
Business Continuity Management & Operational Resilience: Datacenter Utilities / Environmental Conditions (example and extract)

Checklist columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date

Control specification:
Datacenter utilities services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.

PCI DSS questions and expected testing:

- Are there physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment? Is access controlled with badge readers or other devices, including authorized badges and lock and key? Are they "locked" to prevent unauthorized use?
  Expected testing: observe a system administrator's attempt to log into consoles for randomly selected systems in the cardholder environment.
- Are video cameras and/or access control mechanisms in place to monitor the entry/exit points to sensitive areas? Are video cameras and/or access control mechanisms protected from tampering or disabling?
Cloud PCI Checklist

- A very rich resource for auditors and card professionals
- A new norm for cloud adopters for checking the environment before outsourcing card data
Dear auditors:
Contact me for any more information about the exhaustive checklist.
halloussi@gmail.com
@halloussi
fr.slideshare.net/alloussi

Introduction to RAG (Retrieval Augmented Generation) and its application
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 
How to release an Open Source Dataweave Library
How to release an Open Source Dataweave LibraryHow to release an Open Source Dataweave Library
How to release an Open Source Dataweave Library
 
UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3UiPath Studio Web workshop Series - Day 3
UiPath Studio Web workshop Series - Day 3
 
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 

Presentation: To an efficient tool for securing the card data on the Cloud: Cloud Card Compliance Checklist

  • 1. PCI-DSS COMPLIANCE ON THE CLOUD TO AN EFFICIENT TOOL FOR SECURING THE CARD DATA ON THE CLOUD: CLOUD CARD COMPLIANCE CHECKLIST @halloussi By Mr. EL ALLOUSSI LA, USA, March 2014
  • 2. 12 PCI DSS requirements
  Activities / Describing the Requirements
  Build and maintain a secure network.
  1. Install and maintain a firewall configuration to protect data; this includes a firewall on the client.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  Protect cardholder data.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data and sensitive information across open public networks.
  Maintain a vulnerability management program.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  Implement strong access control measures.
  7. Restrict access to data by business on a need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict access to cardholder data.
  Regularly monitor and test networks.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  Maintain an information security policy.
  12. Maintain a policy that addresses information security.
  halloussi@gmail.com
  • 3. PCI DSS Cloud Computing Guidelines (2013)
   The responsibilities delineated between the client and the Cloud Service Provider (CSP) for managing PCI DSS controls are influenced by a number of variables, including:
   The purpose for which the client is using the cloud service
   The scope of PCI DSS requirements that the client is outsourcing to the CSP
   The services and system components that the CSP has validated within its own operations
   The service option that the client has selected to engage the CSP (IaaS, PaaS or SaaS)
   The scope of any additional services the CSP is providing to proactively manage the client's compliance (for example, additional managed security services)
  • 4. PCI DSS Cloud Computing Guidelines (2013)
   Define responsibilities such as in the following example:
  • 5. PCI DSS Cloud Computing Guidelines (2013)
   Define responsibilities such as in the following example:
  • 6. Challenges
   The cloud environment needs to be aligned with Card Payment Industry specifications
   Auditors, IT professionals and card professionals need tools to verify the environment
   Outsourcing the card environment is possible, provided its conformity is assured and checked periodically
   We develop an exhaustive checklist as a tool for auditors
  • 7. Checklist main domains
   Application and Interface Security
   Data security
   Network and transport security
   Business Continuity management
  • 8. Network Security: Infrastructure & Virtualization Security (example and extract)
  Columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date
  Control Specification: Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections; these configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, and ports, and compensating controls.
  Question: Does a current network diagram exist, and does it document all connections to cardholder data, including any wireless networks?
  Expected Testing:  Examine diagram(s)  Observe network configurations
  Question: Is the network diagram kept current?
  Expected Testing:  Interview responsible personnel
  Question: Does the diagram show all cardholder data flows across systems and networks? Is the diagram kept current and updated as needed upon changes to the environment?
  Expected Testing:  Examine data-flow diagram  Interview personnel
  Question: Do firewall and router configuration standards include a description of groups, roles, and responsibilities for management of network components? Are roles and responsibilities assigned as documented?
  Expected Testing:  Interview personnel responsible for management of network components
  • 9. Data Security & Information Lifecycle Management: eCommerce Transactions (example and extract)
  Columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date
  Control Specification: Data related to electronic commerce (e-commerce) that traverses public networks shall be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification, in such a manner as to prevent contract dispute and compromise of data.
  Question: Were encryption keys changed from default at installation?
  Expected Testing:  Interview responsible personnel  Examine supporting documentation
  Question: Are encryption keys changed any time anyone with knowledge of the keys leaves the company or changes positions?
  Expected Testing:  Interview responsible personnel  Examine supporting documentation
  Question: Are default passwords/passphrases on access points not used?
  Expected Testing:  Examine vendor documentation and log in to wireless devices
  Question: Is firmware on wireless devices updated to support strong encryption for authentication over wireless networks? Is firmware on wireless devices updated to support strong encryption for transmission over wireless networks?
  Expected Testing:  Examine vendor documentation  Observe wireless configuration settings
  Question: Were other security-related wireless vendor defaults changed?
  Expected Testing:  Examine vendor documentation  Observe wireless configuration settings
  • 10. Application & Interface Security: Application Security (example and extract)
  Columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date
  Control Specification: Applications and programming interfaces (APIs) shall be designed, developed, deployed and tested in accordance with leading industry standards (e.g., OWASP for web applications) and adhere to applicable legal, statutory, or regulatory compliance obligations.
  Question 6.5.a: Are developers required to be trained in secure coding techniques based on industry best practices and guidance?
  Expected Testing:  Review policies and procedures for training  Interview personnel
  Question 6.5.b: Are developers knowledgeable in secure coding techniques, including how to avoid common coding vulnerabilities, and do they understand how sensitive data is handled in memory?
  Expected Testing:  Interview personnel  Examine records of training
  Question: Are processes in place to protect applications from the following vulnerabilities?
  – Are injection flaws addressed by coding techniques (validating input so it cannot modify the meaning of commands and queries, or utilizing parameterized queries)?
  Expected Testing:  Review policies and procedures for software development  Interview personnel
  – Are buffer overflows addressed by coding techniques (validating buffer boundaries and truncating input strings)?
  Expected Testing:  Review policies and procedures for software development  Interview personnel
  • 11. Business Continuity Management & Operational Resilience: Datacenter Utilities / Environmental Conditions (example and extract)
  Columns: Control Specification | PCI DSS Question | Expected Testing | In place | Not in place | Target Date
  Control Specification: Datacenter utility services and environmental conditions (e.g., water, power, temperature and humidity controls, telecommunications, and internet connectivity) shall be secured, monitored, maintained, and tested for continual effectiveness at planned intervals to ensure protection from unauthorized interception or damage, and designed with automated fail-over or other redundancies in the event of planned or unplanned disruptions.
  Question: Are there physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment? Is access controlled with badge readers or other devices, including authorized badges and lock and key?
  Question: Are they "locked" to prevent unauthorized use?
  Expected Testing:  Observe a system administrator's attempt to log into consoles for randomly selected systems in the cardholder environment
  Question: Are video cameras and/or access control mechanisms in place to monitor the entry/exit points to sensitive areas? Are video cameras and/or access control mechanisms protected from tampering or disabling?
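As an added example (not the author's checklist tool), the following Python sketch models the checklist rows shown in slides 8 to 11, with their "In place", "Not in place" and "Target Date" columns, and flags the gaps an auditor would have to settle with the CSP before card data is outsourced. The questions are taken from the slides; the statuses, target dates and the audit date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class ChecklistItem:
    """One checklist row: question, expected testing and the audit result."""
    domain: str                  # one of the four main domains (slide 7)
    question: str                # PCI DSS question put to the CSP or client
    expected_testing: List[str]  # how the auditor verifies the answer
    in_place: bool               # "In place" / "Not in place" columns
    target_date: Optional[date] = None  # remediation date for a gap

AUDIT_DATE = date(2014, 3, 1)  # constructed date of the audit

# Constructed sample: questions come from the slides, statuses are invented.
SAMPLE_ITEMS = [
    ChecklistItem("Network and transport security", "Is the network diagram kept current?",
                  ["Interview responsible personnel"], False, date(2014, 6, 30)),
    ChecklistItem("Network and transport security", "Does a current network diagram exist?",
                  ["Examine diagram(s)", "Observe network configurations"], True),
    ChecklistItem("Data security", "Were encryption keys changed from default at installation?",
                  ["Interview responsible personnel", "Examine supporting documentation"], False),
    ChecklistItem("Application and Interface Security",
                  "Are injection flaws addressed by parameterized queries?",
                  ["Review software-development policies"], False, date(2014, 1, 31)),
]

def find_gaps(items: List[ChecklistItem], today: date) -> List[Tuple[str, str]]:
    """Return (question, status) for each control not in place: a gap with no
    target date cannot be tracked, one whose date has passed is overdue."""
    gaps = []
    for item in items:
        if item.in_place:
            continue
        if item.target_date is None:
            gaps.append((item.question, "no target date"))
        elif item.target_date < today:
            gaps.append((item.question, "overdue"))
        else:
            gaps.append((item.question, "open, due " + item.target_date.isoformat()))
    return gaps

def domain_summary(items: List[ChecklistItem]) -> Dict[str, Tuple[int, int]]:
    """Map each checklist domain to (controls in place, controls assessed)."""
    summary: Dict[str, Tuple[int, int]] = {}
    for item in items:
        ok, total = summary.get(item.domain, (0, 0))
        summary[item.domain] = (ok + int(item.in_place), total + 1)
    return summary
```

Calling `find_gaps(SAMPLE_ITEMS, AUDIT_DATE)` on the sample lists one open, one untracked and one overdue control, and `domain_summary` shows only half of the network controls in place.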
  • 12. Cloud PCI Checklist
   Very rich resources for auditors and card professionals
   A new norm for cloud adopters for checking the environment before outsourcing card data
  • 13. halloussi@gmail.com Dear auditors: Contact me for any more information about the exhaustive Checklist @halloussi fr.slideshare.net/alloussi