PCI STANDARDS, FROM PARTICIPATION TO IMPLEMENTATION AND REVIEW - THE PCI DSS V3.2 PARADIGM
C. Stavropoulos (TW – PCI QSA)
S. Mavrovouniotis (FD – PCI ISA)
25 October 2016
WHO WE ARE AND HOW WE ARE INVOLVED
First Data: world’s leading third party financial service provider. Around the world, 2,300 times every second, First Data simplifies the connections that make commerce possible for merchants, financial institutions and their customers.
www.firstdata.com
• Participating organization with certified Internal Security Assessors and implementer of security standards
Trustwave helps businesses fight cybercrime, protect data and reduce security risk.
www.trustwave.com
• Qualified Security Assessor Company
• Approved Scanning Vendor Company
• Payment Application Qualified Security Assessor Company (PA-QSA)
• Qualified Security Assessors P2PE (QSA (P2PE))
• Payment Application Qualified Security Assessors P2PE (PA-QSA (P2PE))
• PCI Forensic Investigator Company
INTRODUCTION TO PCI COUNCIL
• The PCI Council (PCI SSC), founded in 2006, is an independent body providing oversight of the development and management of Payment Card Industry Security Standards on a global basis.
• The PCI Council was founded by the multi-national acceptance brand members American Express, Discover, JCB, MC Worldwide and Visa Inc., and has a board of advisors drawn from the biggest companies of the payment industry.
• The PCI Council provides the standards, their supporting documents, rosters of approved solutions and devices based on those standards, lists of approved auditors, guidelines, and education programs for its members.
• The PCI Council doesn’t enforce the standards and doesn’t assess against them; it only manages them.
• The PCI Council trains and qualifies the auditors, and at times reviews their reports to ensure quality.
• All standards and resources are available from the PCI Council’s site: https://www.pcisecuritystandards.org/
INTRODUCTION TO PCI COUNCIL
PCI Council (PCI SSC) standards aim at the protection of cardholder payment data, in transit and at rest. The main standards published include:
• PCI DSS – covers the security of the environments that store, process or transmit account data
• PCI PA-DSS – covers secure off-the-shelf payment applications
• PCI PTS – covers device tampering detection, cryptographic processes and other mechanisms to protect the PIN
• PCI P2PE – covers encryption, decryption and key management within secure cryptographic devices (from hardware to hardware)
• PCI PIN – covers secure management, processing and transmission of PIN data during online and offline payment card transaction processing
• PCI Card Production – covers the processes to generate and distribute a card and its PIN
INTRODUCTION TO PCI COUNCIL
Standards Life Cycle
Year 0
• October: standard gets published
Year 1
• January: standard becomes effective and is implemented in the market
• November: feedback on the standard begins
• December: previous version retires
Year 2
• April – August: feedback is reviewed
• November – April: draft revision begins
Year 3
• May – July: final review
• October: next version gets published
THE PCI DSS STANDARD – Six Goals, Twelve Requirements
INTRODUCTION TO PCI DSS – The Story…
• December 2004 (PCI DSS 1.0): MasterCard, Visa, American Express, Discover, and JCB create payment card safe practices. The companies collaborated to create a concise and specific set of compliance standards: the first security standard managed by all participating brands for merchants and other organizations in the payment processing lifecycle.
• September 2006 (PCI DSS 1.1): Created the PCI Security Standards Council, an independent group that manages the standard; implemented requirements for web-facing applications.
• October 2008 (PCI DSS 1.2): New requirements for wireless network protection and antivirus for all operating systems.
• October 2010 (PCI DSS 2.0): Streamlines the assessment process.
• November 2013 (PCI DSS 3.0): Emphasizes provider compliance and best practice for day-to-day operations. The standard is active from January 1, 2014 to December 31, 2015.
• April 2015 (PCI DSS 3.1): The Council issues an updated version of the standard and ends the three-year cycle. Clarifications are provided for existing controls, and weak encryption for transmitted data is not an evolving new requirement. The standard will be retired on October 31, 2016.
• April 2016 (PCI DSS 3.2): Eight new requirements are introduced based on market trends and feedback from the industry. Multi-factor authentication is now required for both remote and local access.
THE COMPLIANCE CYCLE
The three on-going steps for adhering to the PCI DSS:
• Assess – identifying all locations of cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data.
• Repair – fixing identified vulnerabilities, securely removing any unnecessary cardholder data storage, and implementing secure business processes.
• Report – documenting assessment and remediation details, and submitting compliance reports to the acquiring bank and card brands you do business with (or other requesting entity if you’re a service provider).
Compliance is an on-going cycle of assessment, remediation, and reassessment.
WHOM DOES PCI DSS AFFECT?
The standard applies to all card network members, merchants and service providers that store, process, or transmit cardholder data.
Specific compliance requirements are based on service provider or merchant level. Compliance levels are determined by the type of the entity assessed and its transaction volumes.
The responsibility to enforce the PCI DSS lies with the acquiring banks (organizations that initiate and maintain relationships with merchants for the acceptance of payment cards).
The cardholder data environment (CDE) is comprised of people, processes and technologies that store, process, or transmit cardholder data or sensitive authentication data.
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment.
“Connected-to” components are components that can affect the security of the cardholder data or of the systems in the cardholder data environment (CDE), for example security services, network, virtualization and NTP servers.
“System components” include network devices, servers, computing devices, and applications.
SIX GOALS, TWELVE REQUIREMENTS
Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
→ Secure network perimeter: protected infrastructure
→ Secure system baseline: reliable platform
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
→ Encrypted, truncated data: reduced risk to data
→ Secure communications: prevent data leakage
Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
→ Active anti-virus: prevent bypassing of security controls
→ Secure systems: secure handling of confidential data
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
→ Authenticated users: ensure accountability
→ Proper access control: prevent information misuse and exposure
→ Secure facilities: prevent data theft
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
→ Track system events: prompt discovery of anomalies and policy violations
→ Identify and fix vulnerabilities: prevent weakness exploitation
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel
→ Formalize and enforce security policies and procedures: ensure consistency in data security
PCI DSS 3.2 – The Change
PCI SECURITY STANDARDS V3.2
Released April 2016
• Feedback from industry
• Changing payment and threat environment
• Attack trends in breach reports
• PCI DSS is a “mature” standard, and there is no longer a 3-year cycle
Summary of Key Changes
• Accommodate updated migration dates for SSL/early TLS
• Support for display of PAN beyond first six/last four
• Incorporate some Business-As-Usual (BAU) requirements (future-dated)
• Expand the multi-factor authentication requirement
PCI SECURITY STANDARDS V3.2
Three Change Types
• Clarification – clarifies the intent of a requirement; ensures that concise wording in the standard portrays the desired intent of requirements.
• Additional guidance – explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
• Evolving requirement – changes to ensure that the standards are up to date with emerging threats and changes in the market: 3 for both merchants and service providers, 5 only for service providers.
PCI DSS 3.2 change counts (from the chart): Clarification 47, Additional guidance 3, Evolving requirement 8.
PCI SECURITY STANDARDS V3.2
Key Dates to Note!
• April 28th 2016 – New PCI DSS 3.2 is released and available from PCI SSC
• October 31st 2016 – PCI DSS version 3.1 will be retired; all assessments after this date must be with version 3.2 (ROC/AOC/SAQ)
• February 1st 2018 – FINAL DATE to implement “Evolving Requirements”
EVOLVING REQUIREMENTS
These requirements are best practice until January 31, 2018, after which they become a requirement.
NEW REQUIREMENTS FOR PCI DSS 3.2 – Both for Merchants and Service Providers
• PCI DSS requirement 3.3 – ensure that only the minimum number of digits are displayed as necessary to perform a specific business function.
• PCI DSS requirement 6.4.6 – ensure security controls are in place following a change in the cardholder data environment: have a process to analyze how changes may impact the environment and the security controls that organizations rely on to protect cardholder data.
• PCI DSS requirement 8.3 – multi-factor authentication as a requirement for any personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information.
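As an added illustration of requirement 3.3 (show only the digits a business function needs) and of the “Assess” step of the compliance cycle (finding where cardholder data sits, for example in application logs), the following Python is example code written for this page; it is not from the presentation nor from First Data’s or Trustwave’s tooling. The role names, the ROLE_POLICIES table and the LOG_LINES are constructed for the example. The first-six/last-four ceiling is the PCI DSS display maximum, and the Luhn check-digit test is the standard way to tell a PAN from another number of the same length.

```python
"""Added example (not from the slides): PAN masking for display under
PCI DSS requirement 3.3, and PAN discovery in log lines ("Assess" step).

Constructed for this example: ROLE_POLICIES, the role names and LOG_LINES.
"""
import re
from typing import Dict, List, Tuple

# Requirement 3.3 ceiling: at most the first six and the last four digits of a
# PAN may be displayed, and only where a business need for them is documented.
MAX_LEAD, MAX_TRAIL = 6, 4

# Hypothetical per-role display policy: (leading digits, trailing digits) the
# role has a documented need to see. Unknown roles fall back to DEFAULT_POLICY.
ROLE_POLICIES: Dict[str, Tuple[int, int]] = {
    "customer_service": (0, 4),   # confirm a card with the customer
    "fraud_analyst": (6, 4),      # needs the BIN as well
    "legacy_report": (8, 6),      # misconfigured on purpose: gets clamped
}
DEFAULT_POLICY: Tuple[int, int] = (0, 4)

# A run of 13 to 19 digits, optionally separated by spaces or dashes, that is
# not part of a longer digit run. Known limitation: a PAN immediately followed
# by another number ("...1111 12") is swallowed into one run and fails Luhn.
PAN_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most non-PAN numbers of PAN length."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, role: str = "default") -> str:
    """Return the PAN masked for display according to the role's policy.

    The policy is clamped to the requirement 3.3 ceiling, so a misconfigured
    policy can never reveal more than first six / last four.
    """
    digits = re.sub(r"[ -]", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("input is not a well-formed PAN")
    lead, trail = ROLE_POLICIES.get(role, DEFAULT_POLICY)
    lead, trail = min(lead, MAX_LEAD), min(trail, MAX_TRAIL)
    hidden = "*" * (len(digits) - lead - trail)
    return digits[:lead] + hidden + digits[len(digits) - trail:]


def redact_line(line: str, role: str = "default") -> str:
    """Replace every Luhn-valid PAN-length digit run in a log line by its mask."""
    def _mask(match) -> str:
        run = match.group(0)
        digits = re.sub(r"[ -]", "", run)
        return mask_pan(digits, role) if luhn_valid(digits) else run
    return PAN_RUN.sub(_mask, line)


def find_pans(lines: List[str]) -> List[Tuple[int, str]]:
    """Assess step: (line number, masked PAN) for each PAN found in free text,
    so the finding can be reported without copying the clear-text PAN."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for run in PAN_RUN.findall(line):
            digits = re.sub(r"[ -]", "", run)
            if luhn_valid(digits):
                hits.append((number, mask_pan(digits)))
    return hits


# Constructed sample log lines (not real data): two carry well-known test PANs,
# one a 16-digit order id that fails the Luhn check and must not be flagged.
LOG_LINES = [
    "2016-10-25T10:15:02Z auth ok pan=4111111111111111 amount=12.50",
    "2016-10-25T10:15:03Z order id=1234567890123456 status=shipped",
    "2016-10-25T10:15:04Z refund card=5555 5555 5555 4444 amount=3.00",
]

if __name__ == "__main__":
    for hit in find_pans(LOG_LINES):
        print("clear-text PAN on line %d: %s" % hit)
    for line in LOG_LINES:
        print(redact_line(line, role="fraud_analyst"))
```

The clamp in mask_pan is the point of the example: the display policy is data that operations staff will edit, so the code, not the table, holds the requirement 3.3 ceiling. find_pans reports only masked values, so the discovery report itself does not become a new location of cardholder data.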
NEW REQUIREMENTS FOR PCI DSS 3.2 – For Service Providers only
• PCI DSS requirement 3.5.1 – service providers must maintain a documented description of the cryptographic architecture.
• PCI DSS requirement 10.8 – service providers need to detect and report on failures of critical security control systems.
• PCI DSS requirement 11.3.4.1 – service providers need to perform penetration testing on segmentation controls every six months.
• PCI DSS requirement 12.4 – executive management of service providers must establish responsibilities and a PCI DSS compliance program.
• PCI DSS requirement 12.11 – service providers must perform quarterly reviews to confirm that personnel are following security policies and operational procedures.
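The following Python is an added example for requirement 10.8 (detect and report on failures of critical security control systems); it is not from the presentation nor from either company’s tooling. It assumes a hypothetical inventory of critical controls, each with a maximum permitted gap between heartbeats, and constructed status events in a made-up “<ISO-8601 UTC timestamp> <control> <OK|FAIL> [detail]” format. It goes one step beyond the slide in treating a control that has never reported, and one that has gone quiet, as failures too, since a monitoring or logging control that silently stops is exactly the undetected failure the requirement targets.

```python
"""Added example (not from the slides): detecting and reporting failures of
critical security control systems, the intent of PCI DSS 3.2 requirement 10.8.

Constructed for this example: CRITICAL_CONTROLS and their heartbeat limits,
the event line format "<ISO-8601 UTC> <control> <OK|FAIL> [detail]", and EVENTS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    max_silence: timedelta   # longest gap between heartbeats before "silent"


# Hypothetical inventory of critical security controls (constructed).
CRITICAL_CONTROLS: List[Control] = [
    Control("firewall", timedelta(minutes=5)),
    Control("ids", timedelta(minutes=5)),
    Control("fim", timedelta(hours=1)),
    Control("antivirus", timedelta(hours=1)),
    Control("audit_logging", timedelta(minutes=10)),
]


@dataclass(frozen=True)
class Event:
    when: datetime
    control: str
    ok: bool
    detail: str


def parse_event(line: str) -> Event:
    """Parse one status line in the constructed format."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        raise ValueError("malformed event: %r" % line)
    when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    when = when.replace(tzinfo=timezone.utc)
    status = parts[2].upper()
    if status not in ("OK", "FAIL"):
        raise ValueError("unknown status in event: %r" % line)
    detail = parts[3] if len(parts) == 4 else ""
    return Event(when, parts[1], status == "OK", detail)


def evaluate(events: Iterable[Event], now: datetime) -> Dict[str, Tuple[str, str]]:
    """Map each critical control to (state, explanation).

    state is "ok", "failed" (last report was FAIL), "silent" (last OK is older
    than the control's max_silence) or "never_reported" (no event at all).
    """
    latest: Dict[str, Event] = {}
    for ev in events:                       # keep the newest event per control
        if ev.control not in latest or ev.when >= latest[ev.control].when:
            latest[ev.control] = ev
    findings: Dict[str, Tuple[str, str]] = {}
    for ctl in CRITICAL_CONTROLS:
        ev = latest.get(ctl.name)
        if ev is None:
            findings[ctl.name] = ("never_reported", "no status received")
        elif not ev.ok:
            findings[ctl.name] = ("failed", ev.detail or "control reported FAIL")
        elif now - ev.when > ctl.max_silence:
            findings[ctl.name] = ("silent", "last heartbeat %s ago" % (now - ev.when))
        else:
            findings[ctl.name] = ("ok", "")
    return findings


def report(findings: Dict[str, Tuple[str, str]]) -> List[str]:
    """Alert lines for every unhealthy control; empty when all are healthy."""
    return ["ALERT %s: %s (%s)" % (name, state, why)
            for name, (state, why) in sorted(findings.items()) if state != "ok"]


# Constructed status events, deliberately out of order for the firewall.
EVENTS = [
    "2016-10-25T10:00:00Z firewall OK",
    "2016-10-25T10:00:00Z ids OK",
    "2016-10-25T10:00:00Z fim OK",
    "2016-10-25T10:00:00Z antivirus FAIL signature update failed",
    "2016-10-25T10:08:00Z firewall OK",
    "2016-10-25T10:04:00Z firewall OK",
]
NOW = datetime(2016, 10, 25, 10, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in report(evaluate(map(parse_event, EVENTS), NOW)):
        print(line)
```

Run stand-alone it prints three alerts: the antivirus reported a failure, the IDS has been quiet longer than its five-minute limit, and audit logging has never reported at all. The per-control max_silence is what turns a quiet failure into a detected one; choosing it too generously is the usual way this control ends up satisfying the letter of 10.8 while missing its intent.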
IMPLEMENTATION AND REVIEW – Examples in Enforcing Requirements
ASSESSOR’S APPROACH FOR REVIEW
Market Update → Draft Version → Internal Review and Feedback → New Release (Requirements, Sampling Guidelines, BAU Update)
IMPLEMENTER’S APPROACH
• New Version gets Published: review changes, identify potential gaps
• Gap Analysis – First Step: against other standards, against corporate global docs.
• Gap Analysis – Second Step (if necessary): documentation update, assessments per BU & action plan
TYPES OF CHANGES WITH EXAMPLES
Changes already addressed (ex. Change Management)
• Agree on understanding and evidence
• Confirm status
• Evidence for implementation
Small changes (ex. Crypto Architecture)
• Agree on understanding and evidence
• Action plan
• Evidence for implementation
Bigger changes (ex. 2FA, Pen Tests)
• Agree on understanding and evidence
• Action plan
• Secure budget and resources
• Evidence for implementation
WORKING TOGETHER – TAKE AWAYS
• Internal SMEs & training
• Up to date with standards
• Work together with the auditors and not against them
• Compliance, like security, requires time, people and budget
• Compliance, like security, is an ongoing and never-ending process
THANK YOU
Efstathios Mavrovouniotis
Efstathios.Mavrovouniotis@firstdata.com
Christos Stavropoulos
CStavropoulos@trustwave.com

GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Último (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

PCI standards, from participation to implementation and review (slide transcript)

  • 4. INTRODUCTION TO PCI COUNCIL
  PCI SSC standards aim at the protection of cardholder payment data, in transit and at rest. The main standards published include:
  - PCI DSS: covers the security of the environments that store, process or transmit account data
  - PCI PA-DSS: covers secure off-the-shelf payment applications
  - PCI PTS: covers device tamper detection, cryptographic processes and other mechanisms that protect the PIN
  - PCI P2PE: covers encryption, decryption and key management within secure cryptographic devices (hardware to hardware)
  - PCI PIN: covers secure management, processing and transmission of PIN data during online and offline payment card transaction processing
  - PCI Card Production: covers the processes used to generate and distribute a card and its PIN
  • 5. INTRODUCTION TO PCI COUNCIL: Standards Life Cycle
  Year 0
  - October: standard gets published
  Year 1
  - January: standard becomes effective and is implemented in the market
  - November: feedback on the standard begins
  - December: previous version retires
  Year 2
  - April to August: feedback is reviewed
  - November to April: draft revision begins
  Year 3
  - May to July: final review
  - October: next version gets published
  • 6. THE PCI DSS STANDARD: Six Goals, Twelve Requirements
  • 7. INTRODUCTION TO PCI DSS: The Story...
  - December 2004 (PCI DSS 1.0): MasterCard, Visa, American Express, Discover and JCB collaborate on a concise, specific set of payment card security practices: the first security standard managed by all participating brands for merchants and other organizations in the payment processing lifecycle.
  - September 2006 (PCI DSS 1.1): the PCI Security Standards Council is created as an independent group that manages the standard; requirements for web-facing applications are introduced.
  - October 2008 (PCI DSS 1.2): new requirements for wireless network protection and for anti-virus on all operating systems.
  - October 2010 (PCI DSS 2.0): streamlines the assessment process.
  - November 2013 (PCI DSS 3.0): emphasizes provider compliance and best practice for day-to-day operations. Active from January 1, 2014 to December 31, 2015.
  - April 2015 (PCI DSS 3.1): the Council issues an updated version of the standard and ends the three-year cycle. Existing controls are clarified, and SSL and early TLS are no longer accepted as strong cryptography for transmitted data (a clarification, not an evolving new requirement). Version 3.1 is retired on October 31, 2016.
  - April 2016 (PCI DSS 3.2): eight new requirements are introduced based on market trends and feedback from the industry. Multi-factor authentication is now required for all non-console administrative access to the CDE, not only for remote access.
  • 8. THE COMPLIANCE CYCLE
  Compliance is an ongoing cycle of assessment, remediation and reassessment. The three ongoing steps for adhering to the PCI DSS are Assess, Repair and Report:
  - Assess: identify all locations of cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
  - Repair: fix the identified vulnerabilities, securely remove any unnecessary cardholder data storage, and implement secure business processes.
  - Report: document the assessment and remediation details, and submit compliance reports to the acquiring bank and the card brands you do business with (or to another requesting entity if you are a service provider).
  • 9. WHOM DOES PCI DSS AFFECT?
  The standard applies to all card network members, merchants and service providers that store, process or transmit cardholder data. Specific compliance requirements depend on the service provider or merchant level; levels are determined by the type of entity assessed and its transaction volumes. The responsibility to enforce the PCI DSS lies with the acquiring banks (organizations that initiate and maintain relationships with merchants for the acceptance of payment cards).
  The cardholder data environment (CDE) comprises the people, processes and technologies that store, process or transmit cardholder data or sensitive authentication data. The PCI DSS security requirements apply to all system components included in or connected to the CDE. "Connected-to" components are components that can affect the security of the cardholder data or of the systems in the CDE. "System components" include network devices, servers, computing devices and applications, for example security services, network and virtualization components, and NTP servers.
  • 10-16. SIX GOALS, TWELVE REQUIREMENTS (slides 10 to 15 build up to the full list on slide 16)
  Build and Maintain a Secure Network and Systems
  1. Install and maintain a firewall configuration to protect cardholder data (secure network perimeter: protected infrastructure)
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (secure system baseline: reliable platform)
  Protect Cardholder Data
  3. Protect stored cardholder data (encrypted, truncated data: reduced risk to data)
  4. Encrypt transmission of cardholder data across open, public networks (secure communications: prevent data leakage)
  Maintain a Vulnerability Management Program
  5. Protect all systems against malware and regularly update anti-virus software or programs (active anti-virus: prevent bypassing of security controls)
  6. Develop and maintain secure systems and applications (secure systems: secure handling of confidential data)
  Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know (proper access control: prevent information misuse and exposure)
  8. Identify and authenticate access to system components (authenticated users: ensure accountability)
  9. Restrict physical access to cardholder data (secure facilities: prevent data theft)
  Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data (track system events: prompt discovery of anomalies and policy violations)
  11. Regularly test security systems and processes (identify and fix vulnerabilities: prevent exploitation of weaknesses)
  Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel (formalize and enforce security policies and procedures: ensure consistency in data security)
  • 17. PCI DSS 3.2: The Change
  • 18. PCI SECURITY STANDARDS V3.2
  Released April 2016. Drivers: feedback from the industry, the changing payment and threat environment, and attack trends in breach reports. PCI DSS is a "mature" standard, and there is no longer a three-year release cycle.
  Summary of key changes:
  - Accommodate the updated migration dates for SSL/early TLS
  - Support for displaying more of the PAN than the first six/last four digits where a specific business function needs it
  - Incorporate some Business-As-Usual (BAU) requirements (future-dated)
  - Expand the multi-factor authentication requirement
  • 19. PCI SECURITY STANDARDS V3.2: Three Change Types
  - Clarification (47 in PCI DSS 3.2): clarifies the intent of a requirement; ensures that the concise wording in the standard portrays the desired intent of the requirement.
  - Additional guidance (3): explanation, definition and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  - Evolving requirement (8): changes to ensure that the standard is up to date with emerging threats and changes in the market; 3 apply to both merchants and service providers, 5 to service providers only.
  • 20. PCI SECURITY STANDARDS V3.2: Key Dates to Note
  - April 28, 2016: PCI DSS 3.2 is released and available from the PCI SSC
  - October 31, 2016: PCI DSS 3.1 is retired; all assessments after this date must be against version 3.2 (ROC/AOC/SAQ)
  - February 1, 2018: final date to implement the "evolving requirements"
  • 21. EVOLVING REQUIREMENTS
  These requirements are considered best practice until January 31, 2018, after which they become mandatory.
  • 22. NEW REQUIREMENTS FOR PCI DSS 3.2: Both for Merchants and Service Providers
  - Requirement 3.3: ensure that only the minimum number of PAN digits needed to perform a specific business function are displayed.
  - Requirement 6.4.6: ensure security controls are in place following a change in the cardholder data environment; have a process to analyze how changes may impact the environment and the security controls the organization relies on to protect cardholder data.
  - Requirement 8.3: multi-factor authentication for all personnel with non-console administrative access to the systems handling card data, so that a password alone is not enough to verify the user's identity and grant access to sensitive information.
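  The Assess step on slide 8 (find every location of cardholder data) and requirement 3.3 above both reduce to two mechanics: recognizing a PAN in arbitrary text, and showing no more of it than the business function needs. The following Python script is an added example written for this page, not code from the presentation or from either company. The log lines are constructed, and the recognition heuristics (13 to 19 digits plus a Luhn check) are common practice rather than PCI SSC guidance.

```python
"""PAN discovery and masking for the Assess step and PCI DSS 3.2 requirement 3.3.

Added example for this page; not code from the presentation. The sample log
is constructed, and the PAN heuristics (13-19 digits plus a Luhn check) are
common practice rather than PCI SSC guidance.
"""
import re
import sys

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so a 20-digit reference number is skipped).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed application log: two well-known test PANs, a PAN with a bad check
# digit, and two digit strings (session id, tracking number) that are not PANs.
SAMPLE_LOG = """\
2016-10-25T10:01:02 app INFO order=8812 pan=4111111111111111 amount=19.90
2016-10-25T10:01:03 app INFO order=8813 pan=4111-1111-1111-1112 amount=5.00
2016-10-25T10:01:04 app DEBUG session=1234567890123456789 tracking=12345678901234
2016-10-25T10:01:05 app INFO order=8814 pan=5555 5555 5555 4444 amount=42.00
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display. Requirement 3.3 allows at most the first six and
    last four digits to be shown, and fewer when the business function needs fewer;
    asking for more is refused rather than silently honoured."""
    digits = re.sub(r"[^0-9]", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    if not (0 <= keep_first <= 6 and 0 <= keep_last <= 4):
        raise ValueError("display is limited to first six / last four digits")
    hidden = len(digits) - keep_first - keep_last
    return digits[:keep_first] + "*" * hidden + digits[len(digits) - keep_last:]


def find_pans(text: str):
    """Return (line_number, masked_pan) for every Luhn-valid PAN candidate.
    Only masked values are returned, so the scan output does not itself become
    a new location of cardholder data that would have to be protected."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((line_no, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    # Scan the files named on the command line, or the constructed sample if none.
    if len(sys.argv) > 1:
        sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    else:
        sources = [("<sample>", SAMPLE_LOG)]
    for name, text in sources:
        for line_no, masked in find_pans(text):
            print(f"{name}:{line_no}: {masked}")
```

  On the sample only lines 1 and 4 are reported: the dashed PAN on line 2 fails the check digit and the session and tracking numbers on line 3 fail Luhn, which is the point of the check, since a digit-length regex alone floods a scan of real logs with false positives. The reverse failure is also possible (a timestamp or reference number that happens to pass Luhn), so a text scan like this complements a data-flow diagram of where PANs are supposed to be; it does not replace it.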
  • 23. NEW REQUIREMENTS FOR PCI DSS 3.2: For Service Providers only
  - Requirement 3.5.1: maintain a documented description of the cryptographic architecture.
  - Requirement 10.8: detect and report on failures of critical security control systems.
  - Requirement 11.3.4.1: perform penetration testing on segmentation controls at least every six months.
  - Requirement 12.4 (12.4.1): executive management establishes responsibilities and a PCI DSS compliance program.
  - Requirement 12.11: perform quarterly reviews to confirm that personnel are following security policies and operational procedures.
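  Requirement 10.8 is the one on this slide that needs engineering rather than paperwork: a firewall, IDS, FIM agent, anti-virus or log collector that quietly stops working must be noticed in a timely manner, and "no events at all" is the failure mode that is easiest to miss. The Python below is an added example for this page, not code from the presentation or from either company: every critical control is expected to emit an event within a maximum silence window, and a control that is overdue, reports an error, or never shows up is raised as a failure. The event lines, control names and windows are constructed assumptions.

```python
"""Detect silent failures of critical security controls (PCI DSS 3.2 req. 10.8).

Added example for this page, not code from the presentation. Control names,
silence windows and the heartbeat lines are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed syslog-style control events: <ISO time> <control> <status> [detail].
# av-cde-app has gone quiet, siem-collector reports an error, and seg-fw-core
# (listed below) never appears at all.
SAMPLE_EVENTS = """\
2016-10-25T09:58:00Z fw-edge-01 OK policy=cde-ingress hits=1042
2016-10-25T09:58:10Z ids-cde-01 OK alerts=3
2016-10-25T09:58:20Z fim-cde-db OK files=1280
2016-10-25T09:40:00Z av-cde-app OK signatures=2016.10.24
2016-10-25T09:59:00Z siem-collector ERROR disk=full dropped_events=5190
"""

# Critical controls and the longest gap between events each may go silent (assumed).
CRITICAL_CONTROLS = {
    "fw-edge-01": timedelta(minutes=5),
    "ids-cde-01": timedelta(minutes=5),
    "fim-cde-db": timedelta(hours=1),
    "av-cde-app": timedelta(minutes=15),
    "siem-collector": timedelta(minutes=5),
    "seg-fw-core": timedelta(minutes=5),   # segmentation firewall with no events
}

DEMO_NOW = datetime(2016, 10, 25, 10, 0, 0, tzinfo=timezone.utc)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(OK|WARN|ERROR)(?:\s+(.*))?$")


@dataclass(frozen=True)
class ControlFailure:
    control: str
    reason: str


def parse_events(text: str):
    """Return {control: (timestamp, status, detail)}, keeping the newest event
    per control. Malformed lines are skipped here; a production collector
    should count them, since a sudden burst of garbage is itself a signal."""
    latest = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        control, status, detail = m.group(2), m.group(3), m.group(4) or ""
        if control not in latest or ts > latest[control][0]:
            latest[control] = (ts, status, detail)
    return latest


def detect_failures(events, now, controls=CRITICAL_CONTROLS):
    """Flag every critical control that is missing, in ERROR, or silent too long.
    Each hit is what 10.8 calls a failure to be alerted on and handled under the
    documented response process."""
    failures = []
    for control, max_silence in controls.items():
        if control not in events:
            failures.append(ControlFailure(control, "no events received"))
            continue
        ts, status, detail = events[control]
        if status == "ERROR":
            failures.append(ControlFailure(control, f"reported ERROR: {detail}"))
        elif now - ts > max_silence:
            failures.append(ControlFailure(control, f"silent for {now - ts}"))
    return failures


def demo():
    """Run the detector over the constructed events at the constructed time."""
    return detect_failures(parse_events(SAMPLE_EVENTS), DEMO_NOW)


if __name__ == "__main__":
    for f in demo():
        print(f"CONTROL FAILURE {f.control}: {f.reason}")
```

  The check keys on absence as much as on explicit errors: a control that stops reporting is treated exactly like one that reports a fault, which is what separates this from a normal "alert on ERROR" rule. In practice the windows are derived from each control's real reporting cadence, and the detector itself runs on a system outside the controls it watches, otherwise a failure of the SIEM takes the 10.8 check down with it.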
  • 24. IMPLEMENTATION AND REVIEW: Examples in Enforcing Requirements
  • 25. ASSESSOR'S APPROACH FOR REVIEW
  - Market update
  - Draft version
  - Internal review and feedback
  - New release
  Covering: requirements, sampling guidelines, BAU update
  • 26. IMPLEMENTER'S APPROACH
  - New version gets published: review changes, identify potential gaps
  - Gap analysis, first step: against corporate global documents; against other standards
  - Gap analysis, second step (if necessary): assessments per BU and action plan; documentation update
  • 27. TYPES OF CHANGES WITH EXAMPLES
  Changes already addressed (e.g. change management):
  - Agree on understanding and evidence
  - Confirm status
  - Evidence for implementation
  Small changes (e.g. crypto architecture):
  - Agree on understanding and evidence
  - Action plan
  - Evidence for implementation
  Bigger changes (e.g. 2FA, pen tests):
  - Agree on understanding and evidence
  - Action plan
  - Secure budget and resources
  - Evidence for implementation
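  The "pen tests" entry under bigger changes is, for service providers, the six-monthly segmentation test of requirement 11.3.4.1 on slide 23. The Python below is an added example for this page, not code from the presentation or from either company: run from a host on an out-of-scope segment, it probes every address in the assumed CDE ranges and reports any TCP reachability. A refused connection counts as a failure too, because a RST proves the packet crossed the segmentation boundary even though the port was closed. The CDE ranges and port list are assumptions.

```python
"""Segmentation check for PCI DSS 3.2 requirement 11.3.4.1.

Added example for this page, not code from the presentation. Run it from a
host on each out-of-scope network; the CDE ranges and ports are assumptions.
"""
import socket
from ipaddress import ip_network

CDE_NETWORKS = ["10.10.20.0/29"]            # assumed CDE ranges (small for the demo)
PROBE_PORTS = [22, 443, 1433, 3306, 3389]   # assumed services worth probing


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP connect attempt.
    'open'     - handshake completed
    'closed'   - RST received: the host was reached, so segmentation let it through
    'filtered' - no answer or unreachable: the boundary held for this probe"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"


def check_segmentation(networks=CDE_NETWORKS, ports=PROBE_PORTS, probe=tcp_probe):
    """Probe every host/port in the CDE ranges from this vantage point and return
    the (host, port, state) triples that got through. An empty list means no
    TCP path into the CDE was found for the probed ports."""
    reachable = []
    for net in networks:
        for host in ip_network(net).hosts():
            for port in ports:
                state = probe(str(host), port)
                if state in ("open", "closed"):
                    reachable.append((str(host), port, state))
    return reachable


def report(reachable) -> str:
    """Human-readable verdict for the evidence file of the segmentation test."""
    if not reachable:
        return "PASS: no TCP path into the CDE from this vantage point"
    lines = ["FAIL: segmentation controls allow the following connections:"]
    lines += [f"  {host}:{port} ({state})" for host, port, state in reachable]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_segmentation()))
```

  Keep the result together with the vantage point it was run from; the requirement is that every segmentation method in use is tested from every out-of-scope segment, so one clean run from one host is not evidence for the whole environment. A connect scan over a handful of ports is also the floor, not the ceiling, of the test: the assessor will expect the full port range, UDP and ICMP as well, and a qualified tester behind the results.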
  • 29. TAKE AWAYS
  - Internal SMEs and training: stay up to date with the standards
  - Work together with the auditors, not against them
  - Compliance, like security, requires time, people and budget
  - Compliance, like security, is an ongoing and never-ending process