Slide 1: Preparing for PCI DSS 3.0 & Ensuring a Seamless Transition
November 2013

Slide 2: Introductions
- Brian Serra, PCI Practice Director
- Nick Puetz, Managing Director - Strategic Services
2013 FishNet Security Inc. All rights reserved.

Slide 3: Agenda
- FishNet Security & PCI Compliance Services Overview
- Key Dates
- General Observations
- Clarified Requirements
- Additional Guidance
- Flexibility
- Best Practices & New Requirements
- Final Recommendations
Slide 4: Vital Statistics
- Established employees (over 300 focused on service delivery)
- US and EMEA presence
- 5,000 customers (over half of the Fortune 500 and Fortune 100)
- 50+ experienced QSAs and operational PCI security experts
- Consultants average 7 years of experience; Sr. Consultants and Principals average 13 years of experience
- Certifications include: PCI-QSA, PA-QSA, ASV-QSA, CISSP, ISSEP, IAM, GCIA, CISA, CISM, OSCP, CCNP, CCSE, Security+, MCSE, etc.
- Active members on all PCI Special Interest Groups (SIGs)
- ROC assessments/year
- Hundreds of PCI engagements annually

Slide 5: FishNet Security's 4 Pillars of PCI Compliance
- Pre-Assessment Services
  - PCI Executive Workshops
  - PCI Data Discovery and Lifecycle Mapping (DLP)
  - PCI Scope Reduction Strategies
- PCI Remediation Services
  - PCI Policy and Procedure Development
  - Network Architecture Review
  - Technology Solution Deployment (firewalls, IDS/IPS, SIEM, etc.)
  - Vulnerability Management Program Development
- PCI Certification Services
  - PCI DSS Gap Analysis and Certification Services
  - PA-DSS Gap Analysis and Certification Services
- Continuous PCI Compliance Services
  - PCI Vulnerability Scanning Services
  - Penetration Testing Services
  - PCI Data Discovery and Lifecycle Mapping (DLP)
  - Secure Code Review
  - eGRC Technology Deployment

Slide 6: The FishNet Security Advantage
- Information Security Provider Focus
- Payment Card Industry Compliance Methodology
- Deep Knowledge of Requirements
- Breadth and Depth of Experience
- Relationship with Visa and MasterCard
- Remediation Expertise
- Multiple Discipline Engagement Approach
- Proven Project Management Program
Slide 7: v3.0 Key Dates
- Nov. 2013: Final DSS 3.0 released
- Jan. 1, 2014: v3.0 can be used
- Dec. 31, 2014: v2.0 will still be active up to this date
- Jan. 1, 2015: v3.0 must be used moving forward
- July 15, 2015: Effective date for the new controls that were marked best practices

Slide 8: General Observations
There is a focus on some new topics:
- Sensitive Authentication Data (SAD)
- Integration of the PCI standards into the day-to-day business practices of organizations, aka Business-As-Usual (BAU)
- POS terminal physical security
For QSAs & ISAs:
- Reporting guidance right within the ROC
- Sampling guidance
- Renumbering of requirements and testing procedures

Slide 9: Sensitive Authentication Data (SAD)
Push to ensure that sensitive authentication data (SAD), formerly known as track data, is properly:
- Secured prior to authorization.
- Promptly and securely deleted once the authorization/decline has been received.
This is being driven by BlackPOS, vSkimmer and similar memory-scraping threats.
Slide 10: Business As Usual (BAU)
Incorporate continuous compliance into your security program. Examples of BAU:
- Monitoring of security controls (FW, IDS/IPS, FIM, AV, etc.)
- Ensuring security control failures are identified and rectified, and that a root cause analysis (RCA) is performed
- Review changes to the environment, i.e. change management
  - Impact on PCI DSS scope
  - Impact on the Cardholder Data Environment (CDE)
  - Update CDE and scope if necessary
- Changes to organizational structure, i.e. merger/acquisition
  - Impact on PCI DSS scope
  - Impact on the Cardholder Data Environment (CDE)
  - Update CDE and scope if necessary

Slide 11: Examples of Business As Usual (BAU)
- Periodic reviews and communication regarding PCI DSS compliance:
  - All facilities: retail outlets, data centers, etc.
  - Verify that requirements are still compliant.
  - "Periodic" is defined based on the size and complexity of the environment.
- Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity's security requirements, including PCI DSS.
- Consider implementing separation of duties for security functions so that security and/or audit functions are separated from operational functions. For example, responsibility for configuration and responsibility for approving changes could be assigned to separate individuals.

Slide 12: Sampling Guidance
- QSA/ISA can sample systems to assess during the ROC assessment
  - Must be a representative sample of each system type
  - You CANNOT apply the DSS requirements to only that sample
  - QSA/ISA cannot review only a sample of the relevant requirements
- QSA/ISA can sample locations to assess compliance
  - Must be a representative sample of each business function type
"While it is acceptable for an assessor to sample systems as part of their review of an entity's PCI DSS compliance, it is not acceptable for an entity to apply PCI DSS requirements to only a sample of their CDE or for an assessor to only review a sample of PCI DSS requirements for compliance." - PCI Security Standards Council
Slide 13: Clarified Requirements
- Current diagram that shows all cardholder data flows across systems and networks
- 2.4 Maintain an inventory of system components that are in scope for PCI DSS. Examine the system inventory to verify that a list of hardware and software components is maintained and includes a description of function/use for each.
- For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether such systems continue to not require antivirus software.

Slide 14: Clarified Requirements
- 5.3 Ensure that antivirus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
- Note: Antivirus solutions may be temporarily disabled only if there is a legitimate technical need, as authorized by management on a case-by-case basis. If anti-malware protection needs to be disabled for a specific purpose, it must be formally authorized. Additional security measures may also need to be implemented for the period of time during which anti-malware protection is not active.
Slide 15: Clarified Requirements
Define access needs for each role, including:
- System components and data resources that each role needs to access for their job function.
- Level of privilege required (for example, user, administrator, etc.) for accessing resources.

Slide 16: Clarified Requirements
8.6 Use of authentication mechanisms such as physical security tokens, smart cards and certificates must be assigned to an individual account as follows:
- Authentication mechanisms must be assigned to an individual account and not shared among multiple accounts.
- Physical and/or logical controls must be in place to ensure only the intended account can use that mechanism to gain access.

Slide 17: Clarified Requirements
- 9.3 Control physical access for onsite personnel to the sensitive areas as follows:
  - Access must be authorized and based on individual job function.
  - Access is revoked immediately upon termination, and all physical access mechanisms, such as keys, access cards, etc., are returned or disabled.
- Need to maintain an inventory of authorized wireless devices, including justification
- Implement a process to respond to any alerts generated by the change-detection solution
- Maintain information about which PCI DSS requirements are managed by each service provider and which are managed by the entity

Slide 18: Additional Guidance
Requirement 8: ID and Authentication is restructured
- Requirements in 8.1 are focused on user identification.
- Requirements in 8.2 are focused on user authentication.
- 8.3 still regards two-factor authentication.
- 8.4 becomes communicating authentication processes to personnel, contractors and vendors.
- 8.5 becomes do not use shared/generic credentials.
- 8.7 regards database credentials.
- 8.8 regards personnel being aware of all authentication policies, standards and procedures.
Slide 19: Flexibility
Passwords/phrases must meet the following:
- Require a minimum length of at least seven characters.
- Contain both numeric and alphabetic characters.
Alternatively, the passwords/phrases must have complexity and strength at least equivalent to the parameters specified above.
- For cases where this minimum cannot be met due to technical limitations, entities can use equivalent strength to evaluate their alternative.
- NIST SP defines entropy as a measure of the difficulty of guessing or determining a password or key.
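The following C program is an added example, not code from the FishNet deck: it checks a candidate password against the 8.2.3 minimum quoted on the slide (seven characters, both numeric and alphabetic), and shows one way to carry out the "equivalent strength" comparison for a platform that cannot meet that minimum. The comparison uses a plain keyspace model (charset size raised to the length), which is an assumption of this example and simpler than the NIST entropy estimate the slide refers to; the function names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PCI DSS 3.0 8.2.3 minimum as quoted on the slide: at least seven
   characters, containing both numeric and alphabetic characters. */
int meets_pci_minimum(const char *pw) {
    size_t len = strlen(pw);
    int has_digit = 0, has_alpha = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isdigit(c)) {
            has_digit = 1;
        } else if (isalpha(c)) {
            has_alpha = 1;
        }
    }
    return len >= 7 && has_digit && has_alpha;
}

/* Keyspace model assumed by this example (not the standard's text): a policy
   allowing `charset` symbols at length `len` has charset^len candidates.
   long double avoids overflow for long policies without needing libm. */
static long double keyspace(unsigned charset, unsigned len) {
    long double k = 1.0L;
    for (unsigned i = 0; i < len; i++) {
        k *= charset;
    }
    return k;
}

/* Smallest length at which an alternative character set has at least the
   baseline's keyspace. Returns 0 for a degenerate alternative (fewer than
   two symbols), which could never reach the target. */
unsigned equivalent_length(unsigned base_charset, unsigned base_len,
                           unsigned alt_charset) {
    if (alt_charset < 2) {
        return 0;
    }
    long double target = keyspace(base_charset, base_len);
    unsigned n = 1;
    while (keyspace(alt_charset, n) < target) {
        n++;
    }
    return n;
}

int main(void) {
    /* Baseline: 26 lower + 26 upper + 10 digits = 62 symbols, 7 characters. */
    printf("\"abc1234\" meets minimum: %d\n", meets_pci_minimum("abc1234"));
    printf("\"abcdefg\" meets minimum: %d\n", meets_pci_minimum("abcdefg"));
    printf("numeric-only PIN needs %u digits\n", equivalent_length(62, 7, 10));
    printf("lowercase-only needs %u characters\n", equivalent_length(62, 7, 26));
    return 0;
}
```

With the 62-symbol, 7-character baseline, a numeric-only keypad would need 13 digits and a lowercase-only field 9 characters to reach the same keyspace. The model ignores the "at least one letter and one digit" constraint, which makes the baseline keyspace slightly larger than it really is, so the alternative lengths it returns err on the conservative side.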
Slide 20: Notable Clarifications
- Cardholder data is explicitly not allowed to be stored anywhere with direct access to the Internet or untrusted networks.
- 3.2 Sensitive authentication data (SAD) is to be rendered unrecoverable once a transaction is completed. Also clarified testing procedures for issuers that retain SAD.

Slide 21: Notable Clarifications
- When using whole-disk encryption, the key management process must be separate and independent from the underlying OS.
- 4.1 Defined open, public networks to include:
  - The Internet
  - Wireless technologies, including and Bluetooth
  - Cellular technologies, for example Global System for Mobile communications (GSM), Code Division Multiple Access (CDMA) and General Packet Radio Service (GPRS)
  - Satellite communications

Slide 22: Notable Clarifications
- Flipped requirements 6.1 and 6.2: 6.1 now regards risk rankings and 6.2 regards patching.
- 6.5.x updated to reflect the changes in application software risks.
- 6.6 "web application firewall" terminology replaced with "automated technical solution".
- 9.2 Visitor ID badges are not the only option.
- Requirements 9.5 through 9.8 are restructured and reorganized.

Slide 23: Notable Clarifications
- Now includes logging of pausing and/or stopping audit logging.
- Changes include:
  - The intent of log reviews is to identify anomalies or suspicious activity.
  - Provides guidance about the scope of daily log reviews.

Slide 24: Notable Clarifications
10.6 changes: Allowing more flexibility for review of certain log events periodically, as defined by the entity's risk management strategy. Daily review still covers:
- Notifications or alerts that identify suspicious or anomalous activities
- Logs from critical system components
- Logs from systems that perform security functions, such as firewalls, IDS/IPS, file-integrity monitoring (FIM) systems and so on

Slide 25: Notable Clarifications
- 11.2 changes include:
  - Explicitly allows multiple scanning reports to be combined to meet the quarterly requirement.
  - Rescanning must be performed until all high vulnerabilities are resolved.
- Now allows any mechanism to be used that can detect critical file changes.
- No longer requires that mobile devices be labeled.
Slide 26: Best Practices until June 30, 2015
The following slides discuss the six new requirements that are considered best practices until June 30, after which these become requirements.

Slide 27: Coming June 30
- Broken Authentication and Session Management
- Service providers with access to customer environments must use a unique authentication credential (such as a password/phrase) for each customer environment.
- 9.9 Protect point-of-sale (POS) devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

Slide 28: Coming June 30
Develop and implement a methodology for penetration testing that:
- Is based on industry-accepted penetration testing approaches (for example, NIST SP).
- Includes coverage for the entire CDE perimeter and critical systems.
- Includes testing from both inside the network and from outside the network attempting to get in.
- Includes testing to validate any segmentation and scope-reduction controls.
- Defines application-layer penetration tests to include, at a minimum, the vulnerabilities listed in Requirement 6.5.
- Defines network-layer penetration tests to include components that support network functions as well as operating systems.
- Includes review and consideration of threats and vulnerabilities experienced in the last 12 months.
- Specifies retention of penetration testing results and remediation activities results.

Slide 29: Coming June 30
Additional requirement for service providers: Service providers acknowledge in writing to customers that they will maintain all applicable PCI DSS requirements to the extent the service provider handles, has access to or otherwise stores, processes or transmits the customer's cardholder data or sensitive authentication data, or manages the customer's cardholder data environment on behalf of a customer.
Slide 30: Final Recommendations
- Review the v3.0 DSS closely with your QSA to determine if a gap analysis is recommended.
- Incorporate Business-as-Usual to maintain security and compliance.
- Maintain a documented CDE inventory and network diagrams with data flows.
- Ensure in-house developed payment apps securely handle PAN/SAD in memory.
- Physically secure and inspect POS terminals periodically, including validating any third parties' authorization to access devices.
- If CHD is shared with a third party, ensure they are contractually aware of what controls they are responsible for.
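Slide 9 asks that SAD be secured until authorization and promptly and securely deleted once the approve/decline comes back, and the recommendation above asks that in-house payment applications handle PAN/SAD in memory securely. The C program below is an added example of that handling pattern, not code from the deck or any FishNet product: the request structure, function names and the stand-in acquirer call are hypothetical, and the track 2 string is a constructed sample built on a well-known test PAN. The point it shows is that the wipe must happen on every path after the answer arrives, and must be written so the compiler cannot drop it as a dead store.

```c
#include <stdio.h>
#include <string.h>

#define TRACK_MAX 128

/* Hypothetical in-memory authorization request. Track 2 data is sensitive
   authentication data (SAD) and may live here only until the issuer answers. */
typedef struct {
    char   track2[TRACK_MAX];
    size_t track2_len;
    char   pan_last4[5];   /* truncated PAN, which may be retained afterwards */
} auth_request_t;

/* Zero a buffer through a volatile pointer so the compiler cannot remove the
   stores once it sees the buffer is never read again (a plain memset right
   before free() or return is routinely optimized away). */
static void secure_wipe(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Load constructed track 2 data of the form ";PAN=expiry...?" and keep only
   the last four PAN digits as non-sensitive data. Returns 0 on success. */
int load_request(auth_request_t *req, const char *track2) {
    size_t len = strlen(track2);
    const char *sep = strchr(track2, '=');
    if (len >= TRACK_MAX || track2[0] != ';' || sep == NULL || sep - track2 < 5) {
        return -1;
    }
    memset(req, 0, sizeof *req);
    memcpy(req->track2, track2, len);
    req->track2_len = len;
    memcpy(req->pan_last4, sep - 4, 4);
    req->pan_last4[4] = '\0';
    return 0;
}

/* Placeholder for the authorization round trip (assumption of this example):
   real code transmits the request and parses the approve/decline response.
   Returns 0 once any answer has been received. */
static int send_to_acquirer(const auth_request_t *req) {
    return req->track2_len > 0 ? 0 : -1;
}

/* Authorize, then purge SAD unconditionally (approve, decline or transport
   error) before the request object is reused, logged or freed. */
int authorize_and_purge(auth_request_t *req) {
    int rc = send_to_acquirer(req);
    secure_wipe(req->track2, sizeof req->track2);
    req->track2_len = 0;
    return rc;
}

/* Confirm that no byte of the buffer survives; the kind of check a unit test
   or a QA memory scan can run against the process. */
int buffer_is_zeroed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= b[i];
    }
    return acc == 0;
}

int main(void) {
    auth_request_t req;
    /* Constructed sample: test PAN 4111111111111111, not real card data. */
    if (load_request(&req, ";4111111111111111=2512101000012345?") != 0) {
        return 1;
    }
    int rc = authorize_and_purge(&req);
    printf("auth rc=%d, track2 wiped=%d, last4=%s\n",
           rc, buffer_is_zeroed(req.track2, sizeof req.track2), req.pan_last4);
    return 0;
}
```

The same discipline applies to every other copy of the data: intermediate buffers in the reader driver, serialization buffers for the network send, and any logging path must be wiped or never receive SAD in the first place, since a memory scraper reads whatever copies remain.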
Slide 31: Thank You
- Brian Serra, CISSP, PCIP, PCI Practice Director, FishNet Security
- Nick Puetz, Managing Director, Strategic Services, FishNet Security