Simplifying Payment Card Industry Compliance

Size: px

Start display at page:

Download "Simplifying Payment Card Industry Compliance"

Egbert Floyd
10 years ago
Views:

2 Simplifying Payment Card Industry Compliance Agenda: What is PCI? Why do I need to worry about this? What changed in DSS 3.0? Are there Best Practices? Simplifying Compliance into Business-as-Usual Q&A 2014 Globalscape, Inc. All Rights Reserved. 2

4 What is PCI? 12 requirements Affects applications that store, process, or transmit cardholder data Source: PCI Security Standards Council: PCI DSS Quick Reference Guide 2014 Globalscape, Inc. All Rights Reserved. 4

6 Did you know? Sensitive authentication data cannot be stored Requirements apply when outsourcing payment operations or management Organizations outsourcing payment operations to third parties are responsible for ensuring account data is protected 2014 Globalscape, Inc. All Rights Reserved. 6

outsourcing payment operations or management Organizations outsourcing

7 PCI DSS 3.0 New Requirements New requirements cover: Insecure handling of PAN and SAD in memory Broken authentication and session management Unique authentication credentials for Service providers with access to customer environments 9.9 Protecting of point-of-sale (POS) devices from tampering 11.3 Developing and implementing a methodology for penetration testing 12.9 Additional requirement for service providers on data security 2014 Globalscape, Inc. All Rights Reserved. 7

9 Protecting of point-of-sale (POS) devices from tampering 11.

8 Best Practices for Implementing PCI DSS into Business-as-Usual 1. Monitoring of security controls to ensure they are operating effectively and as intended. 2. Ensuring that all failures in security controls are detected and responded to in a timely manner. 3. Review changes to the environment prior to completion of the change. 4. Review the impact to PCI DSS scope and requirements. 5. Periodic reviews and communications should be performed to confirm that PCI DSS requirements are in place. 6. Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity s security requirements, including PCI DSS Globalscape, Inc. All Rights Reserved. 8

Review the impact to PCI DSS scope and requirements. 5. Periodic reviews and communications should be performed to confirm that PCI DSS requirements are in place. 6.

Simplifying PCI Compliance 1. Monitor security controls 2. Detect &respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5.

9 Simplifying PCI Compliance 1. Monitor security controls 2. Detect &respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5. Periodic reviews to confirm PCI DSS requirements. 6. Review hardware and software periodically to confirm that it meets security requirements Globalscape, Inc. All Rights Reserved. 9

5. Periodic reviews to confirm PCI DSS requirements. 6.

Simplifying PCI Compliance 1. Monitor security controls 2. Detect and respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5.

10 Simplifying PCI Compliance 1. Monitor security controls 2. Detect and respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5. Periodic reviews to confirm PCI DSS requirements. 6. Review hardware and software periodically to confirm that it meets security requirements Globalscape, Inc. All Rights Reserved. 10

11 Simplifying PCI Compliance 1. Monitor security controls 2. Detect &respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5. Periodic reviews to confirm PCI DSS requirements. 6. Review hardware and software periodically to confirm that it meets security requirements Globalscape, Inc. All Rights Reserved. 11

12 Simplifying PCI Compliance 1. Monitor security controls 2. Detect &respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5. Periodic reviews to confirm PCI DSS requirements. 6. Review hardware and software periodically to confirm that it meets security requirements Globalscape, Inc. All Rights Reserved. 12

13 Simplifying PCI Compliance 1. Monitor security controls 2. Detect &respond to failures 3. Review changes prior to completion of the change. 4. Review impact to scope and requirements. 5. Periodic reviews to confirm PCI DSS requirements. 6. Review hardware and software periodically to confirm that it meets security requirements. If your data is located in the DMZ -- even temporarily -- it is easier for an external attacker to access this information. PCI DSS requirements require that all data must reside in "an internal network zone, segregated from the DMZ and other untrusted networks" (para ) Globalscape, Inc. All Rights Reserved. 13

Review hardware and software periodically to confirm that it meets security requirements.

14 Summary To Simplify PCI Compliance: 1. Implement PCI DSS into Business-as-Usual PCI compliance is a process, not an event. 2. Reduce scope consolidate processes, where possible. 3. Select applications that easily integrate with authentication protocols and designed to satisfy PCI stipulations. 4. Work with vendors and partners who understand PCI requirements and stay current with changes 2014 Globalscape, Inc. All Rights Reserved. 14

Reduce scope consolidate processes, where possible. 3.

Accelerating PCI Compliance

Accelerating PCI Compliance PCI Compliance for B2B Managed Services March 8, 2016 What s the Issue? Credit Card Data Breaches are Expensive for Everyone The Wall Street Journal OpenText Confidential. 2016