PCI Self-Assessment: PCI DSS 3.0



Achieving PCI DSS 3.0 Compliance with our PCI Self-Assessment tool
Author: Heinrich Van Der Westhuizen, Director

The following entries reconstruct the table from the original slides. Columns: Requirement; PCI DSS update; Purpose/need addressed; pci-selfassessment.com solution.

Requirement 1
PCI DSS update: Have a current diagram that shows cardholder data flows.
Purpose/need addressed: To clarify that documented cardholder data flows are an important component of network diagrams.
pci-selfassessment.com solution:
- Policy upload feature: Clients will be able to upload and maintain network diagrams, including cardholder data flows.

Requirement 2
PCI DSS update: Maintain an inventory of system components in scope for PCI DSS.
Purpose/need addressed: To support effective scoping practices.
pci-selfassessment.com solution:
- Policy review dates: All uploaded policies are forced to be reviewed within 3, 6 or 12 months. By default, every policy must be reviewed at least once a year.
- PCI compliance strategy: The cardholder data flow diagram forms part of the PCI compliance strategy, which in turn defines the PCI scope. No new asset can be registered outside the compliance strategy.
- Asset register: All PCI assets are maintained in our PCI asset register and associated with an owner. All risks associated with an asset are the responsibility of the asset owner to resolve.
- Asset location: All assets are linked to specific locations and configured accordingly, in line with the PCI compliance strategy. This translates the compliance strategy into day-to-day operation.
- Asset type: Each asset location has the asset types that are expected to be found in it, which makes it easier to group assets and align them with the PCI compliance strategy.
- Asset policies and procedures: With asset locations and asset types defined, we align the appropriate policies and procedures to them; as a result, all new assets inherit those policies and procedures.

Requirement 5
PCI DSS update: Evaluate evolving malware threats for systems not commonly affected by malware.
Purpose/need addressed: To promote ongoing awareness and due diligence to protect systems from malware.
pci-selfassessment.com solution:
- Technical compliance baselines: All assets in the PCI zone have a minimum technical baseline, which includes malware protection updates.
- Technical risk board: We mandate that a technical risk review board be included in the PCI compliance strategy.

Requirement 6
PCI DSS update: Update the list of common vulnerabilities in alignment with OWASP, NIST, SANS, etc., for inclusion in secure coding practices.
Purpose/need addressed: To keep current with emerging threats.
pci-selfassessment.com solution:
- Policies and procedures: Software coding policies are enforced and included as part of the strategy.
- PCI change management: Every change request that involves software must comply with the PCI software coding policy and must be located in the pre-approved PCI zone, thereby inheriting the other policies and procedures.

Requirement 8
PCI DSS update: Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates.
Purpose/need addressed: To address feedback that requirements for securing authentication methods other than passwords need to be included.
pci-selfassessment.com solution:
- PCI change management: Every change request that involves authentication must comply with the PCI authentication policy as a baseline, and the policy is mandated on all projects and assets.

Requirement 9
PCI DSS update: Protect POS terminals and devices from tampering or substitution.
Purpose/need addressed: To address the need for physical security of payment terminals.
pci-selfassessment.com solution:
- PCI asset register: Each PCI asset, including POS terminals and their locations, is assessed to ensure it complies with all PCI security policies.

Requirement 11
PCI DSS update: Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective.
Purpose/need addressed: To address requests for more details on penetration tests, and for more stringent scoping verification.
pci-selfassessment.com solution:
- PCI policy and procedure: Penetration testing is included among the required policies and is updated quarterly. Segmentation is part of the adopted PCI compliance technical strategy.

Requirement 12
PCI DSS update: Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity. Service providers must acknowledge responsibility for maintaining the applicable PCI DSS requirements.
Purpose/need addressed: To address feedback from the 3rd Party Security Assurance SIG.
pci-selfassessment.com solution:
- PCI 3rd party register: We maintain a PCI 3rd party register that includes all assets and projects managed by the 3rd party. It also allows the 3rd party to maintain a risk register in order to ensure any risks associated with
- Privacy Impact Assessment: All 3rd parties are required to undergo a privacy impact assessment, which includes the privacy risks associated with the PCI estate.
- PCI risk assessment: Each project and asset undergoes a PCI risk assessment, and the associated risks are managed via the risk register.

General
PCI DSS update: Clarified that sensitive authentication data must not be stored after authorization, even if the PAN is not present.
Purpose/need addressed: To ensure better understanding of the protection of sensitive authentication data.

General
PCI DSS update: Added guidance for implementing security into business-as-usual (BAU) activities and best practices for maintaining ongoing PCI DSS compliance.
Purpose/need addressed: To address compromises where the organisation had been PCI DSS compliant but did not maintain that status. The recommendations focus on helping organisations take a proactive approach to protecting cardholder data, one that focuses on security rather than compliance and makes PCI DSS a business-as-usual practice.
pci-selfassessment.com solution:
- PCI policies: We reuse existing policies and procedures and incorporate the PCI requirements into them in order to keep them manageable.

Multiple requirements
PCI DSS update: Incorporate security policy/procedure requirements into each requirement.
Purpose/need addressed: To address feedback that policy topics should closely align with the related technical PCI DSS requirement.
pci-selfassessment.com solution:
- PCI roles and responsibilities / PCI compliance policies: Our suite of policies adopts current security policies and procedures into the PCI requirements.

Requirement 2
PCI DSS update: Clarified that changing default passwords is required for application/service accounts as well as user accounts.
Purpose/need addressed: To address gaps in basic password security practices that are leading to compromises.
pci-selfassessment.com solution:
- Password baseline: All systems inherit a password baseline that is made available to all systems and assets to adopt; it includes confirmation that default passwords have been changed.

Requirement 3
PCI DSS update: Provided flexibility with more options for secure storage of cryptographic keys, and clarified the principles of split knowledge and dual control.
Purpose/need addressed: To clarify common misunderstandings about key management.

Requirement 8
PCI DSS update: Provided increased flexibility in password strength and complexity to allow for variations that are equivalent. Revised password policies to include guidance for users on choosing strong passwords, protecting their credentials, and changing passwords upon suspicion of compromise.
Purpose/need addressed: To address feedback on improving password security. Changes focus on increased flexibility and user guidance rather than new requirements.
pci-selfassessment.com solution:
- Password baseline: All systems inherit the password baseline, which is made available to all systems and assets to adopt.

Requirement 10
PCI DSS update: Clarified the intent and scope of daily log reviews.
Purpose/need addressed: To help entities focus log-review efforts on identifying suspicious activity and allow flexibility for the review of less-critical log events, as defined by the entity's risk management strategy.
pci-selfassessment.com solution:
- PCI compliance strategy: The technical baseline mandates gathering daily logs from systems and making them available for the identification of suspicious activity.

Introduction to pci-selfassessment.com
Inherent compliance strategy: ground-up approach. Components of the tool:
- Scope definition
- PCI asset type definition
- PCI compliance dashboard
- PCI risk assessment
- Policy register