Continuous compliance through good governance


PCI DSS Compliance: A step into the payment ecosystem and Nets compliance program Continuous compliance through good governance

Who are the PCI SSC? The Payment Card Industry Security Standards Council is an independent body providing oversight of the payment card security standards on a global basis. It was founded by American Express, Discover, JCB International, MasterCard, and Visa. The Council's main standards are:
- PCI Data Security Standard (PCI DSS)
- PCI PIN Transaction Security Standard (PCI PTS)
- Payment Application Data Security Standard (PA-DSS)
- Point-to-Point Encryption Standard (P2PE)

What is PCI DSS? PCI DSS is not government legislation; it is an industry regulation. It was developed to enhance cardholder security and to provide a baseline of controls for protecting cardholder data. PCI DSS applies to any entity that stores, processes, or transmits cardholder data. The cardholder data environment is comprised of people, processes and technologies. For Nets, PCI DSS is like our license to operate: without it we cannot conduct business.

PCI DSS standards overview. The PCI DSS is based on six primary goals:
1. Build and maintain a secure network and systems
2. Protect cardholder data
3. Maintain a vulnerability management program
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
Each goal contains a set of requirements; the standard has 12 top-level requirements with a total of 350+ detailed requirements beneath them.

What is cardholder data? PCI DSS applies wherever account data is stored, processed, or transmitted. Account data consists of cardholder data (PAN, cardholder name, expiration date, service code) and/or sensitive authentication data (full track data, CAV2/CVC2/CVV2/CID, PINs/PIN blocks). Account data must be properly protected in compliance with PCI DSS or not stored at all. Sensitive authentication data must not be stored after authorization, even if encrypted.
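
As an added illustration (not from the Nets deck), the Python check below shows what "protect it or do not store it" looks like when tested against stored data. It scans text for Luhn-valid PAN candidates of 13 to 19 digits and for the ISO 7813 track-1/track-2 sentinels that mark sensitive authentication data, and reports every hit masked to the first six and last four digits (the display format PCI DSS 3.3 permits) so the evidence file does not itself become a new finding. The four log lines are constructed for this example; the regexes and the field layout are assumptions, not anything the slide specifies.

```python
import re

# Constructed sample log for this example (not data from Nets or the slide deck).
# Line 1: a PAN next to a 16-digit order number that is NOT a PAN (fails Luhn).
# Line 2: a PAN already masked per PCI DSS 3.3 (first six / last four): compliant.
# Line 3: raw track-2 data as read from a magnetic stripe: SAD, must never be stored.
# Line 4: a 15-digit PAN written with spaces.
SAMPLE_LOG = """\
2016-03-14 12:01:55 order=1234567890123456 card=4111111111111111 amount=19.99
2016-03-14 12:02:10 order=1234567890123457 card=411111******1111 amount=5.00
2016-03-14 12:02:31 swipe=;5555555555554444=25121010000012345678? terminal=7
2016-03-14 12:03:02 order=1234567890123458 amex=3782 822463 10005 amount=120.00
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO 7813 track sentinels: ';PAN=YYMM...' (track 2) and '%BPAN^NAME^YYMM...' (track 1).
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})")
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; brand-issued PANs pass it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Render a PAN the way PCI DSS 3.3 allows it to be displayed: first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> list:
    """Findings for one line: track data (SAD) first, then bare PANs not already covered by it."""
    findings = []
    track_pans = set()
    for kind, pattern in (("track2", TRACK2), ("track1", TRACK1)):
        for m in pattern.finditer(line):
            track_pans.add(m.group(1))
            findings.append({"kind": kind, "masked": mask_pan(m.group(1))})
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if digits in track_pans:
            continue                        # already reported as part of the track data
        if luhn_valid(digits):
            findings.append({"kind": "pan", "masked": mask_pan(digits)})
    return findings


def scan(text: str) -> list:
    """Scan multi-line text; each finding carries its 1-based line number."""
    report = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for f in scan_line(line):
            report.append({"line": lineno, **f})
    return report


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['masked']}")
```

On the sample, line 2 produces nothing (already masked), line 1 and line 4 report a PAN each, and line 3 reports track-2 data, which is the one that cannot be fixed by encryption or truncation and must be purged from the log and its backups. The Luhn filter is what keeps order numbers and timestamps out of the report; the digit-run lookarounds keep a 20-digit identifier from being cut into a false 19-digit hit.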

Actors across the payment ecosystem

Malicious actor

The Actors Defined
- Cardholder: customer purchasing goods/services in card-present or card-not-present transactions.
- Issuer: bank or other organization issuing a payment card on behalf of a Payment Brand (e.g. MasterCard, Visa), or a payment brand issuing a payment card directly (e.g. Amex, Discover, JCB).
- Merchant: organization accepting the payment card during a purchase.
- Acquirer (Teller, a subsidiary of Nets Group): bank or entity the merchant uses to process payment card transactions. Receives authorization requests from the merchant and forwards them to the issuer for approval; provides authorization, clearing, and settlement services to merchants. Also referred to as the merchant bank, or the Payment Brand itself where it acquires directly (Amex, Discover, JCB).
- Payment processor / payment brand network (Nets Group).

Which entities are in PCI scope? Issuers, merchants, acquirers and payment processors / payment brand networks (Nets Group) are all in scope, since each of them stores, processes or transmits cardholder data.

PCI Governance at Nets

What to avoid

Governance structure 2016+ This governance structure should be applicable to any kind of compliance management, but in this case PCI DSS compliance management is used as the example. Future scaling to multi-framework compliance management is more a matter of resourcing than anything else.

PCI Compliance Annual Timeline. The audit is a snapshot in time; PCI compliance must be achieved 365 days a year. The example timeline runs from January 2016 to April 2017 and shows example evidence deliverable dates and example audit deadlines: Pre-Audit, Final Audit, ROC Signature, then the next year's Pre-Audit.
- Evidence Collection & Issue Remediation: evidence is collected prior to and during the audit, and previously identified issues are remediated.
- Evidence Validation & Issue Closure: the audit looks back 12 months to verify compliance in the previous year.

PCI Compliance Wheel for BAU. Recurring business-as-usual tasks by frequency:

ANNUALLY
- Review public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes (PCI 6.6).
- Perform internal and external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (PCI 11.3.1 & 11.3.2).
- Perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE (PCI 11.3.4).
- Perform a risk assessment (PCI 12.2) that is performed at least annually and upon significant changes to the environment (for example, acquisition, merger, relocation, etc.); identifies critical assets, threats, and vulnerabilities; and creates a formal, documented analysis of risk.
- Review the security policy and update the policy when the environment changes (PCI 12.1.1).
- Maintain logs of all media and conduct media inventory (PCI 9.7.1).
- Perform periodic evaluations to identify and evaluate evolving malware threats in order to confirm whether systems continue to not require anti-virus software (PCI 5.1.2).
- Change cryptographic keys for keys that have reached the end of their cryptoperiod (PCI 3.6.4).
- Educate personnel on cardholder data security (PCI 12.6.1).
- Monitor service provider compliance (PCI 12.8.4).
- Test the incident response plan at least annually (PCI 12.10.2).

SEMI-ANNUALLY
- Review firewall and router rule sets at least every six months (PCI 1.1.7).

QUARTERLY
- Identify and securely delete stored cardholder data that exceeds the defined retention periods required for legal, regulatory, and/or business requirements (PCI 3.1).
- Perform quarterly internal vulnerability scans and rescans as needed, until all high-risk vulnerabilities (as identified in Requirement 6.1) are resolved. Scans must be performed by qualified personnel (PCI 11.2.1).
- Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC). Perform rescans as needed, until passing scans are achieved (PCI 11.2.2).
- Test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points (PCI 11.1).
- Remove/disable inactive user accounts within 90 days (PCI 8.1.4).
- Change user passwords/passphrases at least once every 90 days (PCI 8.2.4).

DAILY/WEEKLY/MONTHLY
- Review the following at least daily (PCI 10.6.1): all security events; logs of all system components that store, process, or transmit CHD and/or SAD; logs of all critical system components; logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
- Install applicable critical vendor-supplied security patches within one month of release (PCI 6.2.a).
- Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up to date (PCI 11.4).
- Keep system configuration/settings updated.
- Review and update service documentation.
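
As an added example (not from the Nets deck), the Python script below turns two of the quarterly items above into an automated evidence check of the kind the wheel expects business units to produce. Given an export of user accounts (a constructed, hypothetical inventory is embedded inline), it flags enabled accounts with no login for more than 90 days (PCI 8.1.4) and passwords older than 90 days (PCI 8.2.4), measured against a fixed as-of date so the same run can be reproduced for the assessor. The field names, the as-of date and the rule that a never-used account counts as inactive since creation are assumptions of the example.

```python
from datetime import date

# Constructed, hypothetical account export (not Nets data); dates are ISO strings as an
# identity store would typically export them. None means the event never happened.
ACCOUNTS = [
    {"user": "alice",   "enabled": True,  "created": "2015-09-01", "last_login": "2016-05-02", "pw_changed": "2016-04-01"},
    {"user": "bob",     "enabled": True,  "created": "2015-09-01", "last_login": "2016-01-10", "pw_changed": "2016-04-20"},
    {"user": "svc-etl", "enabled": True,  "created": "2015-09-01", "last_login": "2016-05-01", "pw_changed": "2015-12-01"},
    {"user": "carol",   "enabled": False, "created": "2015-03-01", "last_login": "2015-06-01", "pw_changed": "2015-06-01"},
    {"user": "dave",    "enabled": True,  "created": "2016-01-15", "last_login": None,         "pw_changed": "2016-04-30"},
]

AS_OF = date(2016, 5, 10)        # fixed reference date so the evidence is reproducible (assumed)
MAX_INACTIVE_DAYS = 90           # PCI DSS 8.1.4: remove/disable inactive accounts within 90 days
MAX_PASSWORD_AGE_DAYS = 90       # PCI DSS 8.2.4: change passwords at least once every 90 days


def age_days(iso_date: str, as_of: date) -> int:
    """Whole days elapsed between an ISO date string and the as-of date."""
    return (as_of - date.fromisoformat(iso_date)).days


def check_accounts(accounts: list, as_of: date) -> list:
    """One finding per violated requirement; disabled accounts are out of scope for both rules."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        # 8.1.4: an account that has never logged in is treated as inactive since creation.
        last_activity = acct["last_login"] or acct["created"]
        inactive = age_days(last_activity, as_of)
        if inactive > MAX_INACTIVE_DAYS:
            findings.append({
                "user": acct["user"], "req": "8.1.4",
                "detail": f"no login for {inactive} days (limit {MAX_INACTIVE_DAYS})",
            })
        # 8.2.4: password age is measured from the last change, independent of activity.
        pw_age = age_days(acct["pw_changed"], as_of)
        if pw_age > MAX_PASSWORD_AGE_DAYS:
            findings.append({
                "user": acct["user"], "req": "8.2.4",
                "detail": f"password {pw_age} days old (limit {MAX_PASSWORD_AGE_DAYS})",
            })
    return findings


def evidence_record(accounts: list, as_of: date) -> dict:
    """Summary for the evidence folder: what was checked, as of when, and what was found."""
    findings = check_accounts(accounts, as_of)
    return {
        "as_of": as_of.isoformat(),
        "accounts_in_scope": sum(1 for a in accounts if a["enabled"]),
        "findings": findings,
        "compliant": not findings,
    }


if __name__ == "__main__":
    rec = evidence_record(ACCOUNTS, AS_OF)
    print(f"as of {rec['as_of']}: {rec['accounts_in_scope']} enabled accounts, "
          f"{len(rec['findings'])} findings, compliant={rec['compliant']}")
    for f in rec["findings"]:
        print(f"  {f['user']:8} PCI {f['req']}  {f['detail']}")
```

Two details matter for an assessor. The limit is inclusive, so an account last used exactly 90 days ago is not a finding but one day later it is; and the service account svc-etl is caught on password age even though it logs in daily, which is the case that a purely activity-based review misses. Run on a schedule and archived with its as-of date, the output is the 12-month trail of evidence the timeline slide asks for.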

PCI Compliance Wheel for Infosec Compliance Management: Pre-Assessment, then Final Assessment.

BAU vs. Compliance Management Wheel
BU/GU responsibility:
- Compliance requirement fulfillment for the corresponding area of responsibility
- Finding remediation
- Evidence collection (from recurring task completion and finding remediation)
InfoSec's responsibility:
- PCI assessment cycle
- PCI audit management
- PCI finding remediation follow-up

Key Takeaways
- PCI is NOT just an IT issue.
- A well-defined governance structure with key roles and responsibilities must be in place to support compliance across the organization.
- PCI compliance validation is a review of the last 12 months, so cramming for the audit is not an option.
- Certification requires continuous compliance 365 days a year, with demonstrable evidence of compliant processes and procedures.