What Is It?

The Payment Card Industry Data Security Standard (PCI DSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage of credit card data in a rapidly evolving threat landscape.

Who Should Care

Any business entity, in any industry sector, involved in the processing, storage, and transmission of credit card transactions or cardholder data. If your business is in one way or another accepting, receiving, processing, transmitting, storing or issuing credit card data on your own behalf or on behalf of other entities, or if you subcontract these activities to other entities, then you are responsible for complying with the standard.

Why Comply

The Contractual Angle

PCI DSS is not a regulation, such as HIPAA, FISMA or NERC, nor is it a guideline such as the Council on CyberSecurity Top 20 or OWASP; it is a contractual obligation backed by financial penalties in case of non-compliance and breaches. Complying with the standard allows organizations to minimize, or even nullify, these penalties, which matters because they grow in proportion to the number of cards compromised.
The Trust Factor

More than just a contractual obligation, PCI DSS is a vehicle for implementing security best practices. Complying with PCI DSS demonstrates an adequate level of protection of customers' data. Additionally, PCI DSS is increasingly being used as a minimum bar to demonstrate to key business partners and external stakeholders that proper security controls are in place. Finally, PCI compliance can help instill trust in your organization's ability to protect its customers' sensitive information.

What Is Required

PCI DSS encompasses 12 core security requirements covering various aspects of network, system, and application security, and data protection while in transit and at rest. The only exceptions are disaster recovery and business continuity, which are of no interest for PCI as these areas are unrelated to credit card fraud.

The 12 Requirements (and the topic each covers)

 1. Install and maintain a firewall configuration to protect cardholder data
    Topic covered: Network security (Firewall/DMZ/Router)
 2. Do not use vendor-supplied defaults for system passwords and other security parameters
    Topic covered: Secure configuration and hardening of servers
 3. Protect stored cardholder data
    Topic covered: Data at rest protection (Encryption, retention, destruction)
 4. Encrypt transmission of cardholder data across open, public networks
    Topic covered: Data in transit (Encryption)
 5. Protect all systems against malware
    Topic covered: Anti-malware
 6. Develop and maintain secure systems
    Topic covered: Patch management, secure coding and development
 7. Restrict access to cardholder data by business need to know
    Topic covered: Access restriction/assignment process (Need-to-know, least privilege)
 8. Identify and authenticate access to system components
    Topic covered: Access control and access management
 9. Restrict physical access to cardholder data
    Topic covered: Physical security
10. Track and monitor all access to network resources and cardholder data
    Topic covered: Logging and monitoring
11. Regularly test security systems and processes
    Topic covered: Wireless security, vulnerability scans, penetration tests, change detection (File integrity)
12. Maintain an Information Security Policy
    Topic covered: Policies, procedures, organizations, risk analysis

Organizations must comply with the requirements pertaining to their merchant type. This merchant type indicates how the organization collects, handles and processes card data. Each merchant type is associated with a self-assessment questionnaire (SAQ). You can find out more from your acquiring bank.

Validating Compliance

Compliance validation should be an annual process, with its methods defined by the organization's level, which is determined by the number of transactions or cards received, processed, stored or transmitted on an annual basis and for each card brand.
According to their level, organizations are subject to annual audits by qualified assessors or to an annual self-assessment questionnaire (SAQ). Additionally, service providers must undergo an annual on-site audit regardless of the number of cards.

Determining Scope

Wherever there is a credit card, there is a component in scope. The PCI scope consists of all system components included in, or connected to, the Cardholder Data Environment (CDE). The CDE is defined as the people, processes and system components that store, process, handle or transmit cardholder data.

If card data is stored and/or processed in a cloud environment, PCI DSS applies to that environment. Responsibilities for PCI compliance are shared between the cloud provider and the client depending on the cloud service model (IaaS, PaaS, SaaS).
CloudLock Security Fabric Supports Your PCI Compliance in the Cloud

Meeting internal or external compliance regulations can be a tremendous challenge for any IT organization using Software as a Service (SaaS) applications. CloudLock provides the visibility and control you need to quickly detect and respond to risks from data that is sensitive, toxic, and/or subject to PCI DSS, while confidently working in the cloud.

CloudLock supports your compliance in the cloud with the following PCI requirements:

Requirement 3: Protect stored cardholder data

PCI requires that storage and retention time of specific card data elements (cardholder's name, primary account number (PAN), expiration date and service code) be limited to what is required for legal, regulatory, and business requirements. Processes must be in place for identifying and securely deleting stored cardholder data that exceeds the defined retention period. Storage of the other card data elements is forbidden: full magnetic stripe, card verification code or value, and PIN or PIN block.

- Identify and monitor in real time PCI card data nested within your cloud apps.
- Enforce and enable strong encryption of documents containing card data.
- Notify and educate users to encrypt sensitive information based on policy violations involving over-shared or inappropriately stored data.
Requirement 4: Encrypt transmission of cardholder data across open, public networks

This requirement addresses the protection of cardholder data during transmission over networks that are easily accessed by malicious individuals. In particular, it enforces the use of strong cryptography to safeguard sensitive cardholder data during transmission over open, public networks.

- Empower your end users to selectively encrypt sensitive information as a service and securely share the encryption keys with authorized parties.
- Leverage industry-best encryption and key management technology, using AES-256 password-based encryption.

Requirement 6: Develop and maintain secure applications

This requirement addresses the measures needed to minimize the risk of compromise of cardholder data by malicious individuals and malicious software.

- Discover and control more than 77,000 cloud and third-party apps that matter.
- Gain insight into which apps pose a risk to your organization.

Requirement 7: Restrict access to cardholder data by business need to know

This requirement ensures that systems and processes are in place to limit access to cardholder data on a need-to-know basis and according to job responsibilities.

- Enforce proper access controls for all relevant apps and data in the cloud.
- Provide ongoing verification and control of access rights.
- Protect your organization from malicious data extraction.
Requirement 10: Track and monitor all access to network resources and cardholder data

This requirement addresses the need for auditing access to your cloud apps and associated data.

- Monitor user activity to detect and surface potential anomalies, including suspicious logins.
- Use audited data as evidence of compliance with regulations and internal policies.
- Feed time-sensitive and critical security events into your company-wide SIEM solutions for a consolidated security view.
- Gain real-time insight into the health of your public cloud applications in one unified dashboard.
- Leverage out-of-the-box security and compliance reports to meet regulatory requirements with internal and external auditors.

Requirement 11: Regularly test security systems and processes

This requirement addresses in particular the deployment of change-detection mechanisms.

- Detect, monitor and alert on changes to your sensitive cloud data (e.g. documents including cardholder data) based on defined policies.
- Provide an audit trail when new processes are introduced that write PCI-related data to cloud applications.

Requirement 12: Maintain a policy that addresses information security for all personnel

This requirement addresses the need for information security policies, the awareness of personnel of the sensitivity of data and of their responsibilities for protecting it, and the establishment of security incident response procedures to ensure timely and effective handling of all situations.
1. Institute and enforce security policies

- Leverage centralized custom policies to identify data subject to risk, governance, and security violations across your public cloud applications.
- Use CloudLock's rich policy templates to safeguard your most critical assets.
- Specify content and context criteria to customize your policies.

2. Manage security incidents effectively

- Centrally manage all incidents based on unified policies.
- Investigate flagged content and potentially toxic data in files and documents.
- Easily view and filter incidents based on severity level, object type, cloud app, status, date, and other criteria.
- Prioritize and track incidents based on business impact to your organization.
- Create incident reports.
- Automate response actions and notifications to your end users with CloudLock's fully automated remediation management capabilities.
- Integrate CloudLock's incident management service with your own enterprise systems, e.g. IT support and SIEM solutions.

3. Increase end-user awareness

- Notify and educate users to encrypt sensitive information based on policy violations involving over-shared or inappropriately stored data.

Reference Materials: PCI DSS Computing Guidelines
The Cloud Security Fabric

CloudLock offers the cloud security fabric enabling enterprises to protect their data in the cloud, reduce risk, achieve compliance, manage threats, and increase productivity. By analyzing 750 million files for more than 6 million end users daily, CloudLock delivers the only complete, risk-appropriate, and people-centric approach to cloud security.

www.cloudlock.com | info@cloudlock.com | (781) 996-4332