BRAND-NAME is What COUNTS!!!
USE PCI-DSS and make a name for your business
Amit Jain, Lead Solution Architect, Aug 2015
WHO WE ARE: Company facts and figures
- ESTABLISHED 1995
- TRUSTED BY MORE THAN 3 MILLION BUSINESSES: selected by more enterprises for compliance, chosen more often than the next 10 service providers combined
- GROWING: MORE THAN 1,300 EMPLOYEES
- GLOBAL: CUSTOMERS IN 96 COUNTRIES
- INNOVATING: MORE THAN 50 PATENTS & COUNTING*
- Global Threat Database feeds technologies and services with threat intelligence
- Industry's most holistic portfolio of security technologies, delivered through TrustKeeper
*30+ patents granted; 20+ patents pending
Introduction to PCI-DSS
PCI BASICS: PCI DSS Defined
The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements designed to protect cardholder data. It applies to ALL merchants, service providers, systems, networks and applications that process, store, and/or transmit card numbers.
PCI Data Security Standard High Level Overview (number of requirements in each group in brackets):
- Build and Maintain a Secure Network and Systems (2)
- Protect Cardholder Data (2)
- Maintain a Vulnerability Management Program (2)
- Implement Strong Access Control Measures (3)
- Regularly Monitor and Test Networks (2)
- Maintain an Information Security Policy (1)
PCI DSS COMPLIANCE: Sound Business Practice
Fundamental best security practices:
- Avoid fraud
- Helps you understand your own system better
- Clarifies where data is stored
Upholds brand name:
- Adds value to the name
- Increases consumer confidence
A non-compliant, compromised business could expect:
- Damage to their brand/reputation
- Investigation costs
- Remediation costs
- Fines and fees
Requirements for HOSTING PROVIDERS
Requirement No. 9: Restrict physical access to cardholder data
- Implement facility entry controls to limit and monitor physical access to systems and data:
  - video cameras (3 months retention)
  - restrict physical access to public network jacks, wireless APs, etc.
- Visitor controls: distinguish between employees and visitors (visitor and employee badges); data centre visitor log
- Physically secure all paper and electronic media that contain cardholder information:
  - backup media in a safe or secure room
  - restrict access to hardcopy media
  - clean desk policy
- Maintain, control and audit all movement of media containing cardholder data (paper & electronic)
- Secure media destruction (cross-cut shred, degauss, etc.)
Requirement No. 12: Maintain a policy that addresses information security
- Formalise, maintain and publish an Information Security Policy
- Formalise operational security procedures
- Develop acceptable usage policies for remote access systems
- Ensure information security responsibilities are clearly defined and assigned
- Security Awareness Programme
- HR screening policies and procedures
- Contractual obligations for 3rd parties
- Incident Response Plan
PEN TEST REQUIREMENT: Compliance point of view
Penetration testing definitions tightened:
- Pen testing must adhere to an industry methodology and/or standard (NIST given as an example)
- Qualified personnel performing the test, with independence (an independent function within the organization, or an external body)
- Include a review of threats and vulnerabilities experienced in the past
- Includes testing of the CDE perimeter
Vulnerability Scanning Requirement
Compliance:
- Is a critical component of maintaining PCI-DSS status over the course of the year
- Used by assessors and auditors to regularly validate PCI DSS
Security:
- Provides a hacker's insight into network assets, both inside and outside the firewall
- Regular scanning and reporting documents vulnerabilities, assigns risk and verifies remediation through patching, reducing the number and severity of vulnerabilities
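The slide above describes the scanning cycle (document findings, assign risk, verify remediation, keep the cadence over the year) without showing what that tracking looks like in practice. The following is an added example, not Trustwave's tooling and not code from the deck: a small Python tracker over constructed scan results. It applies two facts from the PCI ASV programme that are not on the slide: a finding with a CVSS base score of 4.0 or higher fails an ASV scan, and external scans are required at least quarterly (modelled here as a 90-day maximum interval). Host names and check identifiers are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# ASV programme rule: CVSS base score >= 4.0 is a failing vulnerability.
ASV_FAIL_THRESHOLD = 4.0
# Quarterly cadence, modelled as a 90-day maximum gap between scans (assumption).
MAX_SCAN_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class Finding:
    host: str       # constructed host label
    check_id: str   # constructed scanner check identifier
    cvss: float     # CVSS base score assigned to the finding


@dataclass
class Scan:
    scanned_on: date
    findings: list = field(default_factory=list)


def failing_findings(scan):
    """Findings that would fail an ASV scan under the CVSS 4.0 threshold."""
    return [f for f in scan.findings if f.cvss >= ASV_FAIL_THRESHOLD]


def scan_passes(scan):
    """A scan passes when no finding reaches the failing threshold."""
    return not failing_findings(scan)


def cadence_gaps(scans):
    """Pairs of consecutive scans whose spacing exceeds the quarterly interval."""
    ordered = sorted(scans, key=lambda s: s.scanned_on)
    gaps = []
    for prev, curr in zip(ordered, ordered[1:]):
        delta = curr.scanned_on - prev.scanned_on
        if delta > MAX_SCAN_INTERVAL:
            gaps.append((prev.scanned_on, curr.scanned_on, delta.days))
    return gaps


def remediation_status(previous, current):
    """Compare failing findings between two scans: fixed, still open, newly seen."""
    prev = {(f.host, f.check_id) for f in failing_findings(previous)}
    curr = {(f.host, f.check_id) for f in failing_findings(current)}
    return {"fixed": prev - curr, "open": prev & curr, "new": curr - prev}


# Constructed sample data: three external scans over one year.
SCANS = [
    Scan(date(2015, 1, 15), [
        Finding("web01", "outdated-web-server", 7.5),
        Finding("web02", "ssl-weak-cipher", 4.3),
        Finding("web02", "http-banner-info", 2.0),
    ]),
    Scan(date(2015, 4, 10), [          # 85 days later: inside the quarter
        Finding("web02", "ssl-weak-cipher", 4.3),   # still open
        Finding("mail01", "open-relay-check", 5.0),  # new failing finding
        Finding("web02", "http-banner-info", 2.0),
    ]),
    Scan(date(2015, 8, 1), [           # 113 days later: cadence gap
        Finding("web02", "http-banner-info", 2.0),   # only low-risk noise left
    ]),
]


def report(scans):
    """Summarise pass/fail per scan, remediation between scans and cadence gaps."""
    ordered = sorted(scans, key=lambda s: s.scanned_on)
    return {
        "passes": [scan_passes(s) for s in ordered],
        "remediation": [remediation_status(a, b) for a, b in zip(ordered, ordered[1:])],
        "gaps": cadence_gaps(ordered),
    }


if __name__ == "__main__":
    for key, value in report(SCANS).items():
        print(key, value)
```

The comparison key is (host, check identifier) rather than the scanner's raw finding text, so a rephrased plugin description in a later scan is not mistaken for a remediated vulnerability; the cadence check is what turns a one-off clean scan into evidence that compliance was maintained across the year.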
Why Trustwave?
- Every PCI assessment requires the use of an ASV (approved scanning vendor).
- Every PCI assessment requires internal and external vulnerability scans to be performed.
- Every PCI assessment requires a penetration test to be performed.
- Every PCI assessment for Level 1 Service Providers requires onsite validation.
- Every PCI assessment for Level 1 Service Providers requires policies and procedures to be properly documented in the Report on Compliance.
Trustwave provides the complete spectrum of PCI services and solutions that help a customer achieve compliance and, more importantly, maintain that status going forward. We help customers make COMPLIANCE a BUSINESS AS USUAL activity.
PCI Compliance Credentials
- QSA since 2001: Visa CISP (2001), MasterCard SDP (2003), Discover DISC (2004), AMEX (2006)
- ASV (2003)
- PA QSA (2005)
- PFI (2005)
- P2PE (2012)
UNDISPUTED LEADERS IN PCI-DSS: Who do customers trust to assess & validate their compliance?
Source: Visa Registry of Global Service Providers (Jan 2013)
THANK YOU.