Card Data Discovery and PCI DSS
Transcript of Card Data Discovery and PCI DSS
Data Discovery and PCI DSS
By Kishor Vaswani, CEO - ControlCase
Agenda
• About Data Discovery
• PCI DSS Requirements and need for Data Discovery in the context of PCI DSS
• Challenges in the Data Discovery space
• Live Demo of ControlCase Data Discovery
• Q&A
1
About Data Discovery
Current Technology Environment
• Servers – Windows, Unix etc.
• Databases – SQL Server, Oracle etc.
• Email
• File systems
2
What is Data Discovery
• Ability to identify and pinpoint sensitive data across
› File Shares
› Servers
› Databases
› Email
› Log files
› Etc.
3
Why is it important
• GRC focuses on confidentiality, integrity and availability
• Confidentiality is always focused on “Data”
• Data that is sensitive must be protected; however, the first step of that is to know where the data resides
• Hence, it is important to identify where sensitive data resides
4
PCI DSS Requirements and Data Discovery
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
5
PCI DSS Requirements
Control Objectives and their Requirements:
Build and maintain a secure network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
  5. Use and regularly update anti-virus software on all systems commonly affected by malware
  6. Develop and maintain secure systems and applications
Implement strong access control measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Maintain an information security policy
  12. Maintain a policy that addresses information security
6
Requirement 3: Protect Stored Cardholder Data
You must ensure stored data is encrypted and protected.
7
PCI Council Advisory…
• Importance of Updating Scope for PCI DSS Assessments
There have been a number of high profile data compromises in the press recently. These reports serve as a daily reminder of the damage caused by compromises and of the need to keep business environments secure. Businesses evolve and change over time, and the scope of an entity's cardholder data environment must be reviewed and verified each time a PCI DSS assessment is undertaken. As has always been the case, many compromises are the result of businesses having data they weren't aware of. Please remember that scoping an assessment includes verifying that no cardholder data exists outside of the defined cardholder data environment. By ensuring the scope of an assessment is appropriate, the risk of data compromise is greatly reduced - a benefit to everyone involved.
8
Challenges in Data Discovery
Challenges
• Deployment and agents
› Can get expensive
› Technologically complicated
› Long deployment cycles
› Databases are a challenge
• False Positives
› Luhn’s formula narrows down candidates but is not foolproof
› Many schemes use Luhn’s formula to generate numbers
› Separators and delimiters change
9
Challenges
• Performance within production environments
› Database load
› Large number of records in databases
› Active directory scanning
› Emails storing cardholder data
• Tokenization
› Differentiation between tokens and real card numbers
• Exclusions
› Directories
› Files
› Extension types
› Tables/Columns
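The two challenge slides above (false positives, delimiters, tokens, exclusions) in working form. This is an added example, not the deck's content or ControlCase's product: the delimiter set, the token prefix, the excluded paths and the sample text are all constructed assumptions.

```python
import re

# Delimiters tolerated between digit groups; they vary by source, so configurable.
DELIMITERS = " -"
# Candidate PAN: 13 to 19 digits, at most one delimiter between digits.
PAN_RE = re.compile(rf"(?<!\d)(?:\d[{re.escape(DELIMITERS)}]?){{12,18}}\d(?!\d)")
# Constructed assumption: the tokenization vendor's format-preserving tokens
# start with this prefix. They pass Luhn too, so a separate rule is needed.
TOKEN_PREFIXES = ("9999",)
# Constructed exclusions mirroring the deck's directory/extension exclusions.
EXCLUDED_EXTENSIONS = (".exe", ".dll", ".jpg")
EXCLUDED_DIRS = ("/opt/tokenvault/",)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: narrows candidates but is not proof of a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_excluded(path: str) -> bool:
    """Skip files the scan policy excludes by extension or directory."""
    p = path.lower()
    return p.endswith(EXCLUDED_EXTENSIONS) or p.startswith(EXCLUDED_DIRS)

def classify(digits: str) -> str:
    """'luhn-fail' (false positive), 'token' (excluded) or 'pan' (finding)."""
    if not luhn_valid(digits):
        return "luhn-fail"
    return "token" if digits.startswith(TOKEN_PREFIXES) else "pan"

def scan_text(path: str, text: str):
    """(classification, masked digits) per candidate; masking keeps the scan
    report itself from becoming a new store of cardholder data."""
    if is_excluded(path):
        return []
    findings = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(rf"[{re.escape(DELIMITERS)}]", "", match.group())
        findings.append((classify(digits), "*" * (len(digits) - 4) + digits[-4:]))
    return findings

# Constructed sample: a well-known test PAN, a Luhn failure and a token.
SAMPLE = ("order 20240117 card 4111 1111 1111 1111 shipped\n"
          "fallback id 4111-1111-1111-1112\n"
          "stored token 9999111111111117\n")
```

Calling `scan_text("/data/orders.txt", SAMPLE)` reports one PAN, one Luhn failure and one token, while the same text under an excluded path or extension yields nothing.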
10
Features to look for – Agentless/Credential Based
11
Features to look for – Database Search Capability
12
Features to look for – Remediation support
13
Features to look for – Delimiter definition
14
Features to look for – Performance tuning
15
Features to look for – Token exclusion capability
16
Features to look for – File/Directory Exclusion
17
Why Choose ControlCase?
• Global Reach
› Serving more than 400 clients in 40 countries and rapidly growing
• Certified Resources
› PCI DSS Qualified Security Assessor (QSA)
› QSA for Point-to-Point Encryption (QSA P2PE)
› Certified ASV vendor
18
To Learn More About PCI Compliance or Data Discovery…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
• Kishor Vaswani (CEO) –
19
Demo of ControlCase Solution
Thank You for Your Time