Simplifying - Globalscapedynamic.globalscape.com/files/webinar_SimplifyingPCICompliance.pdf · 5....
www.globalscape.com © 2014 Globalscape, Inc. All Rights Reserved. 1
Simplifying Payment Card Industry Compliance
Agenda:
• What is PCI?
• Why do I need to worry about this?
• What changed in DSS 3.0?
• Are there Best Practices?
• Simplifying Compliance into Business-as-Usual
• Q&A
What is PCI?
• 12 requirements
• Affects applications that store, process, or transmit cardholder data
Source: PCI Security Standards Council: PCI DSS Quick Reference Guide
Who Must Comply with PCI?
Did you know?
• Sensitive authentication data cannot be stored
• Requirements apply when outsourcing payment operations or management
• Organizations outsourcing payment operations to third parties are responsible for ensuring account data is protected
PCI DSS 3.0 – New Requirements
New requirements cover:
• 6.5.6 – Insecure handling of PAN and SAD in memory
• 6.5.11 – Broken authentication and session management
• 8.5.1 – Unique authentication credentials for service providers with access to customer environments
• 9.9 – Protection of point-of-sale (POS) devices from tampering
• 11.3 – Developing and implementing a methodology for penetration testing
• 12.9 – Additional requirement for service providers on data security
Best Practices for Implementing PCI DSS into Business-as-Usual
1. Monitoring of security controls to ensure they are operating effectively and as intended.
2. Ensuring that all failures in security controls are detected and responded to in a timely manner.
3. Review changes to the environment prior to completion of the change.
4. Review the impact to PCI DSS scope and requirements.
5. Periodic reviews and communications should be performed to confirm that PCI DSS requirements are in place.
6. Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity’s security requirements, including PCI DSS.
Simplifying PCI Compliance
1. Monitor security controls
2. Detect and respond to failures
3. Review changes prior to completion of the change.
4. Review impact to scope and requirements.
5. Periodic reviews to confirm PCI DSS requirements.
6. Review hardware and software periodically to confirm that it meets security requirements.
Simplifying PCI Compliance
• If your data is located in the DMZ -- even temporarily -- it is easier for an external attacker to access this information.
• PCI DSS requires that all cardholder data reside in "an internal network zone, segregated from the DMZ and other untrusted networks" (para. 1.3.7).
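The zoning point above can be checked mechanically during the "review changes prior to completion" step. The script below is an added example, not part of the Globalscape deck: it takes a constructed host inventory (zone plus whether the host holds cardholder data) and a constructed set of firewall allow rules, then flags cardholder data sitting in the DMZ and any internal host the untrusted side can reach without passing through the DMZ. Host names, zones, and rules are all hypothetical.

```python
from collections import deque

# Constructed inventory (hypothetical hosts): name -> (zone, stores cardholder data)
HOSTS = {
    "edge-ftp": ("dmz", False),
    "dmz-drop": ("dmz", True),       # CHD staged in the DMZ, even temporarily
    "app-01":   ("internal", False),
    "chd-db":   ("internal", True),
}

# Constructed firewall allow rules as (source, destination); "internet" is untrusted.
ALLOW = [
    ("internet", "edge-ftp"),
    ("internet", "dmz-drop"),
    ("edge-ftp", "app-01"),
    ("app-01", "chd-db"),
    ("internet", "chd-db"),          # direct path from untrusted side to an internal CHD host
]

def chd_in_dmz(hosts=HOSTS):
    """Hosts holding cardholder data while sitting in the DMZ (contrary to 1.3.7)."""
    return sorted(h for h, (zone, chd) in hosts.items() if zone == "dmz" and chd)

def direct_untrusted_access(hosts=HOSTS, allow=ALLOW, untrusted="internet"):
    """Allow rules that let the untrusted side reach an internal host with no DMZ hop."""
    return [(s, d) for s, d in allow
            if s == untrusted and hosts.get(d, ("", False))[0] == "internal"]

def exposure_hops(hosts=HOSTS, allow=ALLOW, untrusted="internet"):
    """Breadth-first search over allow rules: fewest rule hops from the untrusted
    side to each cardholder-data host (None if unreachable)."""
    dist = {untrusted: 0}
    queue = deque([untrusted])
    while queue:
        node = queue.popleft()
        for s, d in allow:
            if s == node and d not in dist:
                dist[d] = dist[node] + 1
                queue.append(d)
    return {h: dist.get(h) for h, (_, chd) in hosts.items() if chd}

def findings(hosts=HOSTS, allow=ALLOW):
    """Human-readable zoning findings for the given inventory and rules."""
    out = [f"cardholder data stored in DMZ: {h}" for h in chd_in_dmz(hosts)]
    out += [f"untrusted side reaches internal host directly: {s} -> {d}"
            for s, d in direct_untrusted_access(hosts, allow)]
    out += [f"cardholder-data host {h} is one hop from the untrusted side"
            for h, n in exposure_hops(hosts, allow).items() if n == 1]
    return out

if __name__ == "__main__":
    for line in findings():
        print(line)
```

Removing the direct `internet -> chd-db` rule drops `chd-db` to three hops (internet, DMZ, application tier, database), which is the segregation the requirement describes.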
Summary
To Simplify PCI Compliance:
1. Implement PCI DSS into Business-as-Usual – PCI compliance is a process, not an event.
2. Reduce scope – consolidate processes, where possible.
3. Select applications that integrate easily with authentication protocols and are designed to satisfy PCI stipulations.
4. Work with vendors and partners who understand PCI requirements and stay current with changes.
Any Questions?
Thank You!