Simplifying Payment Card Industry Compliance

Transcript of the Globalscape webinar deck "Simplifying PCI Compliance" (16 slides), source: dynamic.globalscape.com/files/webinar_SimplifyingPCICompliance.pdf

www.globalscape.com © 2014 Globalscape, Inc. All Rights Reserved.


Agenda:

• What is PCI?

• Why do I need to worry about this?

• What changed in DSS 3.0?

• Are there Best Practices?

• Simplifying Compliance into Business-as-Usual

• Q&A


What is PCI?

• 12 high-level requirements, grouped under six control objectives
• Applies to every system component (applications included) that stores, processes, or transmits cardholder data

Source: PCI Security Standards Council: PCI DSS Quick Reference Guide


Who Must Comply with PCI?

Did you know?

• Sensitive authentication data (SAD) must not be stored after authorization, even if encrypted.
• The requirements still apply when payment operations or their management are outsourced.
• Organizations outsourcing payment operations to third parties remain responsible for ensuring that account data is protected.

PCI DSS 3.0 – New Requirements

New requirements cover:

• 6.5.6 – Insecure handling of PAN and SAD in memory
• 6.5.11 – Broken authentication and session management
• 8.5.1 – Unique authentication credentials for service providers with access to customer environments
• 9.9 – Protection of point-of-sale (POS) devices from tampering and substitution
• 11.3 – Developing and implementing a methodology for penetration testing
• 12.9 – Additional requirement for service providers on data security

(The numbering above follows the pre-release draft of DSS 3.0. In the published standard, broken authentication and session management is requirement 6.5.10, and the draft's in-memory PAN/SAD handling item was not retained as a numbered requirement.)
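The 6.5.6 bullet above names insecure in-memory handling of PAN and SAD, but the deck shows no code. The C program below is an added example, not from the Globalscape deck or any Globalscape product: it masks a PAN to at most the first six and last four digits before it can reach a log (the maximum PCI DSS 3.3 allows to be displayed) and scrubs the PAN and CVV buffers through a volatile pointer so the compiler cannot discard the wipe. The function names, the masking policy and the sample card number (a commonly published test number, constructed here, not real card data) are assumptions for illustration.

```c
/* Added example, not from the Globalscape deck: minimal handling of a PAN and
 * sensitive authentication data (SAD) in memory. Function names, the masking
 * policy and the sample card number are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead (a plain memset just before return is often elided). */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Mask a PAN for display or logging: keep the first six and last four digits,
 * replace the rest with 'X'. Returns 0 on success, -1 if the input is not a
 * 13..19 digit PAN or out is too small. */
static int mask_pan(const char *pan, char *out, size_t out_len)
{
    size_t len = strlen(pan);
    if (len < 13 || len > 19 || out_len < len + 1) {
        return -1;
    }
    for (size_t i = 0; i < len; i++) {
        if (pan[i] < '0' || pan[i] > '9') {
            return -1;
        }
        out[i] = (i < 6 || i >= len - 4) ? pan[i] : 'X';
    }
    out[len] = '\0';
    return 0;
}

/* Returns 1 if every byte of the buffer is zero, else 0. */
static int is_zeroed(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Simulate one authorization: PAN and CVV are copied into stack buffers,
 * "used", then scrubbed before the function returns. The CVV (SAD) is never
 * written anywhere persistent, and only the masked PAN goes to log_line.
 * Returns 1 if the call succeeded and both buffers were verified scrubbed. */
static int authorize_and_scrub(const char *pan, const char *cvv,
                               char *log_line, size_t log_len)
{
    unsigned char pan_buf[20];  /* up to 19 digits + NUL */
    unsigned char cvv_buf[5];   /* 3 or 4 digits + NUL */
    size_t pan_n = strlen(pan), cvv_n = strlen(cvv);
    int ok;

    if (pan_n >= sizeof pan_buf || cvv_n >= sizeof cvv_buf) {
        return 0;
    }
    memcpy(pan_buf, pan, pan_n + 1);
    memcpy(cvv_buf, cvv, cvv_n + 1);

    /* ... the buffers would be sent to the acquirer here ... */

    /* Only the masked form is allowed to reach a log entry. */
    ok = mask_pan((const char *)pan_buf, log_line, log_len) == 0;

    secure_zero(pan_buf, sizeof pan_buf);
    secure_zero(cvv_buf, sizeof cvv_buf);
    return ok && is_zeroed(pan_buf, sizeof pan_buf)
              && is_zeroed(cvv_buf, sizeof cvv_buf);
}

int main(void)
{
    char log_line[32];
    /* Constructed test PAN, not real card data. */
    int ok = authorize_and_scrub("4111111111111111", "123",
                                 log_line, sizeof log_line);
    printf("scrubbed=%d log=%s\n", ok, log_line);
    return ok ? 0 : 1;
}
```

The classic failure this guards against is a plain `memset` on a buffer that is never read again: the optimizer removes the stores and the card data stays on the stack. Where available, `memset_s` or `explicit_bzero` do the same job as `secure_zero` here.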

Best Practices for Implementing PCI DSS into Business-as-Usual

1. Monitor security controls to ensure they are operating effectively and as intended.

2. Ensure that all failures in security controls are detected and responded to in a timely manner.

3. Review changes to the environment prior to completion of the change.

4. Review the impact of organizational changes (for example, a merger or acquisition) to PCI DSS scope and requirements.

5. Perform periodic reviews and communications to confirm that PCI DSS requirements are in place.

6. Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity's security requirements, including PCI DSS.

Simplifying PCI Compliance

1. Monitor security controls.

2. Detect and respond to failures.

3. Review changes prior to completion of the change.

4. Review impact to scope and requirements.

5. Perform periodic reviews to confirm PCI DSS requirements are in place.

6. Review hardware and software periodically to confirm that they meet security requirements.


• If cardholder data is located in the DMZ, even temporarily, it is easier for an external attacker to reach it.

• PCI DSS requirement 1.3.7 therefore requires that system components that store cardholder data (such as a database) be placed in "an internal network zone, segregated from the DMZ and other untrusted networks".


Summary

To Simplify PCI Compliance:

1. Implement PCI DSS into Business-as-Usual – PCI compliance is a process, not an event.

2. Reduce scope – consolidate processes, where possible.

3. Select applications that integrate easily with existing authentication protocols and are designed to satisfy PCI stipulations.

4. Work with vendors and partners who understand PCI requirements and stay current with changes.


Any Questions?


Thank You!