PCI: SHRINK TO FIT
Expectations
THE STANDARD
6 Goals
12 Requirements
288 Controls
THE STRUCTURE
The PCI DSS standard is based upon the following 6 core principles and 12 requirements (288 controls in total):
Build and Maintain a Secure Network
• Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
• Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
• Requirement 3: Protect stored cardholder data.
• Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
• Requirement 5: Use and regularly update anti-virus software.
• Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
• Requirement 7: Restrict access to cardholder data by business need-to-know.
• Requirement 8: Assign a unique ID to each person with computer access.
• Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
• Requirement 10: Track and monitor all access to network resources and cardholder data.
• Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
• Requirement 12: Maintain a policy that addresses information security.
THE APPROACH
• Risk-based prioritisation of implementation of the controls
• Milestone 1: Identify what you have, where you have it and write policies to protect it.
• Milestone 2: Network integrity
• Milestone 3: Code integrity
• Milestone 4: Logs & records
• Milestone 5: Incidents
• Milestone 6: Auditing & testing
THE SCOPE
• Any systems that process, store or transmit cardholder data (credit or debit)
• Any systems that connect to them
#1 DISCOVER & DOCUMENT
IDENTIFY LEAKAGE
Data Loss vectors:
Endpoint
• Laptop / Desktop, Server, CD / DVD
• USB, iPod, Memory Stick
• PCMCIA, Memory Card Readers
• Communication: Bluetooth, Infrared, Firewire, Serial / Parallel Ports
• Virtual Machine
Social Engineering / Other Threat Vectors
• Screen Scrapers, Trojans, Key Loggers, Phishing / Spear Phishing
• Piggybacking, Dumpster (Skip) Diving
• Contractors, Road Apple
• Eavesdropping
Data-In-Motion
• E-Mail, HTTP/S
• SSH, FTP
• IM, VoIP, P2P
• Blogs
Data-At-Rest
• Databases, File Systems
• File Servers, NAS
• SANs / iSCSI Storage, Voice Mail
• Video Surveillance
Physical
• Printers, Backup Tapes / CD / DVD, Laptop / Desktop / Server
• Fax, Photocopier, Mobile Phone / PDA
• Digital Camera (incl. Mobile Phone Cameras)
• Incorrect Disposal, Printed Reports
#2 DESTROY & DE-SCOPE
• Both hard & soft copies
• If you don’t need it – delete it.
• Take your time.
• Use your CDE map.
• Stakeholders sign off
• Remember: VoIP & mail servers, MS Outlook archives, fax, scanner & copier memory cards
• Include 3rd parties & backup systems
• Be ruthless (without Ruth)
#3 OUTSOURCE & OVERSIGHT
• What can you outsource?
• Risk transference vs. risk mitigation
• Compliance requirement in SLA
• Should not be cost plus
• See proof (ask for a copy of their RoC)
• Conduct annual onsite audit
• Still need a program
• The liability is still yours
#4 SEPARATE & SEGMENT
• Led by “need to know”
• Always ask: Why?
• Should not be vendor led
• Firewall, VLAN, software…
• Subnets
• Wireless networks
• 3rd party suppliers!
“Any systems connected” to the CDE
POINT-2-POINT ENCRYPTION
ENCRYPTION
• Card brand specific technology requirements
• PoS configuration requirements
• Bank-owned vs. Merchant-owned devices
• Compliance requirement in contract & SLA
• Who’s responsible for a breach?
• Still have compliance validation requirement
#5 TOKENISE
• Can significantly downsize scope
• Card data replaced by “token” (surrogate value)
• Card data stored in centralised vault
• Servers processing, storing or transmitting cardholder data: in scope
• Servers processing, storing or transmitting surrogate values: not in scope
MODEL
TOKENISATION
• Where tokens and card data meet = in scope
• Tokenisation hosting solution critical
• Be careful of “hybrid” solutions
• See PCI Standards Council site for guidance
• Test the solution!
• This is no silver bullet
• Validation still required
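As an added example (not from the presentation) of how the #4 Separate & Segment and #5 Tokenise rules combine, the following Python applies the deck's scoping rules to a constructed merchant inventory and computes which systems remain in scope before and after tokenisation; every system name, data type and network link is an assumption made for illustration.

```python
# Added example, not from the presentation: a PCI DSS scope calculator that
# applies the slides' rules to a system inventory. In scope: every system that
# processes, stores or transmits cardholder data (the CDE) plus any system
# connected to one; token-only systems stay out unless they connect to the CDE.
# All system names, data flows and network links below are constructed.
CARD_DATA = "pan"    # primary account number (cardholder data)
TOKEN = "token"      # surrogate value issued by the tokenisation vault


def compute_scope(systems, links):
    """systems: {name: set of data it handles}; links: (a, b) connection pairs.
    Returns {system: reason} for every in-scope system."""
    cde = {name for name, data in systems.items() if CARD_DATA in data}
    in_scope = {name: "CDE: handles cardholder data" for name in cde}
    for a, b in links:                       # "any systems connected" rule
        for system, peer in ((a, b), (b, a)):
            if peer in cde and system not in in_scope:
                in_scope[system] = f"connected to CDE system {peer}"
    return in_scope


def tokenise_inventory(systems, vault, capture_points):
    """#5 Tokenise: card data stays only in the vault and at the capture
    points (where the card is read); everything else now handles tokens."""
    out = {}
    for name, data in systems.items():
        keep_pan = name in capture_points
        out[name] = {d if keep_pan or d != CARD_DATA else TOKEN for d in data}
    out[vault] = {CARD_DATA}
    return out


# Constructed merchant inventory before any scope reduction.
INVENTORY = {"pos_terminal": {CARD_DATA}, "web_shop": {CARD_DATA, "orders"},
             "order_db": {CARD_DATA, "orders"}, "reporting": {"orders"},
             "hr_system": {"payroll"}}
LINKS = [("pos_terminal", "web_shop"), ("web_shop", "order_db"),
         ("order_db", "reporting"), ("reporting", "hr_system")]


def before_and_after():
    """Scope before, and after tokenising plus re-segmenting (#4) so the
    terminal talks only to the vault, which hands a token to the shop."""
    before = compute_scope(INVENTORY, LINKS)
    after_inv = tokenise_inventory(INVENTORY, "token_vault", {"pos_terminal"})
    after_links = [("pos_terminal", "token_vault"), ("token_vault", "web_shop"),
                   ("web_shop", "order_db"), ("order_db", "reporting"),
                   ("reporting", "hr_system")]
    return before, compute_scope(after_inv, after_links)
```

Running `before_and_after()` shrinks scope from four systems to three: the shop stays in because it connects directly to the vault (where tokens and card data meet), while the order database and reporting server drop out. The HR system was never in scope because it only connects to a non-CDE system.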
5 WAYS TO REDUCE PCI
#1 Discover & Document
#2 Destroy & De-scope
#3 Outsource & Oversight
#4 Separate & Segment
#5 Tokenisation
BEST WAY
Understand that the PCI DSS is a “risk management framework”
Not a checklist
www.riskfactory.com
0800 978 8139
A DIFFERENT PERSPECTIVE FROM:
www.riskfactory.com
0800 978 8139