Kennet Westby
President and Co-Founder
PCI DSS 3.0 Update
Enough is enough
Compliance | Security | Risk Management
Compliance does not equal Security
• It’s time to take a look at comprehensive risk
management
» What is the health of your organization’s data
security program?
» The focus should be on protecting your
relationship with your customers and their PFI
» Ensure risk assessments are being
performed and cover all card processes
• Don’t follow the SAQ as a guideline for appropriate card
data risk management
• Are you aware of all sensitive assets involved in payment
processes?
• Are you aware of the threats?
• If you had to look beyond the PCI DSS to mitigate risk, where
would you start?
New Standards are Forcing the Issue
• Major changes in the DSS 3.0 focus on
continuous compliance and ongoing
diligence in security operations
• Don’t be compliant with your assessment;
be compliant with the standards
• Compliance depends on day-in, day-out
adherence to control operations
• Can you do more? Leverage good risk
management practices to identify areas of
weakness and opportunities for
improvement
PCI DSS 3.0 – Scope and Segmentation
It’s important to review the guidance on how to accurately determine
the scope of a PCI DSS engagement and the intent of segmentation.
Systems that provide security services to
the CDE = “In Scope”
As per the PCI SSC
“Segmentation = Isolation”
Scope Identification Process
(for assessed organizations)
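The scoping rule on this slide (CDE systems, systems connected to the CDE, and systems that provide security services to the CDE are in scope; "segmentation = isolation", so only a system with no path to the CDE is out) can be applied mechanically over a system inventory. The following is an added example in Python, not code from the presentation or from Coalfire. The host inventory and the list of permitted flows are constructed, and the "indirect (review)" tier for hosts that are reachable from the CDE only through another in-scope host is a label chosen for this example: such hosts are not isolated, so they cannot simply be declared out of scope.

```python
"""PCI DSS scope identification by reachability over a system inventory.

Added example (not from the presentation).  Rule set, per the slide:
  - systems that store, process or transmit cardholder data form the CDE;
  - systems with a permitted network flow to or from the CDE are
    "connected-to"; if they also provide security services to the CDE
    they are "security-impacting"; both are in scope;
  - "segmentation = isolation": a system is out of scope only if no
    permitted flow path reaches it from any CDE system.  Systems reached
    only through another in-scope system are tagged "indirect (review)",
    a label chosen for this example.
"""
from collections import defaultdict, deque

# Constructed inventory: host -> attributes.  "security_service" marks hosts
# that provide authentication, logging or similar services to other hosts.
INVENTORY = {
    "pos-terminal":  {"cde": True,  "security_service": False},
    "payment-app":   {"cde": True,  "security_service": False},
    "card-db":       {"cde": True,  "security_service": False},
    "domain-ctrl":   {"cde": False, "security_service": True},
    "siem":          {"cde": False, "security_service": True},
    "jump-host":     {"cde": False, "security_service": False},
    "hr-app":        {"cde": False, "security_service": False},
    "hr-db":         {"cde": False, "security_service": False},
    "marketing-web": {"cde": False, "security_service": False},
}

# Constructed list of flows permitted by the firewall rule base (initiator, responder).
# Anything not listed is assumed blocked; that assumption is exactly what a
# segmentation test (11.3) has to confirm.
FLOWS = [
    ("pos-terminal", "payment-app"),
    ("payment-app", "card-db"),
    ("payment-app", "domain-ctrl"),   # CDE hosts authenticate against the domain
    ("card-db", "siem"),              # log forwarding out of the CDE
    ("jump-host", "card-db"),         # administrative access into the CDE
    ("domain-ctrl", "hr-app"),        # the same domain controller also serves HR
    ("hr-app", "hr-db"),
]


def adjacency(flows):
    """Undirected graph: for scoping, a flow in either direction is connectivity."""
    adj = defaultdict(set)
    for a, b in flows:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def hops_from_cde(inventory, adj):
    """Breadth-first search from every CDE host; returns {host: hop count}."""
    hops = {h: 0 for h, attrs in inventory.items() if attrs["cde"]}
    queue = deque(hops)
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def classify(inventory, flows):
    """Map every host to CDE / security-impacting / connected-to / indirect (review) / out-of-scope."""
    hops = hops_from_cde(inventory, adjacency(flows))
    result = {}
    for host, attrs in inventory.items():
        if attrs["cde"]:
            result[host] = "CDE"
        elif host not in hops:
            result[host] = "out-of-scope"        # isolated: no path from any CDE host
        elif hops[host] == 1 and attrs["security_service"]:
            result[host] = "security-impacting"
        elif hops[host] == 1:
            result[host] = "connected-to"
        else:
            result[host] = "indirect (review)"   # reachable, therefore not isolated
    return result


def in_scope(inventory, flows):
    """Hosts the assessment must cover (everything that is not isolated)."""
    return sorted(h for h, tier in classify(inventory, flows).items() if tier != "out-of-scope")


if __name__ == "__main__":
    for host, tier in sorted(classify(INVENTORY, FLOWS).items(), key=lambda kv: kv[1]):
        print(f"{tier:20} {host}")
```

The shared domain controller is the instructive case: it is in scope as a security-impacting system, and because it also talks to the HR application, HR is no longer isolated from the CDE. Adding one undocumented rule such as marketing-web to card-db turns an out-of-scope host into a connected-to one, which is why the rule base, not the network diagram, is the input to use.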
PCI DSS 3.0 – New Reporting Template
Guidance as to the intent of each PCI DSS requirement is now included within
the standard itself. The “Guidance” column helps clarify the PCI SSC’s intent
for each and every requirement.
Mandatory Reporting Template
For 3.0 assessments, QSAs must submit all Reports
on Compliance (ROCs) on the new, SSC-controlled
3.0 Reporting Template.
Control Re-Numbering
Many requirements have been consolidated
and/or renumbered, which has cleaned up the
requirements table considerably.
Section-Specific Policy Requirements
Security policies and daily operational procedures (formerly requirements 12.1.1 and
12.2) have been given their own requirement in each of the PCI DSS Sections (at the
end of each).
Critical Changes to Existing Requirements –
Requirement 3 – Protect Stored Data
Tighter definition of who may access keys, and improved
key-management process recommendations
Strengthened key access controls: split knowledge and
dual control for manual clear-text key-management operations
Clarified intent of “unrecoverable data”
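What "split knowledge" and "dual control" mean in practice for the key-management changes above is easiest to see in code. The following is an added example in Python, not code from the presentation or from Coalfire. It uses the XOR key-component approach: each custodian holds one random-looking component, every component is needed to rebuild the key, and any subset short of the full set reveals nothing about it. The check value is a truncated SHA-256 chosen for this example; a production key check value would be computed with the key's own block cipher, which this example does not implement.

```python
"""Split knowledge and dual control for a clear-text key-management operation.

Added example (not from the presentation).  A key-encrypting key is split into
XOR components, one per custodian.  Every component is needed to rebuild the
key, and any subset short of the full set is indistinguishable from random,
so no single custodian ever knows the key (split knowledge), and the ceremony
only proceeds when all custodians are present (dual control).
"""
import hashlib
import secrets


def xor_bytes(*parts: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(parts[0]))
    for part in parts:
        if len(part) != len(out):
            raise ValueError("component length mismatch")
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def check_value(key: bytes) -> str:
    """Short check value used to confirm a combined key without revealing it.
    Assumption: truncated SHA-256 here; a production KCV is computed with the
    key's own block cipher, which this example does not implement."""
    return hashlib.sha256(key).hexdigest()[:6]


def split_key(key: bytes, custodians: int) -> list[bytes]:
    """Produce one random-looking component per custodian; their XOR is the key."""
    if custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    components.append(xor_bytes(key, *components))   # last one makes the XOR come out to `key`
    return components


def combine_key(components: list[bytes], expected_kcv: str) -> bytes:
    """Recombine components under dual control; refuse unless the KCV matches,
    which catches a missing or mistyped component before the key is ever used."""
    key = xor_bytes(*components)
    if check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: a component is wrong or missing")
    return key


if __name__ == "__main__":
    kek = secrets.token_bytes(32)                    # AES-256 key-encrypting key
    kcv = check_value(kek)
    parts = split_key(kek, 3)
    for n, part in enumerate(parts, 1):
        # each custodian records only their own component and its own check value
        print(f"custodian {n}: component={part.hex()} kcv={check_value(part)}")
    assert combine_key(parts, kcv) == kek
    try:
        combine_key(parts[:2], kcv)                  # two of three custodians: refused
    except ValueError as err:
        print("partial ceremony refused:", err)
```

The point for an assessor is the failure mode: with two of three custodians present, recombination yields a wrong key and the check value refuses it, so the operation cannot be completed by a subset of custodians, and nobody who writes down a single component has written down the key.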
Critical Changes to Existing Requirements
Requirement 6.6 Flexibility
Added options to the interpretation of this
requirement by changing “web-application
firewall” to “automated technical solution that
detects and prevents web-based attacks”.
Critical Changes to Existing Requirements –
Requirement 7, Restrict Access to Cardholder Data
Requirement 7 Flexibility
Additional focus and sub controls
on restricting privileged user
access
PCI DSS 3.0 – Critical Changes to Existing
Requirements
Password Complexity Flexibility
Password complexity and strength
requirements have been combined into
a single requirement and the PCI SSC
has now allowed for some flexibility in
meeting these requirements.
More Critical Changes to Existing Requirements
Requirement 10, Track and Monitor Access
New Logging Events
Enhanced logging requirement
to include stopping or pausing
of the audit logs.
Log Reviews for Critical Components
Daily or continuous log reviews have been split into
two categories: Critical systems and
“Everything else”.
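The two Requirement 10 changes above (log the stopping or pausing of the audit logs; review critical systems daily and everything else periodically) translate directly into triage logic. The following is an added example in Python, not code from the presentation or from Coalfire. The record format and the sample lines are constructed; the indicators it keys on (auditd `DAEMON_END`/`DAEMON_ABORT` records, Windows event IDs 1100, 1102 and 4719) are real, and the critical-host list is an assumption standing in for the assessed CDE.

```python
"""Triage of audit-log records for PCI DSS 3.0 Requirement 10.

Added example (not from the presentation).  Two things the slide calls out:
  10.2.6        log the initialization, stopping or pausing of the audit logs;
  10.6.1/10.6.2 review logs of critical/CDE systems daily, everything else periodically.
The parser is for a constructed single-line format; the audit-stop indicators
(auditd DAEMON_END/DAEMON_ABORT, Windows event IDs 1100, 1102, 4719) are real,
the sample lines are made up.
"""
import re

# Hosts in the CDE or providing security services to it (constructed list)
CRITICAL_HOSTS = {"card-db", "payment-app", "domain-ctrl"}

# Records meaning the audit trail itself was stopped, cleared or reconfigured
LINUX_AUDIT_STOP = {"DAEMON_END", "DAEMON_ABORT"}
WINDOWS_AUDIT_STOP = {
    "1100": "event logging service shut down",
    "1102": "audit log cleared",
    "4719": "system audit policy changed",
}

# Constructed sample records: "<timestamp> <host> <source>: <message>"
SAMPLE_LOGS = """\
2014-03-01T02:10:44Z card-db auditd: type=DAEMON_END msg=audit(1393639844.000:1): auditd normal halt, sending auid=0 pid=2211 res=success
2014-03-01T02:11:02Z card-db sshd: Accepted publickey for dba from 10.0.5.21 port 50222 ssh2
2014-03-01T02:12:00Z domain-ctrl Microsoft-Windows-Eventlog: EventID=1102 The audit log was cleared. Subject: DSNOWMAN
2014-03-01T02:13:30Z hr-app nginx: 10.0.8.4 - - "GET /index.html HTTP/1.1" 200
2014-03-01T02:14:10Z hr-app auditd: type=DAEMON_ABORT msg=audit(1393640050.000:1): auditd error halt, auid=4294967295 pid=801 res=failed
2014-03-01T02:15:00Z payment-app payd: batch 4471 settled, 212 transactions
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$")


def parse(line):
    """Return a dict for one record, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def audit_stop_reason(rec):
    """Name the audit-trail event if the record is one, else None."""
    m = re.search(r"type=(\w+)", rec["msg"])
    if m and m.group(1) in LINUX_AUDIT_STOP:
        return f"auditd {m.group(1)}"
    m = re.search(r"EventID=(\d+)", rec["msg"])
    if m and m.group(1) in WINDOWS_AUDIT_STOP:
        return f"Windows {m.group(1)}: {WINDOWS_AUDIT_STOP[m.group(1)]}"
    return None


def triage(text):
    """Split records into alert / daily-review / periodic-review queues."""
    queues = {"alert": [], "daily": [], "periodic": []}
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reason = audit_stop_reason(rec)
        if reason:
            # 10.2.6 events are an alert on any in-scope host, not only critical ones
            queues["alert"].append((rec["host"], reason))
        elif rec["host"] in CRITICAL_HOSTS:
            queues["daily"].append((rec["host"], rec["source"]))      # 10.6.1
        else:
            queues["periodic"].append((rec["host"], rec["source"]))   # 10.6.2
    return queues


if __name__ == "__main__":
    for queue, items in triage(SAMPLE_LOGS).items():
        print(queue, items)
```

Note that the audit-daemon stop on hr-app, a non-critical host, still lands in the alert queue: the "everything else" relaxation in 10.6.2 is about routine review cadence, and an audit trail going quiet is the one event a periodic review is guaranteed to miss.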
Renewed Emphasis on Security Management
• Awareness and testing of CDE
Boundaries and Approved Connections
(in AoC, 11.3)
• Periodic Evaluation of Antivirus Controls
(5.1.2)
• Awareness of Access Roles and Privileges
Required (7.1, 7.1.1)
• Device tampering detection procedures
& education (9.9)
• Point-of-Interaction Inventories (9.9.1.a)
• Expanded penetration tests (11.3)
• Service Provider Management (DSS
12.8.x)
How Strong is your IT Risk Management Program?
• Risk assessment should be used to
identify areas of improvement beyond
compliance
• Take a data-centric approach to security
to get the greatest risk-management benefit
• Defense in depth
• Physical and logical access controls in
place
• Sufficient network segmentation
• SIEM solutions
• Encryption and/or tokenization
What would your security
controls program look like?
This…
Or this…
Ryan Holland – Sr Manager, Partner Solution Architects
Security is a shared responsibility between AWS and our
customers

Managed by AWS (the lower layers of the diagram):
• Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
• Culture of security and continual improvement
• Ongoing audits and assurance
• Protection of large-scale service endpoints

Managed by customers (the upper layers of the diagram):
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
• Customers configure AWS security features
• Get access to a mature vendor marketplace
• Can implement and manage their own controls
• Gain additional assurance above AWS controls
Customers retain ownership of their intellectual property and content
• Customers manage their privacy objectives how they choose to
• Select the AWS geographical Region and no automatic replication elsewhere
• Customers can encrypt their content, retain management and ownership of keys
and implement additional controls to protect their content within AWS
The security of our services and customers is key to AWS
• Security starts at the top in Amazon with a dedicated CISO and strong
cultural focus
• Dedicated internal teams constantly looking at the security of our services
• AWS support personnel have no access to customer content
Customers retain full ownership and control of their content
Every customer has access to the same security capabilities
AWS maintains a formal control environment
• SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
• SOC 2 Security
• ISO 27001 Certification
• Certified PCI DSS Level 1 Service Provider
• FedRAMP (FISMA), ITAR, FIPS 140-2
• HIPAA and MPAA capable
PCI DSS Level 1 Service Provider
PCI DSS 2.0 compliant (Level 1 is >300,000 transactions/year, the
highest level)
14 services in scope (Aug 2013):
– EC2, EBS, S3, VPC, RDS, ELB, IAM, Glacier, Direct Connect, DynamoDB,
SimpleDB, Elastic Map Reduce, and new in 2013: CloudHSM, Redshift
Covers public services; no special configuration/options
Leverage the work of our QSA
AWS will work with merchants and designated Qualified Incident
Response Assessors (QIRA)
– can support forensic investigations
Includes all global regions
Yearly refresh cycle
PCI DSS Level 1 Service Provider
AWS provides customers and customers’
auditors with:
– Attestation of Compliance
– PCI Responsibility Summary
AWS partners can help you build secure solutions
AWS provides: facilities, physical security, compute infrastructure,
storage infrastructure, network infrastructure, virtualization layer (EC2),
hardened service endpoints, fine-grained IAM capability
+ AWS partner solutions (these products and more are available on the AWS
Marketplace: WAF, VPN, IPS, AV, API gateways, data encryption, user management)
= Your secure AWS solutions
Prevent loss of sensitive data and complete PCI audits at a lower TCO
with highly secure server encryption and key management.
Proven PCI 3.0 compliance with stronger data security
Sol Cates
Chief Security Officer
Vormetric
Vormetric Protects Cardholder Information
• Requirement 3: Protect stored cardholder data
• Requirement 7: Restrict access to cardholder data by business need to know
• Requirement 10: Track and monitor all access to network resources and cardholder data
Vormetric Data Security Platform
Simple, efficient solution for the lowest TCO data-at-rest security
• Vormetric Transparent Encryption (structured databases, unstructured files, big data):
  file and volume level encryption, access control
• Vormetric Application Encryption (applications, big data): field level data encryption
• Vormetric Key Management: KMIP compliant, Oracle and SQL Server TDE, certificate storage
• Vormetric Security Intelligence: Splunk, HP ArcSight, IBM QRadar, LogRhythm
• Vormetric Data Security Manager: key and policy manager
Encryption and Key Management
DSM in the cloud or on the customer premises, supporting Requirement 3
Diagram: the Vormetric Data Security Manager holds policies, keys and logs and serves
virtual or physical servers both in the cloud and in the enterprise data center
environment, connected over a VPN link.
• Enforce separation of provider and enterprise responsibilities
• Extensible to multiple cloud providers and traditional servers
• Pay as you grow, deploy licenses on demand
• Customer is always the custodian of policies and keys
Vormetric Transparent Encryption
Simplified encryption and access control for Requirement 7
Diagram: the Vormetric Data Security Manager (DSM, on enterprise premises or in the
cloud, as a virtual or physical appliance) pushes policy to an agent that sits between
the file systems / volume managers and the storage, covering big data, databases or files.
For each access by a user, application or database the agent decides allow/block and
encrypt/decrypt, and sends the resulting logs to a SIEM (Vormetric Security Intelligence).
• Approved processes and users see clear text (“John Smith, 401 Main Street”)
• Privileged users and cloud provider / outsource administrators see only
  encrypted data (“*$^!@#)( -|”_}?$%- :>>”)
• Encryption
• Access Control
• Security Intelligence
Vormetric Security Intelligence
Supporting Requirement 10
Log and audit data access, in support of:
• Alarming on abnormal access patterns
• Identifying compromised users, administrators and applications
• Accelerating APT and malicious insider recognition
• Compliance and contractual mandate reporting
Verizon 2013 Data Breach Investigations Report: 66% of breaches took months,
or even years, to discover; 69% of breaches were spotted by an external party,
and 9% were spotted by customers.
Example Security Intelligence event:
Admin Dirk Snowman, impersonating user steve, attempted to read this file and was
denied access because he violated this policy.
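The transparent-encryption slide (approved processes and users get clear text, privileged users and outsourced administrators get ciphertext, everything logged to the SIEM) and the sample event above describe one policy engine. The following is an added example in Python of that engine, not Vormetric's code; the guard point, policy rules, user names, process paths and access attempts are all constructed. The design choice worth noticing is that rules match on the authenticated login identity rather than the effective uid, which is what makes the admin-impersonates-steve event a denial instead of a grant.

```python
"""Guard-point policy evaluation with audit logging (Requirements 7 and 10).

Added example (not Vormetric's code).  It models what the slides describe:
a policy on a protected path decides, for each (user, process, action),
whether access is permitted with clear text, permitted with ciphertext
only (privileged users and outsourced administrators), or denied, and
every decision is emitted as a log record for the SIEM.  Rules match on
the authenticated login identity, so an administrator who switches user
(su/sudo) to a permitted account does not inherit that account's
clear-text access.  Policy, users, paths and events are all constructed.
"""
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    user: str          # authenticated login name, or ANY
    process: str       # executable path, or ANY
    actions: frozenset
    effect: str        # "permit" (clear text), "ciphertext" (encrypted bytes only), "deny"


# Constructed policy for the guard point /data/cards; first matching rule wins,
# anything unmatched is denied.
POLICY_NAME = "cards-guard"
POLICY = [
    Rule("payment-svc", "/opt/payapp/bin/payd", frozenset({"read", "write"}), "permit"),
    Rule("steve", "/usr/bin/reportgen", frozenset({"read"}), "permit"),
    Rule("backup", "/usr/bin/rsync", frozenset({"read"}), "ciphertext"),  # backups copy ciphertext
    Rule("root", ANY, frozenset({"read", "write"}), "ciphertext"),         # admins never see clear text
]


@dataclass(frozen=True)
class Access:
    login_user: str       # who authenticated to the host
    effective_user: str   # uid after any su/sudo
    process: str
    action: str
    path: str


def decide(event, policy=POLICY):
    """Return (effect, matching rule or None) for an access attempt."""
    for rule in policy:
        if rule.user not in (ANY, event.login_user):
            continue
        if rule.process not in (ANY, event.process):
            continue
        if event.action not in rule.actions:
            continue
        return rule.effect, rule
    return "deny", None


def log_line(event, effect):
    """Security-intelligence record in the style of the slide's sample event."""
    who = event.login_user
    if event.effective_user != event.login_user:
        who += f" (impersonating user {event.effective_user})"
    outcome = {
        "permit": "was granted clear-text access",
        "ciphertext": "was granted access to encrypted data only",
        "deny": f"was denied access because it violated policy {POLICY_NAME}",
    }[effect]
    return f"{who} attempted to {event.action} {event.path} via {event.process} and {outcome}"


def evaluate(events):
    """Decide every event and return (effect, log line) pairs for the SIEM."""
    out = []
    for e in events:
        effect, _ = decide(e)
        out.append((effect, log_line(e, effect)))
    return out


# Constructed access attempts against the guard point
EVENTS = [
    Access("payment-svc", "payment-svc", "/opt/payapp/bin/payd", "read", "/data/cards/batch.dat"),
    Access("root", "root", "/usr/bin/cat", "read", "/data/cards/batch.dat"),
    Access("steve", "steve", "/usr/bin/reportgen", "read", "/data/cards/batch.dat"),
    # Admin Dirk Snowman su's to steve and runs the report tool steve is allowed to use
    Access("dsnowman", "steve", "/usr/bin/reportgen", "read", "/data/cards/batch.dat"),
    Access("steve", "steve", "/usr/bin/cp", "read", "/data/cards/batch.dat"),
]

if __name__ == "__main__":
    for effect, line in evaluate(EVENTS):
        print(f"{effect:10} {line}")
```

Two outcomes carry the Requirement 7 point: root reading the file with `cat` is not blocked, but gets ciphertext, so backups and host administration keep working without exposing card data; and steve copying the file with `cp` is denied even though steve is an approved user, because the approval is tied to the process as well as the identity.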
Implement with Confidence
Vormetric Data Security is quick and
easy to administer, while having
negligible impact on performance.
It’s the perfect solution for
meeting PCI DSS requirements.
One of the tipping points for us was Vormetric’s
management console. It makes creating
encryption profiles -- which contain unique
guard points, security policies, and keys -- a
snap. It’s one of the easiest products to
implement I’ve ever used.
Daryl Belfry, Director of IT,
TAB Bank
Jim Fallon, Security Ops manager,
Airlines Reporting Corporation
Coalfire White Paper:
Using Encryption and Access Control
for PCI DSS 3.0 Compliance in AWS
Vormetric.com -> Resources -> White Papers
Vormetric Data Security
Platform Delivers the Lowest
Total Cost of Ownership
Simplicity
Intuitive, consistent, repeatable, organization-wide policy
management reduces cost, resources and errors
Transparent deployment, application-layer when necessary
Efficiency
One platform – many use cases – ready for “what’s next”
Preserve SLAs and use fewer servers w/high-performance
encryption and HA
Better Security and Faster Compliance
File to field data-at-rest encryption, key management, privileged-user
access control, and gathering of security intelligence
Accelerate the detection of insider abuse and APT
A webinar on PCI DSS