Future-proofing your PCI DSS program
GoSec – August 2019
Yves B. Desharnais, MBA, CISSP, PCIP
www.pciresources.com
Agenda
• About Yves
• 1. PCI DSS & scoping: The PCI Resources Scoping Model and Approach
• 2. PCI DSS Controls: The PCI Resources PCI DSS requirements matrix
• 3. Combining both and ensuring maintenance of security controls
• Q&A
About Yves
• IT/InfoSec expert generalist with experience in information security, development, Unix/Linux
• B.Eng. Computer Engineering, U. de Sherbrooke
• MBA, University of Notre Dame
• Worked with PCI since 2012 (2.0) & QSA in 2013-2014
• Author of books on PCI DSS in French and English
• 5 releases since 2015 (www.pciresources.com)
• Author of NetBehave(.org), a (NetFlow/IPFIX) Network Behavioral Analysis Framework launched at BSides Ottawa 2018
1. PCI DSS & scoping: The PCI Resources Scoping Model and Approach
The PCI SSC and the PCI DSS
The Payment Card brands created the Payment Card Industry Security Standards Council (PCI SSC) in 2006 to harmonize information security standards.
The PCI SSC (PCI council)
• defines Security Standards:
  • PCI DSS to protect Cardholder Data (CHD)
  • PA-DSS (changing by 2021) for software
  • PCI PIN
  • PCI PTS
  • Etc.
• and manages the firms that validate the standards:
  • QSA & QSAC (QSA Companies) – PCI DSS
  • ISA – PCI DSS
  • PA-QSA – PA-DSS
Payment Card Industry (PCI) Payment Card Model
PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Source: PCI DSS 3.2.1, p.5
GOAL: Protect Card Data
Data is of 2 main types:
• Cardholder Data (CHD)
  • Primary Account Number (PAN)
  • Cardholder Name
  • Service Code
  • Expiration date
• Sensitive Authentication Data (SAD)
  • Full Magnetic Stripe Data
  • CAV2/CVC2/CVV2/CID
  • PIN / PIN Block
PCI DSS Scope includes
• The People (internal, external)
• performing Business Processes
• using Applications
• running on (physical and virtual) Systems
• and communicating over Networks
• in physical locations
• involved in the storage, processing or transmission (SPT) of card information (CHD/SAD)
• or that could affect the security of card information (connected).
Overview of PCI Resources PCI DSS Scoping Model and Approach
• PCI DSS only defines 3 types of systems:
  • CDE (Cardholder Data Environment)
  • Connected
  • Out-of-scope
• Some variations required to scope
• I have disagreements over segmentation with PCI SSC & OPST
• In the absence of segmentation, everything is in scope and there are no connected systems
PCI DSS Scoping Model and Approach
PCI Scoping Type Decision tree
1. CDE
  • 1.1 CDE/CHD
  • 1.2 Segmentation
  • 1.3 CDE/Contaminated
  • 1.4 Validate with data discovery
2. Connected
  • 2.1 Use ACLs to identify communicating systems
  • 2.2 Connected/security
  • 2.3 3P connected systems (12.8.*)
  • 2.4 Connected/communicating
  • 2.5 Connected/Indirectly
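The decision tree above, and the preceding slide's rule that without segmentation everything is in scope, can be driven mechanically from a firewall ruleset. The following is an added example written for this page, not code from PCI Resources or the PCI SSC: it takes a constructed host inventory, subnet list and ordered ACL (all names and addresses are hypothetical), marks systems that store CHD as CDE/CHD, treats other hosts on the same segment as contaminated (step 1.3), uses the ACLs to find connected systems (step 2.1), and returns everything as CDE when a blanket allow-any rule shows there is no effective segmentation.

```python
"""Classify hosts into PCI DSS scope categories from firewall ACLs.

Added example: a rule-driven version of the scoping decision tree.
Hosts, subnets and rules are constructed sample data, not a real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    src: str            # source CIDR
    dst: str            # destination CIDR
    port: Optional[int]  # None means any port
    action: str         # "allow" or "deny"


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    stores_chd: bool = False  # stores, processes or transmits CHD/SAD


# Constructed sample inventory (hypothetical names and addresses)
SUBNETS = ["10.10.1.0/24", "10.20.5.0/24", "10.20.7.0/24", "10.20.9.0/24"]
HOSTS = [
    Host("pos-db", "10.10.1.10", stores_chd=True),
    Host("pos-app", "10.10.1.20", stores_chd=True),
    Host("old-jumpbox", "10.10.1.30"),   # same segment as CDE, holds no CHD
    Host("siem", "10.20.5.5"),
    Host("ldap", "10.20.5.10"),
    Host("hr-wiki", "10.20.7.7"),
    Host("admin-ws", "10.20.9.9"),
]
# Ordered ACL, first match wins; unmatched traffic is dropped by the firewall
RULES = [
    Rule("10.10.1.0/24", "10.20.5.5/32", 514, "allow"),   # CDE -> SIEM syslog
    Rule("10.10.1.0/24", "10.20.5.10/32", 636, "allow"),  # CDE -> LDAPS
    Rule("10.20.9.0/24", "10.10.1.0/24", 22, "allow"),    # admin VLAN -> CDE SSH
    Rule(ANY, ANY, None, "deny"),                         # explicit cleanup rule
]


def _matches(rule: Rule, src: str, dst: str) -> bool:
    return ip_address(src) in ip_network(rule.src) and ip_address(dst) in ip_network(rule.dst)


def flow_allowed(rules: List[Rule], src: str, dst: str) -> bool:
    """True if at least one port may pass from src to dst under first-match ACLs."""
    for r in rules:
        if not _matches(r, src, dst):
            continue
        if r.action == "allow":
            return True
        if r.port is None:       # blanket deny shadows every later rule for this pair
            return False
        # port-specific deny only blocks that port; keep looking for an allow
    return False                 # no match: firewall default deny


def is_segmented(rules: List[Rule]) -> bool:
    """An any/any allow on any port means no segmentation exists at all."""
    return not any(r.action == "allow" and r.port is None and r.src == ANY and r.dst == ANY
                   for r in rules)


def scope(hosts: List[Host], rules: List[Rule], subnets: List[str]) -> Dict[str, str]:
    """Map each host name to CDE/CHD, CDE/contaminated, Connected or Out-of-scope."""
    if not is_segmented(rules):
        # Slide 9: without segmentation everything is in scope, nothing is 'connected'
        return {h.name: "CDE (no segmentation: everything in scope)" for h in hosts}
    result: Dict[str, str] = {}
    # 1.1 systems that store/process/transmit CHD
    cde_nets = {n for n in subnets for h in hosts
                if h.stores_chd and ip_address(h.ip) in ip_network(n)}
    for h in hosts:
        if h.stores_chd:
            result[h.name] = "CDE/CHD"
        elif any(ip_address(h.ip) in ip_network(n) for n in cde_nets):
            result[h.name] = "CDE/contaminated"   # 1.3 same segment, no firewall between
    cde_hosts = [h for h in hosts if h.name in result]
    # 2.1 any allowed flow in either direction with a CDE system makes a host connected
    for h in hosts:
        if h.name in result:
            continue
        talks = any(flow_allowed(rules, h.ip, c.ip) or flow_allowed(rules, c.ip, h.ip)
                    for c in cde_hosts)
        result[h.name] = "Connected" if talks else "Out-of-scope"
    return result


if __name__ == "__main__":
    for name, category in scope(HOSTS, RULES, SUBNETS).items():
        print(f"{name:12s} {category}")
```

Replacing the cleanup rule with an allow-any rule collapses every host into CDE, which is the practical meaning of the statement that there are no connected systems without segmentation. A real assessment would feed this from exported firewall configurations and confirm the CDE/CHD set with the data discovery step 1.4.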
Network Segmentation - Overview
• "If network segmentation is in place and being used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment." PCI DSS 3.2.1, p.10
• Network segmentation testing is required annually (#11.3.4) or at least every six months (#11.3.4.1, service providers only)
• Segmentation controls are the systems that provide the (generally network) segmentation and prevent "contamination" of CDE systems through "controlled access"
• Typically, these are firewall devices, but others are possible, generally at layer 3 of the OSI model
• May be accomplished by a combination of devices and systems, but the more complex this gets, the better the documentation your assessor will require
2. PCI DSS Controls: The PCI Resources PCI DSS requirements matrix
PCI DSS 3.2.1
12 High-Level Requirements, > 250 requirements, > 400 tests
(Goal / PCI DSS Requirement / Short Name)
Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data (Firewall)
  2. Do not use vendor-supplied defaults for system passwords and other security parameters (Hardening)
Protect Cardholder Data
  3. Protect stored data (Storage)
  4. Encrypt transmission of cardholder data across open, public networks (Transmission)
Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software (Antivirus)
  6. Develop and maintain secure systems and applications (Secure Systems & Apps)
Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know (Need-to-know, RBAC)
  8. Assign a unique ID to each person with computer access (Authentication)
  9. Restrict physical access to cardholder data (Physical Security)
Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data (Logging/Monitoring)
  11. Regularly test security systems and processes (Testing)
Maintain an Information Security Policy
  12. Maintain a policy that addresses information security (Policy)
PCI Resources approach to PCI DSS controls
Matrix* ... by layer (stack) and function
• Functions (columns): Scope | Access Control | Vulnerability Management | Logging and Monitoring
• Layers (rows, top to bottom): Governance, Policy, User, Data, App, Operating System, Network Architecture, Physical
* From PCI DSS made easy, section 3.15; note, no mapping is ever perfect, some overlap expected...
PCI Resources approach to PCI DSS controls
Top layers: Governance and Policies
Governance
  • Scope: Infosec Responsibilities; Third-Party Management; Scope & Diagrams
  • Access Control: HR Background Checks
  • Vulnerability Management: Risk Assessments
  • Logging and Monitoring: Detect failures of critical security controls (BaU) (1)
Policy
  • Scope: Infosec & Acceptable Use Policy; Data Retention and Disposal Policy; Policy: No PAN via email, chat, etc.; System Config Standards; Router/Firewall Config & Changes
  • Access Control: Security Awareness Training, including on passwords; Roles
  • Vulnerability Management: Pentests; Vuln. Management; Change Control; Change default settings
  • Logging and Monitoring: Logging; Monitoring; Incident Response Policy
User
  • Access Control: User Identification & Authentication; No shared account
(1) Service provider only in 3.2.1
PCI Resources approach to PCI DSS controls
Middle layers: systems and applications
Data
  • Scope: Storage of: SAD, PAN; Cryptographic Key Management
  • Access Control: DB Separation of Duties (SoD) & programmatic methods
  • Logging and Monitoring: All individual user accesses to cardholder data
App
  • Scope: Secure transmission on open public networks (TLS, VPN); Mask PAN when displayed
  • Access Control: RBAC
  • Vulnerability Management: Secure SDLC; Secure Application Development; Protect web apps
  • Logging and Monitoring: Secure (centralize) logs; Log Retention
Operating System
  • Scope: Inventory of system components
  • Access Control: Personal Firewall
  • Vulnerability Management: Antimalware; Patching; Vuln. scans
  • Logging and Monitoring: Sync clocks (NTP); Change Detection/File Integrity Monitoring
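Two of the controls above, validating scope with data discovery (step 1.4 of the decision tree) and masking the PAN when displayed, share the same core: recognising a PAN. The following is an added example, not code from PCI Resources or the PCI SSC. It scans constructed log lines for 13 to 19 digit sequences, keeps only Luhn-valid candidates so that invoice numbers and phone numbers do not become false positives, and masks hits to the first six and last four digits, which is the maximum PCI DSS 3.2.1 requirement 3.3 permits for display. The sample log and card numbers are constructed test values, not real accounts.

```python
"""PAN discovery in text and display masking.

Added example supporting scoping step 1.4 (validate with data discovery)
and the 'Mask PAN when displayed' control. The sample log is constructed.
"""
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check digit validation, as used by payment card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs found in text, with separators removed."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display masking: at most the first six and last four digits visible
    (PCI DSS 3.2.1 requirement 3.3)."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample application log; card numbers are standard test values
SAMPLE_LOG = """\
2019-08-20T10:01:02 INFO order 1234567890123456 paid, card 4111 1111 1111 1111 approved
2019-08-20T10:01:03 DEBUG retry card=5500-0000-0000-0004 amount=19.99
2019-08-20T10:01:04 INFO ref 4111111111111112 (not a card) phone 5145550000
"""


def scan(text: str) -> List[Tuple[str, str]]:
    """Pair each discovered PAN with its masked display form."""
    return [(pan, mask_pan(pan)) for pan in find_pans(text)]


if __name__ == "__main__":
    for pan, masked in scan(SAMPLE_LOG):
        print(f"found PAN in log, display as {masked}")
```

The order number 1234567890123456 and the reference 4111111111111112 both look like card numbers to a plain regex but fail the Luhn check, which is what keeps a discovery run from flooding the scope exercise with false positives. A finding in a log file means that file, the host it sits on and the log pipeline it flows through are CDE, regardless of what the diagrams say.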
PCI Resources approach to PCI DSS controls
Bottom layers: Physical and Network
Network Architecture
  • Scope: ACL documentation; ACL review (every 6 months); Firewall between CDE/untrusted networks and CDE/internet; Secure wireless networks
  • Access Control: MFA (CDE & external)
  • Vulnerability Management: Implicit in Risk Assessment; Segmentation Pentest (CDE)
  • Logging and Monitoring: Test or Monitor for Unauthorized wireless; IDS / IPS
Physical
  • Scope: Physical Access Control and Monitoring; Visitor management; Media Controls
  • Access Control: Implicit in some procedures
  • Vulnerability Management: POS Device testing / Tampering checks
  • Logging and Monitoring: Implicit in RoC template
3. Combining both and ensuring maintenance of security controls
PCI DSS version history over time
[Figure: timeline of PCI DSS versions]
* 4.0 expected late-2020 or later