
Page 1: Securing Your Business Beyond PCI DSS

© 2010

Securing Your Business Beyond PCI DSS

Greg Rosenberg, QSA CISA
September 14, 2011

Page 2: Securing Your Business Beyond PCI DSS

Agenda

• About Trustwave
• PCI DSS Review
• How Compliance Works
• Continuous Compliance
• Questions

Page 3: Securing Your Business Beyond PCI DSS

About Trustwave

Trustwave is a global provider of information security solutions that enable organizations to manage and enforce real-time compliance. Since the card brands' data security programs began almost a decade ago, Trustwave has worked with the card brands to protect cardholder data.

Page 4: Securing Your Business Beyond PCI DSS

PCI DSS Review

Page 5: Securing Your Business Beyond PCI DSS

Payment Card Acceptance

The Payment Card Industry’s Data Security Standard states: "PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data."

Page 6: Securing Your Business Beyond PCI DSS

Visa and MasterCard Levels and Reporting

Level 1
  Criteria: Over 6 million Visa or MasterCard transactions in a 12 month period
  Requirements:
  • Onsite Assessment performed by QSA
  • Quarterly network scans

Level 2
  Criteria: Between 1 and 6 million Visa or MasterCard transactions in a 12 month period
  Requirements:
  • Self-Assessment Questionnaire (SAQ). Onsite Assessment performed by accredited internal staff or QSA after June 30, 2011.
  • Quarterly network scans

Level 3
  Criteria: Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12 month period
  Requirements:
  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans

Level 4
  Criteria: Less than 20,000 e-commerce transactions, or less than 1 million transactions with one card brand, in a 12 month period
  Requirements:
  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans

Page 7: Securing Your Business Beyond PCI DSS

PCI DSS Requirements

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

Page 8: Securing Your Business Beyond PCI DSS

Continuous Compliance

Page 9: Securing Your Business Beyond PCI DSS

Challenges

The PCI DSS is NOT a checklist, and being compliant does not necessarily equate with being secure
– Achieving PCI DSS compliance is based on a snapshot of the level of security at the time of an audit
– PCI DSS is a baseline (or prescription) for security, not the pinnacle

Many merchants make a last-minute “rush to compliance” in order to satisfy audit criteria
– This last-minute rush may produce a perfect compliance snapshot—but not produce ongoing security

Page 10: Securing Your Business Beyond PCI DSS

Continuous Compliance

The PCI DSS helps businesses address security and risk.

Merchants should:
– Know their risk profile and level of compliance daily
– Be ready to adapt to any requirement changes
– Ensure employees are following security policies at all times

Page 11: Securing Your Business Beyond PCI DSS

Creating Continuous Compliance

The process of compliance is ongoing.

1. Assess
   − Identify gaps
   − Inventory IT assets and business processes for payment cards

2. Remediate
   − Fix vulnerabilities

3. Report
   − Submission of paperwork/records to proper groups, such as acquiring banks
   − Paperwork includes audit results, such as Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ)

Page 12: Securing Your Business Beyond PCI DSS

How to Assess

Study the PCI DSS standards

Inventory IT assets and processes
– Identify all systems, personnel and processes involved with the transmission, processing or storage of cardholder data

Identify vulnerabilities
– Your Self-Assessment Questionnaire guides the assessment

Validate with third-party experts
– Depending on the complexity of the network environment, a Qualified Security Assessor (QSA) may be required to conduct a proper assessment

Page 13: Securing Your Business Beyond PCI DSS

How to Remediate

Remediation is the process of fixing vulnerabilities, and may include:
– Network scans to analyze infrastructure and identify known vulnerabilities
– Review and remediation of vulnerabilities uncovered by an on-site assessment or SAQ process
– Prioritizing remediation to address most to least serious
– Patches, fixes and any changes to processes and workflow
– Re-scanning to confirm remediation

Page 14: Securing Your Business Beyond PCI DSS

How to Report

Conduct regular vulnerability scanning
– All merchants need to submit quarterly scan reports, completed by an approved ASV

Some businesses may need to enlist a QSA to conduct an annual on-site assessment

Each payment brand has its own reporting guidelines

Page 15: Securing Your Business Beyond PCI DSS

Checklist for Continuous Compliance

Don’t just “get” compliant, stay compliant:

• Use the technologies and procedures implemented for compliance to reduce risk, making PCI DSS the basis for your policies
• Establish a cycle of risk management analysis and response
• Continue to reduce scope where possible
• Work towards making the process of staying compliant easier
• Compliance is the baseline for your information security program

Page 16: Securing Your Business Beyond PCI DSS

Resources

TrustKeeper login: https://login.trustwave.com
Support: [email protected]

PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml

Visa CISP: http://www.visa.com/cisp

MasterCard SDP: http://www.mastercard.com/sdp

Page 17: Securing Your Business Beyond PCI DSS

Questions?