E pci middle_east_march2015_ver_1 5

Page 1

2014 North American Community Meeting / 2015 Middle East Forum

Middle East Perspective on Payments Security

SISA

Page 2

Introduction

Qualifications: PCI QSA, PA-QSA, CISA, CISSP, CEH, FCA, ISO 27001 Implementer, OCTAVE (SEI-CMU) Authorized Trainer and Advisor, SANS Certified Web Application Pen Tester (GWAPT), Microsoft Certified Professional (MCP)

SISA Information Security operates from Dubai and Bahrain as part of its Middle East operations; SISA also operates in America and Asia. SISA Middle East was set up in 2008 and has since worked with more than 100 organizations as a QSA, PA-QSA and ASV. SISA has trained over 5,000 professionals on payment security with its flagship certification, CPISI.

Dharshan was the proposer and lead for the PCI DSS Risk Assessment Group that authored the PCI DSS Risk Assessment guidance document.

Dharshan Shanthamurthy, Founder and Chief Executive Officer
Email: [email protected] Linkedin: dharshanshanthamurthy

Page 3

Session Agenda:

PCI DSS Adoption

PCI DSS Gap Assessment – What's common between them?

Challenges

PCI Success Plan


Page 4

PCI DSS Adoption

[Chart: PCI DSS adoption by year, 2011 to 2014; y-axis 0 to 60; two series: Merchant and Service Provider]

Note: Statistics based on the SISA database and the Visa and MasterCard service provider lists.

Page 5

Gaps across requirements

[Chart: Gaps across requirements; for each PCI DSS requirement (numbered along the x-axis), the percentage (0 to 100) of assessments rated Not Applicable, Non Compliant and Compliant]

Note: Statistics based on approx. 100+ assessments conducted by SISA in the Middle East.

Page 6

Challenges

TECHNICAL

Applications

Segmentation

PCI DSS Risk Assessment

Out-of-support systems

Sustenance

IMPLEMENTATION

Project management

Driven by one or a few teams

Training for implementers and decision makers

Not onboarding the right partners or investing in the right solutions

Page 7

PCI Success Plan*

1. Get the highest level of sponsorship for the program

2. Get the right team/person behind the program

3. Put a proper project plan in place and budget sufficient time to get it right

4. Conduct 3 types of training:

a. PCI DSS training for implementers

b. PCI DSS training for decision makers

c. PCI DSS training for developers

5. Create a cross-functional PCI Steering Committee

6. Identify cardholder data in the environment


* Extract of the SISA PCI Success Plan

Page 8

PCI Success Plan*

7. Conduct a PCI DSS Risk Assessment

8. Conduct a PA-DSS self-assessment for critical applications at the earliest

9. Discuss and agree on the gaps between the QSA and internal stakeholders

10. Remediate as per the plan and inform key stakeholders of any delay

11. Hold periodic steering committee meetings to take decisions

12. Hold milestone review calls to discuss technical challenges and reach agreement with the QSA


* Extract of the SISA PCI Success Plan
