2014 North American
Community Meeting 2015 Middle East Forum
Middle East Perspective on Payments Security
SISA
Introduction
Qualifications: PCI QSA, PA-QSA, CISA, CISSP, CEH, FCA, ISO 27001 Implementer, OCTAVE (SEI-CMU) Authorized Trainer and Advisor, SANS Certified Web Application Pen Tester (GWAPT), Microsoft Certified Professional (MCP)
SISA Information Security operates from Dubai and Bahrain as part of its Middle East operations; SISA as a whole operates in America, Asia and the Middle East. SISA Middle East was set up in 2008 and since then has worked with more than 100 organizations as a QSA, PA-QSA and ASV. SISA has trained over 5,000 professionals on payment security with its flagship certification, CPISI.
Dharshan was the proposer and lead for the PCI DSS Risk Assessment Group that authored the PCI DSS Risk Assessment guidance document.
Dharshan Shanthamurthy, Founder and Chief Executive Officer
Email: [email protected] LinkedIn: dharshanshanthamurthy
Session Agenda:
PCI DSS Adoption
PCI DSS Gap Assessment – What's common between them?
Challenges
PCI Success Plan
PCI DSS Adoption
[Chart: number of PCI DSS compliant Merchants and Service Providers per year, 2011 to 2014 (y-axis 0 to 60)]
Note: statistics based on the SISA database and the Visa and MasterCard Service Provider Lists.
Gaps across requirements
[Chart: percentage of assessments found Compliant, Non Compliant or Not Applicable, per PCI DSS requirement (y-axis 0 to 100)]
Note: statistics based on approximately 100+ assessments conducted by SISA in the Middle East.
Challenges
TECHNICAL
- Applications
- Segmentation
- PCI DSS Risk Assessment
- Out-of-support systems
- Sustenance
IMPLEMENTATION
- Project management
- Driven by one or few teams
- Training for implementers/decision makers
- Not on-boarding the right partners or investing in the right solutions
PCI Success Plan*
1. Get highest level of sponsorship for the program
2. Get the right team/person behind the program
3. Put a proper project plan and budget sufficient time to get it right
4. Conduct 3 types of training:
a. PCI DSS training for implementers
b. PCI DSS training for decision makers
c. PCI DSS training for developers
5. Creation of a cross functional PCI Steering Committee
6. Identify cardholder data in the environment
* Extract of the SISA PCI Success Plan
PCI Success Plan*
7. Conduct PCI DSS Risk Assessment
8. Conduct a self-assessment against PA-DSS for critical applications at the earliest opportunity
9. Gap discussion and agreement between the QSA and internal stakeholders
10. Remediation as per the plan and inform key stakeholders of any delay
11. Periodic steering committee meetings to take decisions
12. Milestone review calls to discuss technical challenges and agreement with QSA
* Extract of the SISA PCI Success Plan