Embed Size (px)
Citation preview
PCI DSS 3.0 – Making Compliance
Business As Usual By Kishor Vaswani – CEO, ControlCase
Agenda
• About PCI DSS
• Overview of changes
• PCI BAU by requirement number
• Implementation tips
• ControlCase solution
• Q&A
1
About PCI DSS
What is PCI DSS?
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting payment card account data
• Established by leading payment card brands
• Maintained by the PCI Security Standards Council (PCI SSC)
2
PCI DSS Requirements
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
3
Timeline of PCI DSS 3.0
4
• The new PCI DSS 3.0 have been published
• Effective Jan 1st, 2014
• Must comply to PCI DSS 3.0 starting 2015
Overview of changes
Overview
5
Segmentation
• Adequacy of segmentation
• Penetration test
Third parties/Service providers
• Must validate PCI DSS compliance; OR
• Must participate in customers PCI DSS compliance audit
Overview contd…
6
PCI DSS as Business as Usual
• Monitoring of security controls
• Review changes to environment
• Review changes to org structure
• Periodic review of controls vs. during audit
• Separation of duties (operational vs. security)
Physical protection of POS, ATM and Kiosks
• Maintain inventory
• Periodic inspection for tampering
• Train personnel
PCI DSS 3.0 Business As Usual by
Requirement Number
PCI Council Guidance on BAU
7
Monitoring of security controls
• Firewalls
• IDS/IPS
• File Integrity Monitoring (FIM)
• Anti Virus
Ensuring failures in security controls are detected and responded
• Restoring the security control
• Identifying the root cause
• Identifying any security issues because of the failure
• Mitigation
• Resume monitoring of security control
• Segregation of duties between detective and preventive controls
PCI Council Guidance on BAU
8
Review changes to environment
• Addition of new systems
• Changes or organizational structure
• Impact of change to PCI DSS scope
• Requirement applicable to new scope
• Implement any additional security controls because of change
• New hardware and software (and older ones) continue to be supported and do not impact compliance
Periodic reviews
• Configuration
• Physical security
• Patches and Anti Virus
• Audit logs
• Access rights
Firewalls
9
People- PCI project manager to
escalate non-compliance- Segregation of duties
between operations performing change and compliance personnel reviewing change
Process- PCI impact analysis as part of
firewall change management process
Technology- Automated/Periodic ruleset
reviews- Weekly port scans from CDE
to Internet to verify no outbound connections
Configuration Standards
10
People- PCI project manager to
escalate non-compliance
Process- Periodic update to
configuration standards- New infrastructure
onboarding process to include PCI configuration standards check
Technology- Automated/Periodic
configuration scans- Reminders to update
configuration standards quarterly
- Technology to flag new assets that have not formally undergone PCI configuration standards check
Protect Stored Cardholder Data
11
People- PCI project manager to
escalate non-compliance to highest levels within organization
Process- Periodic false positive
management- Search for cardholder data
during roll out tests/quality assurance
Technology- Automated/Periodic
cardholder data scans- Alerts in case of new
cardholder data found
Protect Cardholder Data in Transmission
12
People- Training to ensure personnel
do not email/chat clear text card data
- Personnel allocated to review outbound data at random
Process- Periodic review of modes of
transmission i.e. wireless, chat, email etc.
Technology- Automated technology to
monitor transmission of card data through perimeter (e.g. email, chat monitoring)
Antivirus and Malware
13
People- PCI project manager to
escalate non-compliance
Process- Process to ensure all assets
are protected by antivirus- Process to implement
antivirus and anti-malware on all new systems being deployed
Technology- Technology to detect any
systems that do not have anti virus/anti malware installed
Secure Applications
14
People- Segregation of development
and security duties- Periodic training of
developers to security standards such as OWASP
Process- Continuous scanning of
applications- Scanning of applications as
part of SDLC- Code review as part of SDLC- Review of QA/test cases on a
periodic basis to ensure all of them have a security checkpoint and approval
Technology- Application scanning software- Code review software- Identification of instances
where changes have occurred to applications
- Application firewalls
Access Control and User IDs
15
People- Segregation of personnel
provisioning IDs and review of user access
Process- Periodic review of user access- Attestation of user access- Onboarding procedures- Termination procedures
Technology- Role based access control- Single sign on- Use of LDAP/AD/TACACS for
password management
Physical Security
16
People- Designation of a person at
every site as a site coordinator
Process- Periodic walkthroughs and
random audits of physical security
- Weekly review of CCTV and badge logs
- Periodic review of scope
Technology- Alarms to report malfunction
of devices such as cameras and badge access readers
Logging and Monitoring
17
People- Personnel to actively monitor
logs 24/7/365
Process- Periodic review of asset inventory- Periodic review of scope- Process to ensure logs from all
assets are feeding the SIEM solution- Restoration of logs from 12 months
back every week/month
Technology- Security and Event
Management (SIEM)- Technology to identify new
assets not covered within SIEM
Vulnerability Management
18
People- Segregation of personnel
responsible for scanning vs remediation of anomalies
- PCI project manager to escalate non-compliance
Process- Ongoing review of target
assets vs asset inventory for appropriateness/change
- Periodic testing of IDS/IPS effectiveness through random penetration tests/vulnerability scans
Technology- Automated scanning
technology- Technology to manage false
positives and compensating controls
- Asset management repository- File Integrity Monitoring (FIM)
technology
Policies and Procedures
19
People- Coordination between
procurement and compliance personnel
Process- PCI DSS requirements tied to
procurement process- PCI anomalies to be tracked
within vendor/third party management solution
Technology- Vendor management/Third
party management solution
PCI DSS Requirements
20
Control Objectives Requirements
Build and maintain a secure network 1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data 3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public
networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data
Regularly monitor and test networks 10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security
Key Implementation Tips
Key Themes
21
Segregation of duties
Technology operating effectively
AutomationDedicated PCI project manager
Repeatability
Periodic Reviews
Dashboard for tracking activities
22
Calendar of reminders/tracking back to controls
23
ControlCase Solutions
ControlCase Cloud GRC
24
• Out of box tracking of PCI Controls
• Out of box reminders for key BAU activities
• Out of box dashboard for key compliance
tasks to be done periodically
• Out of box tracking of BAU anomalies
To Learn More About PCI Compliance…
• Visit www.controlcase.com
• Call +1.703.483.6383 (US)
• Call +91.9820293399 (India)
25
Thank You for Your Time
