130 likes | 255 Views
10 Tips for PCI Compliance programs. Christopher Heinz, CISSP. Overview. Understand Impact Know the landscape Reduce scope Consider alternatives Data storage considerations Be transparent Be prepared Top attack vectors Ongoing process is required Have a plan (or two).
E N D
10 Tips for PCI Compliance programs Christopher Heinz, CISSP
Overview • Understand Impact • Know the landscape • Reduce scope • Consider alternatives • Data storage considerations • Be transparent • Be prepared • Top attack vectors • Ongoing process is required • Have a plan (or two)
Understand the impact of PCI • Reputation • Financial (processing fees, fines) • Reporting requirements • Understand that mitigating risk to card data is the goal • Potential benefits of program
Know the landscape • Define compliance ownership • Involve legal team to determine scope • Use multiple sources to build consensus
Reduce scope • Move systems out of scope if possible • Consider third party solutions where possible • Map actual data flows • Stop when it makes sense
Consider alternatives • Third party processors • Encryption/hashing • Do not forget PA-DSS for third party software vendors
Data storage considerations • CVV/CID (NEVER!) • Is there a business need to store data? • Limit risk by limiting data stored • Data store should be reduced/removed wherever possible
Be transparent • Obfuscation of situation only hurts, never helps • Define reporting mechanisms • Clarity of information/responses should be paramount • Internal reporting/approvals should be retained
Be prepared • Compliance packets are helpful • Ease assessment pain, which limits cost • Build confidence in program • Thorough, easy to parse documentation • Use comments in configs/code anywhere possible
Top Attack Vectors • Improper Patching • Insecure code practices • Default username/password • Insecure remote access • Nothing new under the sun (because there doesn’t need to be)
Ongoing process is required • Self assess internally as frequently as practical • Avoid checkbox mentality • Apply the Security wheel model (Secure -> Monitor -> Test -> Improve) • Scanning required quarterly, but meaningless if remediation action not taken • Compensating controls should be reduced/eliminated
Have a plan (or two) • Considerable amount of time/effort to maintain compliance • Have a backup plan (DR, adding new systems, breach) • Analyze plan, evaluate application of each process • Consider lessons learned, otherwise they're not "learned"