
Securing Your Business Beyond PCI DSS

Greg Rosenberg, QSA CISA. September 14, 2011.



  1. Securing Your Business Beyond PCI DSS
     Greg Rosenberg, QSA CISA
     September 14, 2011

  2. Agenda
     • About Trustwave
     • PCI DSS Review
     • How Compliance Works
     • Continuous Compliance
     • Questions

  3. About Trustwave
     • Trustwave is a global provider of information security solutions that enable organizations to manage and enforce real-time compliance.
     • Since the card brands launched their data security programs almost a decade ago, Trustwave has worked with them to protect cardholder data.

  4. PCI DSS Review

  5. Payment Card Acceptance
     The Payment Card Industry's Data Security Standard states:
     PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data.

  6. Visa and MasterCard Levels and Reporting

  7. PCI DSS Requirements
     Build and Maintain a Secure Network
     • Install and maintain a firewall configuration to protect cardholder data
     • Do not use vendor-supplied defaults for system passwords and other security parameters
     Protect Cardholder Data
     • Protect stored cardholder data
     • Encrypt transmission of cardholder data across open, public networks
     Maintain a Vulnerability Management Program
     • Use and regularly update anti-virus software or programs
     • Develop and maintain secure systems and applications
     Implement Strong Access Control Measures
     • Restrict access to cardholder data by business need-to-know
     • Assign a unique ID to each person with computer access
     • Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
     • Track and monitor all access to network resources and cardholder data
     • Regularly test security systems and processes
     Maintain an Information Security Policy
     • Maintain a policy that addresses information security for employees and contractors

  8. Continuous Compliance

  9. Challenges
     • The PCI DSS is NOT a checklist, and being compliant does not necessarily equate with being secure
     • Achieving PCI DSS compliance is based on a snapshot of the level of security at the time of an audit
     • PCI DSS is a baseline (or prescription) for security, not the pinnacle
     • Many merchants make a last-minute "rush to compliance" in order to satisfy audit criteria
     • This last-minute rush may produce a perfect compliance snapshot—but not produce ongoing security

  10. Continuous Compliance
     • The PCI DSS helps businesses address security and risk.
     • Merchants should:
       • Know their risk profile and level of compliance daily
       • Be ready to adapt to any requirement changes
       • Ensure employees are following security policies at all times

  11. Creating Continuous Compliance
     The process of compliance is ongoing.
     • Assess
       • Identify gaps
       • Inventory IT assets and business processes for payment cards
     • Remediate
       • Fix vulnerabilities
     • Report
       • Submission of paperwork/records to proper groups, such as acquiring banks
       • Paperwork includes audit results, such as a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ)

  12. How to Assess
     • Study the PCI DSS standards
     • Inventory IT assets and processes
       • Identify all systems, personnel and processes involved with the transmission, processing or storage of cardholder data
     • Identify vulnerabilities
       • Your Self-Assessment Questionnaire guides the assessment
     • Validate with third-party experts
       • Depending on the complexity of the network environment, a Qualified Security Assessor (QSA) may be required to conduct a proper assessment

  13. How to Remediate
     • Remediation is the process of fixing vulnerabilities, and may include:
       • Network scans to analyze infrastructure and identify known vulnerabilities
       • Review and remediate vulnerabilities uncovered by an on-site assessment or SAQ process
       • Prioritizing remediation so the most serious vulnerabilities are addressed first
       • Patches, fixes and any changes to processes and workflow
       • Re-scanning to confirm remediation

  14. How to Report
     • Conduct regular vulnerability scanning
     • All merchants need to submit quarterly scan reports, completed by an approved ASV
     • Some businesses may need to enlist a QSA to conduct an annual on-site assessment
     • Each payment brand has its own reporting guidelines
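The remediate-and-report loop in slides 13 and 14 (prioritize findings most to least serious, fix them, re-scan to confirm, keep to the quarterly ASV cadence) is easy to lose track of across scan rounds. The following Python is an added example, not part of the presentation or of any Trustwave tooling; the host names, check identifiers and CVSS scores are constructed, and the 4.0 CVSS failing threshold and 90-day window are the ASV Program Guide's rules applied here as plain assumptions rather than anything the slides state.

```python
"""Added example (not from the presentation): prioritize scan findings,
confirm remediation by comparing two scan rounds, and check scan cadence.
All finding data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    host: str        # hypothetical in-scope host name
    plugin: str      # hypothetical scanner check identifier
    severity: str    # critical / high / medium / low
    cvss: float      # CVSS base score as reported by the scanner

    @property
    def key(self):
        """Identity of a finding across scan rounds: same host, same check."""
        return (self.host, self.plugin)


def prioritize(findings):
    """Order findings most to least serious: severity tier first, then CVSS."""
    return sorted(findings,
                  key=lambda f: (SEVERITY_RANK[f.severity], f.cvss),
                  reverse=True)


def confirm_remediation(before, after):
    """Compare two scan rounds of the same scope.

    Returns (fixed, still_open, new) as sets of (host, plugin) keys, so the
    re-scan shows what was actually closed rather than just a new total."""
    b = {f.key for f in before}
    a = {f.key for f in after}
    return b - a, b & a, a - b


def passes_asv_threshold(findings):
    """Assumption: an ASV scan fails on any finding with CVSS >= 4.0."""
    return all(f.cvss < 4.0 for f in findings)


def next_scan_due(last_passing_scan, today, window_days=90):
    """Days until the next quarterly scan is due (negative means overdue).
    Assumes a 90-day window for 'quarterly'."""
    return (last_passing_scan + timedelta(days=window_days) - today).days


# Constructed sample data: first scan, then the re-scan after patching.
SAMPLE_BEFORE = [
    Finding("pos-01", "ssl-weak-cipher", "medium", 5.3),
    Finding("pos-01", "smb-default-creds", "critical", 9.8),
    Finding("db-01", "outdated-openssh", "high", 7.5),
    Finding("web-01", "http-trace", "low", 2.6),
]
SAMPLE_AFTER = [
    Finding("pos-01", "ssl-weak-cipher", "medium", 5.3),
    Finding("web-01", "http-trace", "low", 2.6),
    Finding("web-01", "missing-hsts", "low", 3.1),
]


def remediation_summary(before, after):
    """One-shot view of a remediation cycle: counts plus ASV pass/fail."""
    fixed, still_open, new = confirm_remediation(before, after)
    return {
        "fixed": len(fixed),
        "still_open": len(still_open),
        "new": len(new),
        "asv_pass": passes_asv_threshold(after),
    }


if __name__ == "__main__":
    print("Work queue (most serious first):")
    for f in prioritize(SAMPLE_BEFORE):
        print(f"  {f.severity:8} {f.cvss:4} {f.host} {f.plugin}")
    print("Re-scan summary:", remediation_summary(SAMPLE_BEFORE, SAMPLE_AFTER))
    print("Days until next quarterly scan:",
          next_scan_due(date(2011, 6, 16), date(2011, 9, 14)))
```

The point of `confirm_remediation` is that a re-scan is only evidence of remediation when it is keyed by host and check; a lower finding count can hide newly introduced issues, which the `new` set surfaces. `passes_asv_threshold` shows why the medium-severity cipher finding still blocks a passing scan even after the critical and high items are closed.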

  15. Checklist for Continuous Compliance
     • Don't just "get" compliant, stay compliant:
       • Use the technologies and procedures implemented for compliance to reduce risk, making PCI DSS the basis for your policies
       • Establish a cycle of risk management analysis and response
       • Continue to reduce scope where possible
       • Work towards making the process of staying compliant easier
     • Compliance is the baseline for your information security program

  16. Resources
     • TrustKeeper login: https://login.trustwave.com
     • Support: support@trustwave.com
     • PCI Security Standards Council: https://www.pcisecuritystandards.org/index.shtml
     • Visa CISP: http://www.visa.com/cisp
     • MasterCard SDP: http://www.mastercard.com/sdp

  17. Questions?
