3rd European PCI DSS Roadshow
Dublin, March 5th 2013
Mathieu.gorge@vigitrust.com
www.vigitrust.com
Monday, 13 April 2015
(c) VigiTrust 2003-2013

Today’s Agenda (Dublin)

Start   Finish   Session                                                          Description
08:30   09:00    Registration                                                     Main event registration run by VigiTrust
09:00   09:10    Welcome Note                                                     Provided by VigiTrust
09:10   09:55    Keynote – PCI SSC Perspective                                    Jeremy King, European Director, PCI SSC
09:55   10:10    Mobility & Retail – Impact for Payments & Security               Rowan Fogarty, Managing Director at PortHand
10:10   10:30    PCI DSS – Perspective On Continuous Compliance                   Mathieu Gorge, CEO, VigiTrust
10:30   10:50    Break                                                            Tea/Coffee Break
10:50   11:20    Payments as part of Critical National Operations – Risks Overview   Peadar Duffy, Chairman, RMI
11:20   11:50    The Positive Economist – A Perspective on Payments               Susan Hayes, founder, The Positive Economist
11:50   12:00    Concluding thoughts                                              VigiTrust
12:00   12:15    Q&A session                                                      Moderated Q&A with speakers

Mathieu Gorge, CEO & Founder, VigiTrust
- Founded VigiTrust in 2003
- InfoSecurity Ireland Chairman
- Created PCI DSS European RS
- Independent Security Expert for ENISA
- East West Institute working groups
- ANSI – PHI reviewer
- Geneva Security Forum
- ISS World
• ISSA WCC (since 2008)
• ISACA NYC (since 2009)
• PCI Council SIGs (since 2011)
• Articles
  – techTarget (Security)
  – ISACA
  – Searchstorage.com
  – Computer Fraud & Security
  – SC Magazine
  – ISSA Journal
  – Baseline

About VigiTrust
• CSMS – Compliance & Security Management Suite
• SAMS – Security Accreditation Management System
• MCP – Merchant Compliance Portal
• Customer segments: Enterprise, Aggregators, Mid-Size
• eSEC – Security eLearning Modules
• 5 Pillars of Security Framework™: Physical Security, People Security, Data Security, IT Security, Crisis Management

Setting PCI DSS Global Scene

Payments Industry – a Definition
Payment security entails managing and securing payment data across an organization’s full order lifecycle, from the point of payment acceptance, through fraud management, fulfilment, customer service, funding and financial reconciliation, and transaction record storage. The presence of payment data at any of these points, whether on organization systems, networks or visible to staff, exposes the organization to risk.

The presence of payment data …. exposes the organization to risk. Therefore you need to fully understand your own ecosystem and payments data flow.

2010 to 2012 – A very busy time for PCI DSS
• US remains the most compliant territory in terms of PCI DSS
• Europe gaining traction
  – Appointment of Jeremy King as European Director
• PCI DSS was updated in October 2010
  – PCI DSS Lifecycle Update
  – Changes, or lack of same, in v2.0
• New guidance papers from the Council – 2011 & 2012
  – Tokenization, P2PE, Wireless, Virtualization – includes Cloud Computing Definitions
  – Cloud, Cloud, Cloud
  – Mobile, Mobile, Mobile
• Visa – is the US really going Chip & PIN?
Changes to Data Protection in the EU
• Not a directive but a single regulation in the EU
  – Harmonization at European level…but with challenges
• Applies to companies based outside the EU if personal data is handled abroad by companies that are active in the EU and offer services to EU citizens
• Right to be forgotten
• Controllers’ responsibilities
  – Policies & procedures, staff training
• Data processing impact assessment
  – If any data is likely to present risks to individuals
• Security
  – Both processors and controllers must put security measures in place
• Fines
• Data breach notification
  – Within 24 hours of noticing the breach
• Data portability (service providers) & data transfers
• Data Protection Officers

Intersection between PCI DSS compliance and the DPA
• Need for appropriate levels of security
• Compliance with PCI DSS should enable compliance with key provisions of the DPA
• ICO in the UK made an example of Lush (Lush Cosmetics Ltd)
  – "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times”
  – For online retailers, the PCI DSS is clearly now best practice
  – Adherence to the PCI DSS should ensure compliance with the security obligations under the Act
  – The undertaking from Lush requires them to store only the minimum amount of payment data necessary to receive payments, and to keep it for no longer than necessary.
Jeremy King, PCI SSC

Rowan Fogarty, PortHand

Perspectives on Continuous Compliance

PCI DSS & GRC Process
[Diagram] Regulatory, legal and corporate governance frameworks (SOX, SAS 70 II, EU Data Protection, PCI DSS, HIPAA, others) feed a five-step continuous compliance process. Workstreams: Policies & Procedures; Education & Security Awareness; Network & Hardware Security; Application Security. Process elements: Self-Governed Pre-Assessment; Official Assessors & Auditors; Remediation Work; Specialized Skills Transfer; Continuous Compliance Process (Steps 1 to 5, GRC Process).

Understanding Your Ecosystem

Scoping your ecosystem for PCI DSS
• Scope your network’s perimeter to determine the ecosystem’s size
  – Traditional perimeter – either in or out of the firewall
  – Cloud
    • Private / Public / Hybrid
  – Wireless networks – also part of your ecosystem
  – Mobile & I/O devices are also part of your ecosystem
    • Must be referenced in your asset inventory
• Diagrams are key
  – Must cover your WHOLE ecosystem
  – Must be kept up to date
• Flow of data between all ecosystem sub-areas must be clear
  – Know where the data comes from, where it might transit through, where it may be stored/copied, and where it ends up

Required Documentation
• Diagrams and Data Flows
  – Ecosystem Diagrams
  – Data Flow Diagrams
  – Network Diagrams
• Asset Inventory
• Acceptable Usage Policy for staff
• Access Control Policy
• Firewall Rules and Business Justification for Rules
• AV, Anti-Spam and Intrusion Detection/Prevention Policy
• Incident Response Plan
• Hardening, Log and Patch Management Policy
• Back-Up and Media Storage Policy
• Security Assessment, Application Security & Vulnerability Management Policy
• Management of Third Parties Policy

Technical Solutions typically required for PCI DSS
• Anti-Virus / Anti-Spam
• Firewalls & VPNs
• IDS/IPS
• Web Filtering / Mail Filtering
• IM monitoring
• File Integrity
• SIEM – Central Log solutions
• Asset Management
• PSD Mgt/Control
• Encryption
• Onsite vs Managed Services vs Cloud services?

Building & Maintaining PCI DSS Teams (1)
An effective PCI DSS project team is essential to the success of your PCI compliance process in terms of raising security awareness, enforcing security policies and implementing technical solutions. The first step in creating a project team is to decide which staff members to include on the team.

[Diagram] PCI Project Manager / Security Officer at the centre, surrounded by IT, Human Resources, Development, Fraud and Operations.

Who should be part of my PCI DSS team?
Basically anyone who falls within the scope of PCI DSS may be a member of your PCI project team. A typical PCI DSS project team might consist of:
• In-scope employees
• IT Department staff / IT Manager
• Development staff
• Human Resources staff
• Operations management
• Security staff

Building & Maintaining PCI DSS Teams (2)
In order to determine what role each member of the PCI project team should have, we should first consider the elements that make up a security strategy.
Typically there are five key elements:
• Physical Security
• People Security
• Data Security
• IT Security
• Disaster Recovery and Business Continuity

Building & Maintaining PCI DSS Teams (3)
[Example roadmap chart, January 2012 to January 2014, with three lanes: User Awareness, Technical Solutions, Policy Work]
User Awareness:
• Awareness strategic session with HR Manager
• Staff Awareness Program – Phase 1
• Security awareness presentation to the Board
• HR training on how to deal with security incidents
• Senior managers refresher program
• Staff awareness campaign – posters, flyers, security events
• E-mail etiquette training for sales staff
• Staff Awareness Program – Phase 2
• Staff refresher sessions
Technical Solutions:
• Deploy new version of anti-virus on all gateways
• Review all firewall configuration settings
• Install laptop encryption software for managers
• Install laptop encryption software for all laptop & PDA users
• Decommissioning of old helpdesk system + roll-out of new helpdesk and CRM integrated solution
• Install and test all back-up systems at DR site
• Test all back-up tape units + upgrade back-up software
• Roll out VPN to all remote branches
• Fine-tune Internet & web content filters
Policy Work:
• Finalise DR scenarios + ERPs
• Develop and roll out storage policy
• Develop and roll out change management procedures
• Roll out encrypted e-mail usage policy
• Design helpdesk support & shared knowledge base policy
• Finalise AUPs
• Disseminate AUPs
• Roll out tele-working policy

Finally Getting Some Attention…User Awareness
• PCI DSS Requirement 12.6 states:
  – “The company needs to implement a formal security awareness program, and educate employees upon hire at least once annually on the importance of cardholder data security.”
  – PCI DSS requires every member of staff involved in storing, transmitting or processing cardholder data to be trained as to what PCI DSS is about, why and how to protect cardholder data, as well as best practice security.
• Qualified Security Assessors (QSAs) verify that awareness training is being delivered by randomly questioning employees about their security awareness levels for cardholder data. Organizations must be able to demonstrate compliance with 12.6.

PCI DSS – Integration with other standards
• PCI DSS can be mapped to other standards
  – E.g. HIPAA Security & Administrative Rules
  – E.g. ISO 27001
    • http://www.iso27001security.com/ISO27k_Mapping_ISO_27001_to_PCI-DSS_V1.2.pdf

Comparison Criteria                          ISO27k                               PCI DSS
Scope                                        Defined by the entity                Cardholder Data
Choice of Controls                           Wide                                 Very prescriptive
Flexibility in Implementation of Controls    High                                 Low
Ongoing Management of Compliance Status      Very granular and well documented    Not flexible and not comprehensive

Corporate Culture & Risk Management – The Overall Picture
[Diagram] Corporate Values → Corporate Ecosystem → Risk Management & Safeguards (DPA, PCI DSS & ISO 27001 compliance) → Residual Risk Surface, which needs to be managed by your organization through a Risk Management Strategy for internal and/or external risk management teams.

Best Practices – Achieve and Maintain Compliance with PCI DSS
• What first steps can you take?
  – Remember the five accreditation process steps
    • Education
    • Pre-assessment (internal)
    • Remediation
    • Actual Assessment
    • Continuous compliance
  – Mix of 3 key elements
    • Policies & procedures
    • Technical Solutions
    • Awareness Training
  – What do you do next?
    • Policies & procedures: draw up a list of P&Ps in place at your organization
    • Technical Solutions: update your network diagram + pen test
    • Awareness Training: identify in-scope employees and start the education process

Recommended Reading
www.pcisecuritystandards.org
www.vigitrust.com
http://searchcompliance.techtarget.com/tip/Does-using-ISO-27000-to-comply-with-PCI-DSS-make-for-better-security
http://searchsecurity.techtarget.co.uk/news/2240036890/PCI-virtualisation-With-new-guidelines-compliance-may-be-harder
http://searchsecurity.techtarget.co.uk/tip/Employee-information-awareness-training-PCI-policy-templates
http://searchsecurity.techtarget.co.uk/expert/Mathieu-Gorge
ENISA: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
NIST: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf

Networking Break

Peadar Duffy, RMI

Susan Hayes, The Positive Economist

Concluding Thoughts on How to Achieve and Maintain Compliance with PCI DSS
• PCI DSS is evolving – PCI DSS v3.0 is long awaited
• Mobility is here & the market welcomes the new guidance
  – However, we need the PCI SSC to invest its accumulated funds into helping the market with this new major challenge
• PCI DSS adoption growth rate is driven by Data Protection in the EU – this will continue
• PCI DSS adoption growth rate is driven by PHI and State PII in the US – this will continue, and a Federal law will come in
You need to start preparing now for upcoming changes in the standard and in legal frameworks incorporating PCI DSS.

3rd European PCI DSS Roadshow
Dublin, March 5th 2013
Mathieu.gorge@vigitrust.com
http://www.linkedin.com/in/mgorge
www.vigitrust.com
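The "Scoping your ecosystem for PCI DSS" slide asks for an asset inventory, data-flow diagrams and knowledge of where card data enters, transits and ends up. The following is an added example, not part of the deck or of VigiTrust's tooling, showing how those three documents can be checked against each other in code. It uses a constructed inventory for a hypothetical merchant (all asset names, zones and flows are invented) and applies the PCI DSS scoping rule: systems that store, process or transmit cardholder data form the CDE, systems that can reach the CDE over unsegmented links are also in scope, and only verified segmentation takes something out of scope. It also flags assets that appear in a data flow but are missing from the inventory, the kind of gap an assessor will find when comparing diagrams to the inventory.

```python
from collections import deque

# Constructed sample asset inventory for a hypothetical merchant (not real data).
# zone: network zone from the network diagram; handles_chd: stores, processes
# or transmits cardholder data (CHD) according to the data-flow diagram.
ASSETS = {
    "web-store":    {"zone": "dmz",      "handles_chd": True},
    "pay-api":      {"zone": "cde",      "handles_chd": True},
    "token-db":     {"zone": "cde",      "handles_chd": True},
    "fraud-engine": {"zone": "internal", "handles_chd": False},
    "crm":          {"zone": "internal", "handles_chd": False},
    "hr-portal":    {"zone": "internal", "handles_chd": False},
    "wifi-guest":   {"zone": "guest",    "handles_chd": False},
}

# Constructed data-flow diagram edges: (source, destination, carries_chd).
FLOWS = [
    ("web-store", "pay-api", True),
    ("pay-api", "token-db", True),
    ("pay-api", "fraud-engine", False),      # order metadata only, no card data
    ("fraud-engine", "crm", False),
    ("crm", "legacy-reporting", False),      # destination is missing from the inventory
]

# Constructed list of network links that segmentation does NOT block
# (what a firewall rule review would produce).
CONNECTIVITY = [
    ("fraud-engine", "pay-api"),
    ("crm", "fraud-engine"),
    ("hr-portal", "crm"),
    ("wifi-guest", "crm"),
]

# Zones isolated from the CDE by verified segmentation controls (assumption).
SEGMENTED_ZONES = {"guest"}


def cde_systems(assets, flows):
    """Systems that store, process or transmit CHD: the cardholder data environment."""
    cde = {name for name, attrs in assets.items() if attrs["handles_chd"]}
    for src, dst, carries_chd in flows:
        if carries_chd:
            cde.update({src, dst})
    return cde


def connected_to_cde(cde, assets, connectivity, segmented_zones):
    """Systems reachable from the CDE over unsegmented links; PCI DSS treats these
    as in scope too. Reachability is taken transitively (a conservative reading)."""
    neighbours = {}
    for a, b in connectivity:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    seen, queue = set(cde), deque(cde)
    while queue:
        node = queue.popleft()
        for nxt in neighbours.get(node, ()):
            zone = assets.get(nxt, {}).get("zone")
            if nxt in seen or zone in segmented_zones:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen - cde


def card_data_paths(flows):
    """Trace where card data enters, transits and ends up along CHD-carrying flows."""
    edges = {}
    for src, dst, carries_chd in flows:
        if carries_chd:
            edges.setdefault(src, []).append(dst)
    sinks = {dst for dsts in edges.values() for dst in dsts}
    entry_points = sorted(src for src in edges if src not in sinks)
    paths = []

    def walk(node, path):
        if node not in edges:
            paths.append(path)
            return
        for nxt in edges[node]:
            if nxt not in path:           # guard against cycles in the diagram
                walk(nxt, path + [nxt])

    for entry in entry_points:
        walk(entry, [entry])
    return paths


def pci_scope(assets, flows, connectivity, segmented_zones):
    """Classify every asset and flag assets referenced by a flow or link but absent
    from the inventory (a documentation gap an assessor will ask about)."""
    cde = cde_systems(assets, flows)
    connected = connected_to_cde(cde, assets, connectivity, segmented_zones)
    referenced = {n for src, dst, _ in flows for n in (src, dst)}
    referenced |= {n for a, b in connectivity for n in (a, b)}
    return {
        "cde": sorted(cde),
        "connected": sorted(connected),
        "out_of_scope": sorted(set(assets) - cde - connected),
        "undocumented": sorted(referenced - set(assets)),
        "chd_paths": card_data_paths(flows),
    }


if __name__ == "__main__":
    for key, value in pci_scope(ASSETS, FLOWS, CONNECTIVITY, SEGMENTED_ZONES).items():
        print(f"{key:>13}: {value}")
```

With the constructed data, the CRM and HR portal end up in scope purely because nothing segments them from the fraud engine, which can reach the payment API; the guest wireless zone stays out only because its segmentation is recorded as verified. Replacing the three constructed tables with exports from the real asset inventory, data-flow diagram and firewall rule review turns this into a repeatable check that the diagrams the "Required Documentation" slide lists are consistent with each other before an assessment.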