Академический Документы
Профессиональный Документы
Культура Документы
Bob Russo
PCI SECURITY STANDARDS
COUNCIL
Development
Management
Education
Awareness
PCI Security Standards
Protection of Cardholder Payment Data
Merchants &
Software Service
Manufacturers
Developers Providers
PCI PTS PCI Security
PCI PA-DSS PCI DSS & Compliance
Pin Entry
Payment Secure
Devices
Applications Environments
P2PE
3
PCI Update
4
Submit feedback today
2012: Feedback Year https://programs.pcissc.org/
Implementation
Feedback
Formal
Feedback
Draft Revisions
Feedback
POI Security Requirements V3.1
Errata
Standard 12-18 months after
initial publication
9
PCI Bridge of Compliance
Compliance
What is a PCI Lifecycle Approach
Lack of awareness by IT
practitioners
Incentive to keep security a primary
focus
Quickly evolving technology
landscape
Rapid development and distribution
of new solutions
Still unnecessary exposure of CHD
Eliminate the Simple
92% 96%
17
Reduce the Attack Surface
Meet regularly
Maintain a CHD with those able to
DLP Methodology
Dataflow Diagram create cardholder
data pathways
Partner with Trusted Experts
Engage
Engage
IT inIT
theinthreat
the threat Incentive to attend training
Security as Business Goal
modeling
modeling
processprocess annually
If your engineers do not know what constitutes a security bug, they will find
none when reviewing their work
Building a PCI Leadership Team
Keep it simple
Fail-safe default
Open design
Separation of privilege
Minimize shared
resources
Localize Security
Prevent New Types of Exposure
Create a threat model for cardholder data
Using that threat model as a gap analysis before your QSA or PA-QSA assessment
Defining and Following Best Practices
Have Clear Asset Identification of Payment Account Data
Enterprise
DLP ASV
Application Use Policy
Methodology Scanning
Store
Testing the Policy
Have
Test the Re-evaluate the environmental
documentation policies values
changed?
Test the Strategy
33
May Discover Ways to Simplify the Process
Reduce number of
Any exposure of cardholder
departments and individuals
data beyond acceptance?
with direct access
Simplify the Environment
Remove
unnecessary
systems
Use compliant
service providers
and partners
Simplify Payment Application
Development
Development team
aware of need to
protect data
Lab Validated
Applications
Simplify the Implementation
Installation
consistently aligns
with policy
Installed to
specification by a
qualified professional
Use of Trusted Devices
Lab Accredited
Devices
Aware of skimming
attacks
What the Council is Doing to Help
1 Creating P2PE requirements
Eliminate by:
Outsourcing
Eliminate by:
Outsourcing
Removing
Eliminate by:
Outsourcing
Removing
Encrypting
Eliminate by:
Outsourcing
Removing
Encrypting
3rd Party Validation
Point-of- Payment
Sale Device Application
Eliminate by:
Outsourcing
Removing
Encrypting
3rd Party Validation
Point-of-
Sale Device
46
New Guidance - Technologies in Payments
Telephone-based Virtualization
Payment Card Data
https://www.pcisecuritystandards.org/training/index.php
Special Interest Groups (SIGs)
sigs@pcisecuritystandards.org
Email today
to join!
Community Meetings
Compliance
Information Officers
Chief Security Forensic
Security Technologists
Officers Investigators
Professionals Join! Becomea
Participating
Organizationtoday
Data Security
IT Managers Risk Managers Legal Experts
Experts
Chief
Information
Officers
Questions?