
3rd European PCI DSS Roadshow, Dublin, March 5th 2013






Presentation Transcript


  1. 3rd European PCI DSS Roadshow, Dublin, March 5th 2013. Mathieu.gorge@vigitrust.com, www.vigitrust.com. (c) VigiTrust 2003-2013

  2. Today’s Agenda

  3. Mathieu Gorge, CEO & Founder, VigiTrust. Memberships: ISSA WCC (since 2008), ISACA NYC (since 2009), PCI Council SIGs (since 2011). Articles: TechTarget (Security), ISACA, Searchstorage.com, Computer Fraud & Security, SC Magazine, ISSA Journal, Baseline. Founded VigiTrust in 2003; InfoSecurity Ireland Chairman; created the PCI DSS European Roadshow; Independent Security Expert for ENISA; East West Institute working groups; ANSI PHI reviewer; Geneva Security Forum; ISS World.

  4. About VigiTrust. CSMS: Compliance & Security Management Suite. 5 Pillars of Security Framework™: Physical Security, People Security, Data Security, IT Security, Crisis Management.

  5. Setting the PCI DSS Global Scene

  6. Payments Industry – a Definition. Payment security entails managing and securing payment data across an organization’s full order lifecycle, from the point of payment acceptance, through fraud management, fulfilment, customer service, funding and financial reconciliation, and transaction record storage. The presence of payment data at any of these points, whether on organization systems, networks or visible to staff, exposes the organization to risk. Therefore you need to fully understand your own ecosystem and payment data flow.

  7. 2010 to 2012 – A very busy time for PCI DSS • US remains the most compliant territory in terms of PCI DSS • Europe gaining traction • Appointment of Jeremy King as European Director • PCI DSS was updated in October 2010 • PCI DSS Lifecycle Update • Changes, or lack of same, in v2.0 • New guidance papers from the Council – 2011 & 2012 • Tokenization, P2PE, Wireless, Virtualization – includes Cloud Computing definitions • Cloud, Cloud, Cloud • Mobile, Mobile, Mobile • Visa – is the US really going Chip & PIN?

  8. Changes to Data Protection in the EU • Not a directive but a single regulation across the EU • Harmonization at European level…but with challenges • Applies to companies based outside the EU if they are active in the EU and offer services to EU citizens, even where the personal data is handled abroad • Right to be forgotten • Controllers’ responsibilities • Policies & procedures, staff training • Data processing impact assessment • Required if any processing is likely to present risks to individuals • Security • Both processors and controllers must put security measures in place • Fines • Data breach notification • Within 24 hours of noticing the breach • Data portability (service providers) & data transfers • Data Protection Officers

  9. Intersection between PCI DSS compliance and the DPA • Need for appropriate levels of security • Compliance with PCI DSS should enable compliance with key provisions of the DPA • The ICO in the UK made an example of Lush (Lush Cosmetics Ltd) • "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times” • For online retailers, the PCI DSS is clearly now best practice • Adherence to the PCI DSS should ensure compliance with the security obligations under the Act • The undertaking from Lush requires them to store only the minimum amount of payment data necessary to receive payments, and to keep it for no longer than necessary.

  10. Jeremy King PCI SSC

  11. Rowan Fogarty PortHand

  12. Perspectives on Continuous Compliance

  13. PCI DSS & GRC Process

  14. Understanding Your Ecosystem

  15. Scoping your ecosystem for PCI DSS • Scope your network’s perimeter to determine the ecosystem’s size • Traditional perimeter – either inside or outside the firewall • Cloud • Private / Public / Hybrid • Wireless networks – also part of your ecosystem • Mobile & I/O devices are also part of your ecosystem • Must be referenced in your asset inventory • Diagrams are key • Must cover your WHOLE ecosystem • Must be kept up to date • Flow of data between all ecosystem sub-areas must be clear • Know where the data comes from, where it might transit through, where it may be stored/copied, and where it ends up

  16. Required Documentation • Diagrams and Data Flows • Ecosystem Diagrams • Data Flow Diagrams • Network Diagrams • Asset Inventory • Acceptable Usage Policy for staff • Access Control Policy • Firewall Rules and Business Justification for Rules • AV, Anti-Spam and Intrusion Detection/Prevention Policy • Incident Response Plan • Hardening, Log and Patch Management Policy • Back-Up and Media Storage Policy • Security Assessment, Application Security & Vulnerability Management Policy • Management of Third Parties Policy

  17. Technical Solutions typically required for PCI DSS • Anti-Virus / Anti-Spam • Firewalls & VPNs • IDS/IPS • Web Filtering / Mail Filtering • IM monitoring • File Integrity • SIEM – Central Log solutions • Asset Management • PSD Mgt/Control • Encryption • Onsite vs Managed Services vs Cloud services?

  18. Building & Maintaining PCI DSS Teams (1) PCI Project Manager / Security Officer. An effective PCI DSS project team is essential to the success of your PCI compliance process in terms of raising security awareness, enforcing security policies and implementing technical solutions. The first step in creating a project team is to decide which staff members to include on the team. Who should be part of my PCI DSS team? Basically anyone who falls within the scope of PCI DSS may be a member of your PCI project team. A typical PCI DSS project team might consist of: • IT Department staff / IT Manager • Development staff • Human Resources staff • Operations management • Security staff

  19. Building & Maintaining PCI DSS Teams (2) In order to determine what role each member of the PCI Project team should have, we should first consider the elements that make up a security strategy. Typically there are five key elements: • Physical Security • People Security • Data Security • IT Security • Disaster Recovery and Business Continuity

  20. Building & Maintaining PCI DSS Teams (3)

  21. Finally Getting Some Attention…User Awareness • PCI DSS Requirement 12.6 states: • “The company needs to implement a formal security awareness program, and educate employees upon hire at least once annually on the importance of cardholder data security.“ • PCI DSS requires every member of staff involved in storing, transmitting or processing cardholder data to be trained as to what PCI DSS is about, why and how to protect cardholder data, and best practice security. • Qualified Security Assessors (QSAs) verify that awareness training is being delivered by randomly questioning employees about their security awareness levels for cardholder data. Organizations must be able to demonstrate compliance with 12.6.

  22. PCI DSS – Integration with other standards • PCI DSS can be mapped to other standards • E.g. HIPAA Security & Administrative Rules • E.g. ISO 27001 • http://www.iso27001security.com/ISO27k_Mapping_ISO_27001_to_PCI-DSS_V1.2.pdf

  23. Corporate Culture & Risk Management – The overall Picture Risk Management Strategy for Internal and/or external Risk Management Teams DPA, PCI DSS & ISO 27001 compliance

  24. Best Practices – Achieve and Maintain compliance with PCI DSS • What first steps can you take? • Remember the five accreditation process steps • Education • Pre-assessment (internal) • Remediation • Actual assessment • Continuous compliance • Mix of 3 key elements • Policies & procedures • Technical solutions • Awareness training • What do you do next? • Policies & procedures: draw up a list of the P&Ps in place at your organization • Technical solutions: update your network diagram + pen test • Awareness training: identify in-scope employees and start the education process

  25. Recommended Reading • www.pcisecuritystandards.org • www.vigitrust.com • http://searchcompliance.techtarget.com/tip/Does-using-ISO-27000-to-comply-with-PCI-DSS-make-for-better-security • http://searchsecurity.techtarget.co.uk/news/2240036890/PCI-virtualisation-With-new-guidelines-compliance-may-be-harder • http://searchsecurity.techtarget.co.uk/tip/Employee-information-awareness-training-PCI-policy-templates • http://searchsecurity.techtarget.co.uk/expert/Mathieu-Gorge • ENISA http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment • NIST http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf

  26. Networking Break

  27. Peadar Duffy RMI

  28. Susan Hayes The Positive Economist

  29. Concluding Thoughts on how to Achieve and Maintain compliance with PCI DSS • PCI DSS is evolving – PCI DSS v3.0 is long awaited • Mobility is here & the market welcomes the new guidance • However we need the PCI SSC to invest its accumulated funds into helping the market with this new major challenge • PCI DSS adoption growth is driven by Data Protection in the EU – this will continue • PCI DSS adoption growth is driven by PHI and state PII laws in the US – this will continue, and a federal law will come in • You need to start preparing now for upcoming changes in the standard and in the legal frameworks incorporating PCI DSS

  30. 3rd European PCI DSS Roadshow, Dublin, March 5th 2013. Mathieu.gorge@vigitrust.com, http://www.linkedin.com/in/mgorge, www.vigitrust.com
