PCI DSS Security and Compliance Taking on the Worl


Presentation Description

Australian Computer Society, Inc. Event Name: Information Security SIG - PCI DSS - Security and Compliance Taking On the World Event Date: 27 October 2009


Presentation Transcript

Shearwater Solutions: 

Shearwater Solutions – Protecting your Information Assets. ACS Security SIG, Stephan Overbeek, 27 October 2009

Agenda: 

Agenda

Securing credit card transactions: 

Securing credit card transactions

PCI DSS – History: 

PCI DSS – History: Visa / Mastercard – AIS, CISP, SDP, PCI

Purpose of PCI =: 

Purpose of PCI = Protect cardholder data

Payments – Stakeholders and parties: 

Payments – Stakeholders and parties: Merchant, Customer, Acquiring bank, Issuing bank, Various other parties

Stakeholders: 

Stakeholders

Applicability of PCI DSS: 

Applicability of PCI DSS: Merchant, Customer, Acquiring bank, Issuing bank, Service providers, Various other parties

Credit card lifecycle: 

Credit card lifecycle – Cardholder data: Capture, Processing, Transmit, Storage, Disposal (parties: Customer, Merchant, Acquirer)

PCI-SSC website: 

PCI-SSC website

Slide133: 

https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Minimising storage and protecting stored data: 

Minimising storage and protecting stored data

Minimising storage and protecting stored data: 

Minimising storage and protecting stored data

PCI SSC – Three standards: 

PCI SSC – Three standards: Manufacturers – PCI PTS (Payment Transaction Security)

Complying with PCI DSS: 

PCI’s twelve requirements

Complying with PCI DSS – example: 

Complying with PCI DSS: so organisations need to comply with 211 requirements, and auditors need to conduct 261 testing procedures.

Validation requirements: 

Complying with PCI DSS – example

Validation requirements: 

Validation requirements

Validation versus Compliance: 

Validation requirements: at all times, you need to comply with all 211 requirements in PCI DSS!

Determining level (for merchants, example): 

Validation versus Compliance

What if you do not validate compliance?: 

Determining level (for merchants, example)

What if you do not validate compliance?: 

What if you do not validate compliance?

What if you do not validate compliance?: 

What if you do not validate compliance?

What if you do not validate compliance?: 

Complying with PCI DSS

Slide137: 

PCI remediation and compliance – Three phases: PCI pre-review assessment, Remediation, PCI on-site review by QSA

PCI remediation and compliance – Three phases: 

Remediation models

Remediation models: 

Remediation for PCI DSS: Shearwater’s Layered Remediation Model

Remediation for PCI DSS: Shearwater’s Layered Remediation Model: 

Layered design: Physical security, Systems security, Network security, Storage security, Application security, Identity and access management, Management, Documentation

Layered design: 

Layered design: Physical security, Identity and access management

Layered design: 

Implementation – step 1: Physical security, Identity and access management

Implementation – step 1: 

Implementation – step 2: Physical security, Identity and access management

Implementation – step 2: 

Implementation – step 3: Physical security, Identity and access management

Implementation – step 3: 

PCI SSC’s Prioritised Approach

PCI SSC’s Prioritised Approach: 

Prioritised Approach

Prioritised Approach: 

PCI DSS for increased security

PCI DSS for increased security: 

PCI DSS for increased security

PCI DSS for increased security: 

Alternatives for PCI DSS

Alternatives for PCI DSS: 

Total PCI offering: PCI auditing services, PCI consulting services, Network security scan (Shearwater is not an ASV), On-site review (QSA), SAQ assistance, Network vulnerability scanning, Network penetration testing, Pre-review assessment, Remediation, Security design, Forensics

Slide125: 

Contact details
