PCI DSS Security and Compliance Taking on the Worl


Published on October 27, 2009

Author: AustralianComputerSo

Source: authorstream.com

Content

Title slide: Shearwater Solutions – Protecting your Information Assets. ACS Security SIG, presented by Stephan Overbeek, 27 October 2009.

Agenda.

Securing credit card transactions.

PCI DSS – History: the card brands' own programmes, Visa's AIS and CISP and Mastercard's SDP, preceded the single PCI standard.

Purpose of PCI: protect cardholder data.

Payments – Stakeholders and parties: merchant, customer, acquiring bank, issuing bank, and various other parties.

Stakeholders.

Applicability of PCI DSS: merchant, customer, acquiring bank, issuing bank, service providers, and various other parties.

Credit card lifecycle (customer, merchant, acquirer): cardholder data is captured, transmitted, processed, stored and finally disposed of; each stage is in scope.

PCI SSC website: https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf

Minimising storage and protecting stored data.

PCI SSC – Three standards: PCI DSS (merchants and service providers), PA-DSS (payment application vendors) and PCI PTS, PIN Transaction Security (device manufacturers).

Complying with PCI DSS: PCI's twelve requirements.

Complying with PCI DSS – example: organisations need to comply with 211 requirements, and auditors need to conduct 261 testing procedures.

Validation requirements.

Validation versus compliance: at all times you need to comply with all 211 requirements in PCI DSS; validation is only the periodic demonstration of that compliance.

Determining level (for merchants, example).

What if you do not validate compliance?

PCI remediation and compliance – Three phases: (1) PCI pre-review assessment, (2) remediation, (3) PCI on-site review by a QSA.

Remediation models.

Remediation for PCI DSS – Shearwater's Layered Remediation Model: physical security, systems security, network security, storage security, application security, management and documentation, with identity and access management running through the layers.

Layered design; Implementation – steps 1, 2 and 3: the layered model built up in three steps, from physical security through to identity and access management.

PCI SSC's Prioritised Approach.

PCI DSS for increased security.

Alternatives for PCI DSS.

Total PCI offering – PCI auditing services and PCI consulting services: network security scan (Shearwater is not an ASV), on-site review (QSA), SAQ assistance, network vulnerability scanning, network penetration testing, pre-review assessment, remediation, security design, forensics.

Contact details.
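The "minimising storage and protecting stored data" slide is the point where a practitioner usually has to go and find where card numbers have leaked into logs, exports and databases before they can be removed or masked. The following is an added example, not part of the presentation or of Shearwater's material: it scans text for 13 to 19 digit candidates, confirms them with the Luhn check (so timestamps and order numbers are mostly rejected), and masks them to the first six and last four digits, the most that PCI DSS 3.3 allows to be displayed. The log lines are constructed for the example.

```python
"""Find and mask primary account numbers (PANs) in free text.

Added example for the "minimising storage and protecting stored data" point.
Assumptions: PANs are 13-19 digits, optionally separated by spaces or
hyphens; the display rule used for masking is PCI DSS 3.3 (first six and
last four digits may remain). The sample log lines below are constructed.
"""
import re

# A candidate PAN: 13-19 digits, each optionally followed by a space or
# hyphen. The look-around guards stop a longer digit run (e.g. a 20-digit
# identifier) from being matched as a shorter PAN inside it.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"\D", "", candidate)


def is_pan(candidate: str) -> bool:
    """Length and Luhn check on a candidate (separators allowed)."""
    digits = _digits_only(candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask the rest with '*'."""
    digits = _digits_only(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, as digit-only strings."""
    return [_digits_only(m.group(0))
            for m in _CANDIDATE.finditer(text)
            if is_pan(m.group(0))]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m):
        return mask_pan(m.group(0)) if is_pan(m.group(0)) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


# Constructed sample log lines: a real-looking Visa test PAN with spaces,
# a Mastercard test PAN, and two long numbers that are not card numbers.
SAMPLE_LOG = (
    "2009-10-27 10:15:02 INFO order=1256601600000 card=4111 1111 1111 1111 amount=42.00\n"
    "2009-10-27 10:15:03 DEBUG pan=5500000000000004 exp=12/11\n"
    "2009-10-27 10:15:04 INFO ref=1234567890123456 status=ok\n"
)

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Running the block prints the two real PANs and the log with both masked; the 16-digit reference number on the third line is left alone because it fails the Luhn check. A scanner like this is a discovery aid, not a control: once PANs are found in a log, the fix is to stop writing them there, not to keep redacting.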
