Step 2 Scoping - PowerPoint PPT Presentation
Provided by: srjo2
Slides: 19

1
Step 2 Scoping
  • Define the scope for compliance with network
    segmentation

2
PCI Scope
  • Any network component, server or application
    included in or connected to the part of the
    network that stores, processes or transmits
    cardholder or sensitive authentication data

[Slide diagram: "MERCHANT SITE IT COMPONENTS". The Internet connects through a Firewall to a Web Server, Application Server and Database Server that hold Cardholder Data; Web Applications sit on these. Supporting components shown: Router, Load balancer, DNS server, Mail Server, OS, IP Services.]
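The scope rule on this slide pulls in two kinds of systems: those that handle cardholder data (the CDE) and anything connected to them, and segmentation reduces scope by cutting the connections. The following is an added example, not part of the presentation: it applies that rule to a constructed asset inventory and a constructed list of firewall-permitted flows (all names hypothetical) and shows how removing one permitted flow takes a system out of scope.

```python
from typing import Dict, List, Set, Tuple

# Constructed inventory: asset -> True if it stores, processes or transmits
# cardholder data (CHD); these assets form the cardholder data environment.
ASSETS: Dict[str, bool] = {
    "web-server": True,
    "app-server": True,
    "db-server": True,
    "load-balancer": False,
    "dns-server": False,
    "mail-server": False,
    "hr-fileshare": False,
}

# Constructed list of flows the firewall permits, as (source, destination).
# A permitted flow in either direction counts as "connected to" the CDE.
FLOWS: List[Tuple[str, str]] = [
    ("load-balancer", "web-server"),
    ("web-server", "app-server"),
    ("app-server", "db-server"),
    ("web-server", "dns-server"),
    ("mail-server", "hr-fileshare"),
]

def classify_scope(assets: Dict[str, bool], flows: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Split assets into the CDE, assets connected to the CDE (also in
    scope per the slide's rule), and assets segmentation keeps out of scope."""
    cde = {name for name, handles_chd in assets.items() if handles_chd}
    connected: Set[str] = set()
    for src, dst in flows:
        if src in cde and dst not in cde:
            connected.add(dst)
        if dst in cde and src not in cde:
            connected.add(src)
    out_of_scope = set(assets) - cde - connected
    return {"cde": cde, "connected": connected, "out_of_scope": out_of_scope}

def scope_after_segmentation(assets, flows, blocked_flow):
    """Re-run the classification with one permitted flow removed, i.e. after
    a firewall rule is tightened, to show how segmentation shrinks scope."""
    remaining = [flow for flow in flows if flow != blocked_flow]
    return classify_scope(assets, remaining)

if __name__ == "__main__":
    before = classify_scope(ASSETS, FLOWS)
    after = scope_after_segmentation(ASSETS, FLOWS, ("web-server", "dns-server"))
    print("in scope before:", sorted(before["cde"] | before["connected"]))
    print("in scope after: ", sorted(after["cde"] | after["connected"]))
```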
3
Step 3 Gap Analysis
  • Understand the technical and operational
    requirements and determine your needs

4
Payment Card Industry Data Security Standard
5
9. Restrict Physical Access
  • Ensure visitors are authorized before entering
    areas where CHD is maintained, and receive a
    physical token that identifies them as
    non-employees.
  • Use and retain a visitor log for at least three
    months.
  • Physically secure all paper media that contain
    CHD.
  • Require management approval of media containing
    CHD moved from a secured area.
  • Maintain strict control over storage and
    accessibility of media with CHD.
  • Destroy media containing CHD when no longer
    needed.

6
12. Maintain an Info Security Policy
  • Establish and disseminate a security policy
    addressing PCI DSS requirements, includes an
    annual process for identifying vulnerabilities
    and formally assessing risks, and includes a
    review at least once a year and when the
    environment changes.
  • Develop daily operational security procedures
    consistent with PCI DSS.
  • Ensure that the security policy and procedures
    clearly define information security
    responsibilities for all employees and
    contractors.

7
Policy Requirements
8
Incident Response
  • Notify
      • appropriate law enforcement authorities
      • FSO-Bursars Department Services, which will
        coordinate reporting to Bank of America
      • Info Sec, which coordinates
          • Virtual Security Incident Response Team (VSIRT)
          • Breach notification
  • Make a note of all actions taken
  • Document local procedures

9
UA Resources
  • Information Security Standards and Guidelines
      • Reviewed/updated annually
      • Listed at http://security.arizona.edu/pci
  • VISA If Compromised website
    (http://usa.visa.com/merchants/risk_management/cisp_if_compromised.html)
  • Virtual Security Incident Response Team (VSIRT)
      • Incident reporting link at http://security.arizona.edu/pci
  • Annual awareness program (http://security.arizona.edu/pci)
  • Contract provisions for 3rd party vendor
    proposals and agreements
    (http://security.arizona.edu/files/PCIContractProvision.pdf)

10
Step 4 Implementation
  • Implement the requirements to address
    non-compliant findings

11
Remediation
  • Correct/close identified vulnerabilities or gaps
  • Test compensating controls
  • Test remediating controls

12
Step 5 SAQ Validation
  • Fill out the Self-Assessment Questionnaire

13
Self Assessment Questionnaires
14
Compensating Controls
  • Meet the intent and rigor of the requirement
      • Rigor: provides as much assurance (effectiveness)
        as the control in the standard
      • Intent: fulfills the same goal as the control in
        the standard
  • Temporary: not intended for long-term use
  • Requires QSA concurrence
  • Can use compliance with another requirement, if
    it is not required for you
  • Can't use compliance with another requirement if
    it's already required
      • Unless you deploy new/additional controls

15
Sample Worksheet
  1. Constraints: List constraints precluding
     compliance with the original requirement.

     Company XYZ employs stand-alone Unix servers
     without LDAP. As such, they each require a
     root login. It is not possible for Company XYZ
     to manage the root login, nor is it feasible to
     log all root activity by each user.

  2. Objective: Define the original control;
     identify the objective met by the compensating
     control.

     The objective of requiring unique logins is
     twofold. First, it is not considered acceptable
     from a security perspective to share login
     credentials. Secondly, shared logins make it
     impossible to state definitively that a person is
     responsible for a particular action.

  3. Identified Risk: Identify any additional
     risk posed by the lack of the original control.

     Additional risk is introduced to the access
     control system by not ensuring all users have a
     unique ID and are able to be tracked.

  4. Definition of Compensating Controls: Define
     the compensating controls and explain how they
     address the objectives of the original control
     and the increased risk, if any.

     Company XYZ is going to require all users to log
     into the servers from their desktop using the SU
     command. SU allows a user to access the root
     account and perform actions under the root
     account but is able to be logged in the su-log
     directory. In this way, each user's actions can
     be tracked through the SU account.

  • Source: Appendix C, Compensating Controls Worksheet
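The compensating control in the worksheet only meets the objective (accountability for root actions) if every root session can be traced back to a named user from the logs, and direct root logins no longer occur. The following is an added example, not part of the presentation or the PCI worksheet: it parses a constructed, syslog-style sample of su and PAM session records (hostnames, users and the exact line formats are assumed) and separates root sessions attributable to a named user from root sessions with no one behind them.

```python
import re

# Constructed sample auth log: two root sessions reached via su, and one
# direct root login over ssh that the compensating control should eliminate.
SAMPLE_LOG = """\
Jun 12 09:01:10 unixsrv1 su[2201]: (to root) alice on pts/0
Jun 12 09:01:10 unixsrv1 su[2201]: pam_unix(su:session): session opened for user root by alice(uid=1001)
Jun 12 09:14:33 unixsrv1 su[2290]: (to root) bob on pts/1
Jun 12 09:14:33 unixsrv1 su[2290]: pam_unix(su:session): session opened for user root by bob(uid=1002)
Jun 12 09:30:02 unixsrv1 sshd[2400]: Accepted password for root from 10.0.0.5 port 51234 ssh2
Jun 12 09:30:02 unixsrv1 sshd[2400]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# su records the original user, the target account and the terminal, which is
# exactly the attribution the worksheet relies on.
SU_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) su\[\d+\]: "
    r"\(to (?P<target>\w+)\) (?P<user>\w+) on (?P<tty>\S+)"
)
# PAM session-open records; the "by" name is empty when no named user stands
# behind the root session (e.g. a direct root login).
ROOT_SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<svc>\w+)\[\d+\]: "
    r"pam_unix\(\w+:session\): session opened for user root by (?P<by>\w*)\(uid=\d+\)"
)

def attribute_root_sessions(log_text):
    """Return (attributed, unattributed).

    attributed:   list of (timestamp, user, tty) for root sessions reached via
                  su, i.e. actions that can be tied to an individual.
    unattributed: list of (timestamp, service) for root sessions with no named
                  user, which the compensating control should never produce."""
    attributed, unattributed = [], []
    for line in log_text.splitlines():
        m = SU_RE.match(line)
        if m and m.group("target") == "root":
            attributed.append((m.group("ts"), m.group("user"), m.group("tty")))
            continue
        m = ROOT_SESSION_RE.match(line)
        # su's own PAM line duplicates the record above, so only non-su
        # services with an empty "by" field count as unattributed.
        if m and m.group("svc") != "su" and not m.group("by"):
            unattributed.append((m.group("ts"), m.group("svc")))
    return attributed, unattributed

if __name__ == "__main__":
    ok, gaps = attribute_root_sessions(SAMPLE_LOG)
    print("attributed root sessions:", ok)
    print("unattributed root sessions (control gap):", gaps)
```

A non-empty unattributed list is evidence for the QSA that the control is not yet in force on that server.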

16
Attestation of Compliance
  • Accepted by all payment brands
  • Complete and sign
  • Provide to acquirer

I have read the PCI DSS and I recognize that I
must maintain full PCI DSS compliance at all
times.
17
Step 6 Scan Validation
  • Obtain a vulnerability scan, if required

18
Step 7 Stay Compliant