PCI Compliance - PowerPoint PPT Presentation

1
PCI Compliance
  • ATM Security in the Americas 2007
  • Las Vegas 11 September 2007
  • Wayne Varga

wayne.varga_at_k3des.com 801-386-3520
2
PCI Compliance
  • Avoiding PCI Compliance Traps
  • Tips for Buying PCI Compliant Products
  • Linking PCI Compliance to IT Governance
  • Achieving PCI Compliance with Minimal Staff
  • A Software Developer's Perspective on PCI
    Compliance

3
Avoiding PCI Compliance Traps
  • Trap 1: PCI compliance doesn't apply to me.
  • PCI applies to all organizations that are
    involved in the payment card industry in any way
    that touches account numbers.
  • If your organization has access to full account
    numbers of any form of payment card, then PCI
    applies to you.

4
Avoiding PCI Compliance Traps
  • Trap 2: PCI compliance only applies to big
    companies.
  • PCI compliance is required of all companies that
    touch full account numbers.
  • The only difference between large and small
    companies is how they validate compliance.

5
Avoiding PCI Compliance Traps
  • Trap 3: I can get PCI compliant on my own.
  • PCI compliance is complex enough that very few
    can do it effectively without outside help.
  • Engage an assessor early. They can help you focus
    in the right areas. This can drastically simplify
    the compliance process (and maybe reduce the
    cost).

6
Avoiding PCI Compliance Traps
  • Trap 4: Hiring an assessor is the most expensive
    part of becoming PCI compliant.
  • Assessors can be expensive, but their fees are
    small compared with the other costs:
      • Compliant hardware and software
      • Network security (firewalls, IDS)
      • Central logging and monitoring
  • Engage an assessor early. They can help you focus
    in the right areas. This can drastically simplify
    the compliance process (and maybe reduce the
    cost).

7
Avoiding PCI Compliance Traps
  • Trap 5: PCI assessors can't help me become
    compliant.
  • The assessors are your advocates with the card
    associations and their members.
  • They can and should assist you in becoming
    compliant.
  • There are not the same independence requirements
    as in financial audits. The card associations
    encourage assessors to consult with their clients
    and assist them in becoming compliant.

8
Avoiding PCI Compliance Traps
  • Trap 6: Only applications and systems that
    handle card numbers must be compliant.
  • PCI security requirements apply to any network
    component, server, or application included in, or
    connected to, the cardholder data environment
  • Without internal network segmentation, every
    system and application must meet PCI security
    requirements.

9
Avoiding PCI Compliance Traps
  • Trap 7: Buying PCI-compliant products makes you
    PCI compliant.
  • It is possible for your organization to NOT be
    PCI compliant, even when using PCI-Compliant
    products.
  • It is possible to be PCI Compliant, even if using
    no PCI-Compliant products (today).
  • PCI-Compliant products must be installed and
    maintained according to vendor instructions in
    order to be considered compliant.

10
What is a PCI-Compliant Product?
  • The general definition: A PCI-Compliant product
    is any product that helps an organization meet
    one or more of the PCI requirements.
  • The specific definition: A PCI-Compliant
    product is any product that has been tested by an
    approved testing entity to demonstrate compliance
    with specific requirements as put forth by Visa
    or another standards body. These are also called
    Validated or Approved products.

11
Validation Process
  • The product is installed and tested in a
    laboratory against specific technical
    requirements.
  • Supplied documentation is also reviewed for
    accuracy and completeness.
  • The validation process ensures that a company
    implementing this product is able to be
    compliant.
  • The existence of non-compliant features or
    insecure operating modes does not necessarily
    disqualify a product.
  • The vendor must prepare PCI implementation
    instructions for what the customer must do to
    meet PCI requirements

12
Validated PCI Products
  • Payment Applications
      • Not currently required, but highly recommended.
        See future requirements posted by VISA (required
        no later than 7/2010).
      • It is possible to use a non-validated application
        and still be PCI compliant.
      • It is possible to use a validated application and
        not be PCI compliant.
  • PIN Entry Devices
      • Currently required.
      • Requirements are becoming tighter.
      • It is not possible to be compliant without using
        validated products.

13
PIN Entry Devices
  • Effective now: All newly deployed devices must be
    on the list of approved devices. Newly deployed
    means installed for the first time in your
    organization.
  • July 1, 2010: All attended devices must be on the
    list of approved devices. This means all attended
    devices must be compliant, regardless of when
    they were installed.
  • There is no date set for installed unattended
    devices, such as ATMs, kiosks, or automated fuel
    dispensers

14
Buying PCI Compliant Products
  • Check the approved lists on Visa's website:
    www.visa.com/cisp (Payment Applications) and
    www.visa.com/pin (PIN Entry Devices).
  • Work closely with your assessor.
  • Before purchasing, review the vendor's PCI
    implementation documentation. Make sure what is
    required to meet PCI requirements matches your
    expectations.
  • Get everything in writing (PCI approvals,
    installation requirements, maintenance
    requirements, etc.)
  • Do not buy non-approved PIN Entry Devices, except
    as replacement for existing devices of the same
    model.

15
Linking PCI Compliance to IT Governance
  • PCI compliance is first about policy, second
    about implementation.
  • Without strong organizational policies and
    enforcement of those policies, it is impossible
    to achieve PCI compliance.
  • Therefore, PCI Compliance is inseparably linked
    to IT Governance, and vice versa.
  • It is impossible to be PCI Compliant without
    effective IT Governance.

16
PCI Compliance With Minimal Staff
  • Certain PCI requirements are difficult with a
    small staff:
      • Separation of duties (req. 6.3.3)
      • Code review by someone other than the author
        (6.3.7)
  • Some PCI requirements are very time consuming:
      • Keep current on security vulnerabilities (6.2)
      • Change control (6.4)
      • Review all logs at least daily (10.6)
      • Perform daily security procedures (12.2)

17
PCI Compliance With Minimal Staff
  • Automate as much as you can:
      • Log analysis tools
      • System logs
      • IDS logs
      • File Integrity Monitoring logs
  • Subscribe to newsgroups and industry publications on
    security and PCI.
  • Make the PCI requirements standard operating
    procedure.
  • Involve everyone, including management. Not
    everything in PCI is technical.
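As an added example (not from the presentation), the kind of small script the "automate as much as you can" advice points at: it reduces a day's system, IDS and File Integrity Monitoring log lines to the handful of findings a one-person team actually has to read for the daily log review. The log lines are constructed, and the log formats, thresholds and the allowlist of paths expected to change are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (not from the presentation): syslog auth events,
# one Snort-style IDS alert and file-integrity-monitor (FIM) change records.
SAMPLE_LOGS = """\
Sep 11 02:14:07 pos01 sshd[4123]: Failed password for root from 10.0.5.9 port 51234 ssh2
Sep 11 02:14:09 pos01 sshd[4123]: Failed password for root from 10.0.5.9 port 51240 ssh2
Sep 11 02:14:12 pos01 sshd[4123]: Failed password for root from 10.0.5.9 port 51244 ssh2
Sep 11 02:15:01 pos01 sshd[4130]: Accepted password for admin from 10.0.1.4 port 50001 ssh2
Sep 11 03:02:44 ids01 snort[811]: [1:2000537:7] ET SCAN NMAP -sS window 1024 [Priority: 2] {TCP} 10.0.5.9:55000 -> 10.0.2.20:443
Sep 11 04:00:10 pos01 fim[207]: CHANGED /etc/passwd sha256 old=ab12 new=cd34
Sep 11 04:00:10 pos01 fim[207]: CHANGED /var/log/app/today.log sha256 old=11aa new=22bb
"""

# Assumed log formats: the regexes below match the constructed lines above.
FAILED_RE = re.compile(r" (\S+) sshd\[\d+\]: Failed password for (\S+) from (\S+)")
IDS_RE = re.compile(r"snort\[\d+\]: (\[[\d:]+\] .*?) \[Priority: (\d)\] \{(\w+)\} (\S+) -> (\S+)")
FIM_RE = re.compile(r" (\S+) fim\[\d+\]: CHANGED (\S+)")

# Paths expected to change during normal operation (assumed allowlist); a FIM
# change anywhere else needs a human decision against change control.
EXPECTED_CHANGE_PREFIXES = ("/var/log/",)

def daily_review(log_text, fail_threshold=3, max_ids_priority=2):
    """Reduce a day's raw logs to the findings a small team must actually read."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            host, user, src = m.groups()
            failures[(host, user, src)] += 1
        elif m := IDS_RE.search(line):
            sig, prio, proto, src, dst = m.groups()
            if int(prio) <= max_ids_priority:  # Snort: priority 1 is most severe
                findings.append(f"IDS: {sig} ({proto} {src} -> {dst}), priority {prio}")
        elif m := FIM_RE.search(line):
            host, path = m.groups()
            if not path.startswith(EXPECTED_CHANGE_PREFIXES):
                findings.append(f"FIM: {path} changed on {host}; confirm against change control")
    # Individual failures are noise; a burst from one source for one account is a finding.
    for (host, user, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(f"AUTH: {n} failed logins for {user} on {host} from {src}")
    return findings

if __name__ == "__main__":
    for finding in daily_review(SAMPLE_LOGS):
        print(finding)
```

The reviewer still signs off on the findings each day; the script only decides which lines are worth a person's time.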

18
Software Development
  • PCI mandates good software development processes
  • PCI has many requirements on how software is
    developed
  • Requirement 6 covers software development
  • Keep everything current with latest patches
  • Secure by design, not by inspection
  • Follow a formal Software Development Life Cycle
    (SDLC)
  • Strict change control

19
Software Development
  • Developers either love or hate PCI.
  • Why developers love PCI:
      • It gives them an excuse to buy "cool" tools.
      • It requires management to follow defined
        processes in dealing with developers.
      • It limits their access to production
        environments.
  • Why developers hate PCI:
      • It requires them to use "limiting" tools.
      • It requires them to follow defined processes in
        developing and testing applications.
      • It requires others to review and critique their
        work.
      • It limits their access to production environments.

20
PCI Compliance
  • ATM Security in the Americas 2007
  • Las Vegas 11 September 2007
  • Wayne Varga

wayne.varga_at_k3des.com 801-386-3520