Firehost Webinar: Getting Ready for PCI 3.0

An in-depth look at how to prepare for PCI 3.0. Join us as we discuss: scoping, dss, testing requirements, credit card security and threat & vulnerability management.

  • If you want to see more from Kurt Hagerman, you can visit his thought leadership page with the link below. http://www.firehost.com/company/speakers-and-experts/kurt-hagerman/
  • See full webinar with audio here: http://www.firehost.com/company/resources-and-multimedia/webinars/


Slide 1: Getting Ready for PCI 3.0
Kurt Hagerman, Chief Information Security Officer
Webinar Series: Part 1 of 6

Slide 2 (Agenda): What We’ll Cover
• Overview of Significant Changes
• Guidance on Addressing the Changes
• Observations on Anticipated Challenges
• Recommended Initial To-do List
• Next Time (Series Part 2)
• Address Your Questions
Submit your questions throughout the webinar via chat. We’ll address them live at the end or follow up offline.

Slide 3 (Significant Changes): Scoping
• More responsibility for fully defining and documenting the scope of the CDE:
  - Maintain an inventory of all systems within the CDE (NEW CONTROL)
  - Produce a cardholder data flow diagram (NEW CONTROL)
  - Perform pen testing to verify all segmentation (STRENGTHENED CONTROL)

Slide 4 (Significant Changes): Scoping (cont.)
• Shared responsibilities with service providers:
  - Maintain a list of control responsibilities with each provider (NEW CONTROL)
  - More specified testing of Service Provider controls (policies, procedures, etc.) throughout the 12 control families (NEW CONTROLS)
  - More acknowledgements of responsibilities: require service providers to sign written agreements with all of their customers (NEW CONTROL). Best practice until June 2015.

Slide 5 (Significant Changes): Threat & Vulnerability Management
• Evaluate evolving threats to systems not commonly affected by malware (STRENGTHENED CONTROL)
• More requirements to update vulnerabilities based on specific industry sources (STRENGTHENED CONTROL)
• New requirements around physical security of payment terminals (NEW CONTROL). Best practice until June 2015.
• Implement a methodology for pen testing that matches CDE design and risks (STRENGTHENED CONTROL)

Slide 6 (Significant Changes): Clarity & Reorganization
• Further breakdown of controls with additional testing requirements
• Elimination of redundant sub-controls
• More detailed guidance on logging and log review controls
• Specific controls for policy and procedure documentation throughout the 12 control families
• Integrated content from the guidance document into the DSS

Slide 7 (Additional Guidance): Implement PCI into Business-as-Usual Processes
• Monitor security controls to ensure effective operation
• Ensure failures are detected and addressed quickly
• Review changes to the environment and address the potential impact on scope
• Review the potential impact to scope of changes to organizational structure (for example, a company merger or acquisition)
• Conduct periodic reviews of DSS requirements to ensure they continue to operate as designed
• Annually review hardware and software used within the CDE and confirm their continued vendor support

Slide 8 (Observations on Changes): Positive Changes
• Addresses many of the well-known weaknesses in the DSS
• Reorganization and consolidation of controls makes the DSS easier to understand
• More detailed testing procedures and inclusion of guidance for each control provide needed clarification on how the controls apply and what QSAs will be looking for
• Clarification of scoping requirements and responsibility will help improve relationships between QSAs and their customers
• If the changes are embraced and QSAs do proper assessments, there should be a measurable improvement in credit card security

Slide 9 (Anticipated Challenges): Challenges
• Physical security controls for payment terminals: a significant hardship for retailers with large numbers of sites
• Detailed scoping requirements will be difficult for many smaller and mid-sized merchants
• Delineation of responsibilities between service providers and merchants
• Strengthened pen testing requirements will likely result in many organizations no longer being compliant, or at least increasing the scope of their CDE

Slide 10 (Anticipated Challenges): Challenges (cont.)
• Implementing PCI DSS into Business-as-Usual Processes
• PCI compliance has been seen as a once-a-year exercise
• Many organizations lack (mature) InfoSec organizations to make this happen
• Significant inertia of the checkbox compliance movement
• Immediate impact will likely mean increased time and costs for organizations to remain compliant
• Resistance to increased audit costs will put pressure on QSAs to perform proper assessments
• Already strained IT budgets will see further upward pressure, increasing the difficulty security officers have in justifying the costs

Slide 11 (Recommended To-Do List): Initial To-Do List
• Download the new DSS
  - Make notes where you have questions about how it may impact your organization
• Schedule a conversation with your QSA
  - Get their take on the new standard
  - Start developing a gap analysis of issues
• Choose a qualified service provider
  - Validated as a VISA/MasterCard service provider
  - Compliance experts on staff
  - Transparent and auditor friendly

Slide 12 (Up Next): What’s Next (Coming in Part 2)
• What to do in the next 12 months
• Getting more detailed with scoping
• Understanding payment terminal security
• Addressing pen testing challenges
• Don’t wait, start now

Slide 13: Q&A (Questions & Answers)

Slide 14 (Wrap Up): Thank You
Kurt Hagerman, Director of Information Security
Email: kurt.hagerman@firehost.com
Phone: 877 262 3473 x8073