
3rd European PCI DSS Roadshow

Dublin, March 5th 2013

(c) VigiTrust 2003-2013

[email protected]

www.vigitrust.com

Today’s Agenda

Start   Finish  Dublin                                                            Description
08:30   09:00   Registration                                                      Main event registration run by VigiTrust
09:00   09:10   Welcome Note                                                      Provided by VigiTrust
09:10   09:55   Keynote – PCI SSC Perspective                                     Jeremy King, European Director, PCI SSC
09:55   10:10   Mobility & Retail - Impact for Payments & Security                Rowan Fogarty, Managing Director at PortHand
10:10   10:30   PCI DSS - Perspective on Continuous Compliance                    Mathieu Gorge, CEO, VigiTrust
10:30   10:50   Break                                                             Tea/Coffee Break
10:50   11:20   Payments as part of Critical National Operations – Risks Overview Peadar Duffy, Chairman, RMI
11:20   11:50   The Positive Economist – A Perspective on Payments                Susan Hayes, founder, The Positive Economist
11:50   12:00   Concluding thoughts                                               VigiTrust
12:00   12:15   Q&A session                                                       Moderated Q&A with speakers

Mathieu Gorge, CEO & Founder, VigiTrust

• Founded VigiTrust in 2003
• InfoSecurity Ireland Chairman
• Created PCI DSS European RS
• Independent Security Expert for ENISA
• East West Institute working groups
• ANSI – PHI reviewer
• Geneva Security Forum
• ISS World
• ISSA WCC (since 2008)
• ISACA NYC (since 2009)
• PCI Council SIGs (since 2011)
• Articles – techTarget (Security), ISACA, Searchstorage.com, Computer Fraud & Security, SC Magazine, ISSA Journal, Baseline

About VigiTrust

CSMS – Compliance & Security Management Suite
• SAMS – Security Accreditation Management System (Enterprise)
• MCP – Merchant Compliance Portal (Aggregators)
• eSEC – Security eLearning Modules (Mid-Size)

5 Pillars of Security Framework™: Physical Security, People Security, Data Security, IT Security, Crisis Management

Setting the PCI DSS Global Scene

Payments Industry – a Definition

Payment security entails managing and securing payment data across an organization’s full order lifecycle, from the point of payment acceptance, through fraud management, fulfilment, customer service, funding and financial reconciliation, and transaction record storage.

The presence of payment data at any of these points, whether on organization systems, networks or visible to staff, exposes the organization to risk.

Therefore you need to fully understand your own ecosystem and payments data flow.

2010 to 2012 – A very busy time for PCI DSS

• US remains the most compliant territory in terms of PCI DSS
• Europe gaining traction
  – Appointment of Jeremy King as European Director
• PCI DSS was updated in October 2010
  – PCI DSS Lifecycle Update – changes, or lack of same, in v2.0
• New guidance papers from the Council – 2011 & 2012
  – Tokenization, P2PE, Wireless, Virtualization – includes Cloud Computing
  – Definitions – Cloud, Cloud, Cloud – Mobile, Mobile, Mobile
• Visa – is the US really going Chip & PIN?

Changes to Data Protection in the EU

• Not a directive but a single regulation in the EU
  – Harmonization at European level… but with challenges
• Applies to companies based outside the EU if personal data is handled abroad by companies that are active in the EU and offer services to EU citizens
• Right to be forgotten
• Controllers’ responsibilities
  – Policies & procedures, staff training
• Data processing impact assessment – if any data is likely to present risks to individuals
• Security – both processors and controllers must put security measures in place
• Fines
• Data breach notification
  – Within 24 hours of noticing the breach
• Data portability (service providers) & data transfers
• Data Protection Officers

Intersection between PCI DSS compliance and the DPA

• Need for appropriate levels of security
• Compliance with PCI DSS should enable compliance with key provisions of the DPA
• ICO in the UK made an example of Lush (Lush Cosmetics Ltd)
  – "This breach should serve as a warning to all retailers that online security must be taken seriously and that the Payment Card Industry Data Security Standard or an equivalent must be followed at all times”
  – For online retailers, the PCI DSS is clearly now best practice
  – Adherence to the PCI DSS should ensure compliance with the security obligations under the Act
  – Undertaking from Lush requires them to only store the minimum amount of payment data necessary to receive payments, and keep it for no longer than necessary.

Jeremy King, PCI SSC

Rowan Fogarty, PortHand

Perspectives on Continuous Compliance

PCI DSS & GRC Process

[Diagram: Continuous Compliance Process, Step 1 to Step 5]

Regulatory, Legal and Corporate Governance Frameworks: SOX, SAS 70 II, PCI DSS, HIPAA, EU Data Protection, Others

GRC Process elements:
• Self-Governed Pre-Assessment
• Remediation Work
• Policies & Procedures
• Education & Security Awareness
• Specialized Skills Transfer
• Official Assessors & Auditors
• Network & Hardware Security
• Application Security

Understanding Your Ecosystem

Scoping your ecosystem for PCI DSS

• Scope your network’s perimeter to determine the ecosystem’s size
  – Traditional perimeter – either in or out of the firewall
  – Cloud
    • Private / Public / Hybrid
  – Wireless networks – also part of your ecosystem
  – Mobile & I/O devices are also part of your ecosystem
    • Must be referenced in your asset inventory
• Diagrams are key
  – Must cover your WHOLE ecosystem
  – Must be kept up to date
• Flow of data between all ecosystem sub-areas must be clear
  – Know where the data comes from, where it might transit through, where it may be stored/copied, where it ends up
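As an added illustration (not code from the slides or from VigiTrust), the script below applies the scoping rule above to a constructed, hypothetical retailer: it walks a data-flow model from the point of acceptance, treats hops that tokenize or truncate the PAN as the end of the cardholder-data path, adds unsegmented neighbours as connected-to systems, and reports what the diagram shows but the asset inventory does not. Every system name, flow and inventory entry is invented for the example.

```python
"""Added example, not code from the VigiTrust slides: decide which systems of a
constructed retailer are in PCI DSS scope by propagating cardholder data (CHD)
along a data-flow model (where it comes from, transits, is stored, ends up)."""
from collections import deque

# Constructed flows: (source, destination, what happens to the CHD on this hop).
# None = full CHD forwarded unchanged; "tokenize"/"truncate" = not CHD in this model.
FLOWS = [
    ("pos_terminal", "store_switch", None),
    ("store_switch", "payment_gateway", None),
    ("payment_gateway", "acquirer", None),
    ("payment_gateway", "token_vault", None),
    ("token_vault", "order_db", "tokenize"),   # order DB only ever sees tokens...
    ("order_db", "crm_app", None),              # ...so the CRM downstream does not either
    ("payment_gateway", "gateway_log", None),   # full PAN copied into debug logs
    ("gateway_log", "siem", "truncate"),        # SIEM receives truncated PANs only
]
ACCEPTANCE_POINTS = {"pos_terminal"}   # where CHD enters the ecosystem
# Unsegmented network adjacency: pairs that can reach each other freely.
CONNECTED = [("store_switch", "staff_wifi"), ("order_db", "reporting_db")]
# Constructed asset inventory; gateway_log and staff_wifi were never recorded.
INVENTORY = {"pos_terminal", "store_switch", "payment_gateway", "acquirer",
             "token_vault", "order_db", "crm_app", "siem", "reporting_db"}

def chd_systems(flows, acceptance_points):
    """Systems that store, process or transmit CHD: breadth-first walk from the
    acceptance points, following only hops that forward CHD unchanged."""
    out_edges = {}
    for src, dst, transform in flows:
        out_edges.setdefault(src, []).append((dst, transform))
    reached, queue = set(acceptance_points), deque(acceptance_points)
    while queue:
        for dst, transform in out_edges.get(queue.popleft(), []):
            if transform is None and dst not in reached:
                reached.add(dst)
                queue.append(dst)
    return reached

def connected_to_scope(chd, connected):
    # Systems with unrestricted access to a CHD system are in scope even without CHD.
    return {b for a, b in connected if a in chd and b not in chd} | \
           {a for a, b in connected if b in chd and a not in chd}

def scope_report(flows=FLOWS, acceptance=ACCEPTANCE_POINTS, connected=CONNECTED, inventory=INVENTORY):
    chd = chd_systems(flows, acceptance)
    adjacent = connected_to_scope(chd, connected)
    return {"chd_systems": sorted(chd),
            "connected_systems": sorted(adjacent),
            "not_in_inventory": sorted((chd | adjacent) - inventory)}  # diagram vs. inventory gap
```

Calling `scope_report()` on the sample shows the debug log and the staff Wi-Fi in scope yet absent from the inventory, while the tokenized order database and the CRM behind it stay out.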

Required Documentation

• Diagrams and data flows
  – Ecosystem diagrams
  – Data flow diagrams
  – Network diagrams
• Asset inventory
• Acceptable Usage Policy for staff
• Access Control Policy
• Firewall rules and business justification for rules
• AV, Anti-Spam and Intrusion Detection/Prevention Policy
• Incident Response Plan
• Hardening, Log and Patch Management Policy
• Back-Up and Media Storage Policy
• Security Assessment, Application Security & Vulnerability Management Policy
• Management of Third Parties Policy

Technical Solutions typically required for PCI DSS

• Anti-Virus / Anti-Spam
• Firewalls & VPNs
• IDS/IPS
• Web filtering / mail filtering
• IM monitoring
• File integrity
• SIEM – central log solutions
• Asset management
• PSD management/control
• Encryption

• Onsite vs managed services vs cloud services?

Building & Maintaining PCI DSS Teams (1)

An effective PCI DSS project team is essential to the success of your PCI compliance process in terms of raising security awareness, enforcing security policies and implementing technical solutions. The first step in creating a project team is to decide which staff members to include on the team.

Who should be part of my PCI DSS team?

Basically anyone who falls within the scope of PCI DSS may be a member of your PCI project team. A typical PCI DSS project team might consist of:

• IT Department staff / IT Manager
• Development staff
• Human Resources staff
• Operations management
• Security staff
• PCI Project Manager / Security Officer

Building & Maintaining PCI DSS Teams (2)

In order to determine what role each member of the PCI Project team should have, we should first consider the elements that make up a security strategy. Typically there are five key elements:

• Physical Security
• People Security
• Data Security
• IT Security
• Disaster Recovery and Business Continuity

Building & Maintaining PCI DSS Teams (3)

[Gantt chart, January 2012 to January 2014, with three swimlanes: Policy Work, Technical Solutions, User Awareness]

Policy Work:
• Finalise AUPs
• Disseminate AUPs
• Finalise DR scenarios + ERPs
• Develop and roll out Change Management procedures
• Develop and roll out Storage Policy
• Roll out Encrypted E-mail Usage Policy
• Roll out Tele-Working Policy
• Design Helpdesk Support & Shared Knowledge Base Policy

Technical Solutions:
• Fine tune Internet & web content filters
• Roll out VPN to all remote branches
• Review all firewall configuration settings
• Deploy new version of anti-virus on all gateways
• Test all back-up tape units + upgrade back-up software
• Install and test all back-up systems at DR site
• Install laptop encryption software for managers
• Install laptop encryption software for all laptop & PDA users
• Decommissioning of old helpdesk system + roll-out of new helpdesk and CRM integrated solution

User Awareness:
• Awareness strategic session with HR Manager
• Staff Awareness Program – Phase 1
• Staff Awareness Program – Phase 2
• Staff awareness campaign – posters, flyers, security events
• Senior Managers Refresher Program
• Staff refresher sessions
• HR training on how to deal with security incidents
• E-mail etiquette training to sales staff
• Security awareness presentation to the Board

Finally Getting Some Attention… User Awareness

• PCI DSS Requirement 12.6 states:
  – “The company needs to implement a formal security awareness program, and educate employees upon hire at least once annually on the importance of cardholder data security.”
  – PCI DSS requires every member of staff involved in storing, transmitting or processing cardholder data to be trained as to what PCI DSS is about, and why and how to protect cardholder data, as well as best-practice security.
• Qualified Security Assessors (QSAs) verify that awareness training is being delivered by randomly questioning employees about their security awareness levels for cardholder data. Organizations must be able to demonstrate compliance with 12.6.
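As an added example (not from the slides), the check below applies the 12.6 rule to constructed training records: it flags in-scope staff with no session after hire, a first session later than an assumed 30-day onboarding window, more than a year between sessions, or more than a year since the last one. The names, dates and the 30-day window are assumptions made for the example.

```python
"""Added example, not from the VigiTrust slides: check constructed training
records against Requirement 12.6 as quoted above (educate in-scope staff upon
hire and at least once annually). The 30-day onboarding window is an assumption."""
from datetime import date, timedelta

ONBOARDING_WINDOW = timedelta(days=30)   # assumed deadline for the "upon hire" session
ANNUAL = timedelta(days=365)
ROADSHOW_DATE = date(2013, 3, 5)        # "today" for the sample run

# Constructed records: name -> (in PCI DSS scope?, hire date, training session dates)
STAFF = {
    "alice": (True, date(2011, 2, 1), [date(2011, 2, 10), date(2012, 1, 20)]),  # last one stale
    "bob":   (True, date(2012, 9, 1), [date(2012, 12, 15)]),                    # late first session
    "carol": (True, date(2011, 6, 1), [date(2011, 6, 5), date(2013, 1, 8)]),    # 19-month gap
    "dave":  (True, date(2013, 2, 20), []),                                    # still inside window
    "erin":  (False, date(2008, 3, 3), []),                                    # not in scope
}

def training_findings(staff, today):
    """Return (name, reason) pairs for in-scope staff whose records do not show
    training upon hire and at least annually, judged as of 'today'."""
    findings = []
    for name, (in_scope, hired, sessions) in staff.items():
        if not in_scope:
            continue
        # Records dated before hire or after today prove nothing, so drop them.
        sessions = sorted(s for s in sessions if hired <= s <= today)
        if not sessions:
            if today - hired > ONBOARDING_WINDOW:
                findings.append((name, "no training since hire"))
            continue
        if sessions[0] - hired > ONBOARDING_WINDOW:
            findings.append((name, "first session later than onboarding window"))
        for prev, nxt in zip(sessions, sessions[1:]):
            if nxt - prev > ANNUAL:
                findings.append((name, f"gap of {(nxt - prev).days} days between sessions"))
        if today - sessions[-1] > ANNUAL:
            findings.append((name, "last session more than a year ago"))
    return findings

if __name__ == "__main__":
    for name, reason in training_findings(STAFF, ROADSHOW_DATE):
        print(f"{name}: {reason}")
```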

PCI DSS – Integration with other standards

• PCI DSS can be mapped to other standards
  – E.g. HIPAA Security & Administrative Rules
  – E.g. ISO 27001
    • http://www.iso27001security.com/ISO27k_Mapping_ISO_27001_to_PCI-DSS_V1.2.pdf

Comparison Criteria                          ISO27k                               PCI DSS
Scope                                        Defined by the entity                Cardholder Data
Choice of Controls                           Wide                                 Very prescriptive
Flexibility in Implementation of Controls    High                                 Low
Ongoing Management of Compliance Status      Very granular and well documented    Not flexible and not comprehensive

Corporate Culture & Risk Management – The overall Picture

Risk Management Strategy for Internal and/or external Risk Management Teams

DPA, PCI DSS & ISO 27001 compliance

Best Practices - Achieve and Maintain Compliance with PCI DSS

• What first steps can you take?
  – Remember the five accreditation process steps
    • Education
    • Pre-assessment (internal)
    • Remediation
    • Actual assessment
    • Continuous compliance
  – Mix of 3 key elements
    • Policies & procedures
    • Technical solutions
    • Awareness training
  – What do you do next?
    • Policies & procedures: draw up a list of P&Ps in place at your organization
    • Technical solutions: update your network diagram + pen test
    • Awareness training: identify in-scope employees and start the education process

Recommended Reading

www.pcisecuritystandards.org
www.vigitrust.com
http://searchcompliance.techtarget.com/tip/Does-using-ISO-27000-to-comply-with-PCI-DSS-make-for-better-security
http://searchsecurity.techtarget.co.uk/news/2240036890/PCI-virtualisation-With-new-guidelines-compliance-may-be-harder
http://searchsecurity.techtarget.co.uk/tip/Employee-information-awareness-training-PCI-policy-templates
http://searchsecurity.techtarget.co.uk/expert/Mathieu-Gorge
ENISA: http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment
NIST: http://www.nist.gov/itl/cloud/upload/SP_500_293_volumeII.pdf

Networking Break

Peadar Duffy, RMI

Susan Hayes, The Positive Economist

Concluding Thoughts on how to Achieve and Maintain Compliance with PCI DSS

• PCI DSS is evolving – PCI DSS v3.0 is long awaited
• Mobility is here & the market welcomes the new guidance
  – However we need the PCI SSC to invest its accumulated funds into helping the market with this new major challenge
• PCI DSS adoption growth rate is driven by Data Protection in the EU – this will continue
• PCI DSS adoption growth rate is driven by PHI and State PII in the US – this will continue and a Federal law will come in

You need to start preparing now for upcoming changes in the standard and in legal frameworks incorporating PCI DSS.

3rd European PCI DSS Roadshow

Dublin, March 5th 2013

[email protected]
http://www.linkedin.com/in/mgorge

www.vigitrust.com