2. Introduction / Goals / Objectives
Drivers: The Carding Market
Important Roles and Terms
Myths of PCI Data Security Standard
PCI DSS Compliance in 5 Easy Steps
Step 1: No Prohibited Data
Step 2: Scope, Scope, Scope
Step 3: Payment Application (PA-DSS)
Step 4: The DSS Requirements
Step 5: Compensating Controls
What's New in PCI DSS v1.2
Tips and Tricks
Q&A
3. DISCLAIMERS
IANAL I Am Not A Lawyer
IANTPS I Am Not The PCI SSC
IANAQSA I Am Not A Qualified Security Assessor
6. The stats:
Card Present vs. Card Not Present
Level 4 vs. Levels 1-3
Universities as % Compromised
Compromised Merchants Storing Full Track
Merchant Issue vs. Third-Party Issue
All numbers available from Trustwave Global Compromise Statistics: https://www.trustwave.com/whitePapers.php
8. You can buy PCI compliance in a box
Outsourcing processing makes you compliant
PCI is an IT problem
PCI Compliance = Security
PCI compliance is impossible to obtain
PCI requires an army of Qualified Security Assessors
PCI is only for the big companies
Filling out a SAQ makes you compliant
PCI requires storing more data
PCI is your processor's responsibility
10. Definition #1: PCI applies to all system components that store, process, or transmit cardholder data
Definition #2: System components are defined as any network component, server, or application included in or connected to the cardholder data environment
Definition #3: Network components include firewalls, switches, routers, wireless access points, network appliances, and other security appliances
Definition #4: Server types include web, application, database, authentication, mail, proxy, network time protocol (NTP), and domain name server (DNS)
Definition #5: Applications include all purchased and custom applications, including internal and external (internet) applications
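Definitions #1 and #2 together decide what is in scope: everything that touches cardholder data, plus everything connected to it unless segmentation breaks the link. The helper below is an added example, not part of the slides; the inventory, host names and the one-hop "connected to" rule are constructed assumptions for illustration.

```python
# Added example (not from the slides): apply Definitions #1 and #2 to a
# constructed asset inventory to see which hosts land in PCI scope.

# Constructed inventory: host -> set of hosts it has network connectivity to.
LINKS = {
    "pos-terminal":   {"payment-gw"},
    "payment-gw":     {"pos-terminal", "card-db", "ntp-01"},
    "card-db":        {"payment-gw", "backup-srv"},
    "backup-srv":     {"card-db"},
    "ntp-01":         {"payment-gw", "corp-fileshare"},
    "corp-fileshare": {"ntp-01", "hr-wiki"},
    "hr-wiki":        {"corp-fileshare"},
    "guest-wifi":     set(),
}

# Definition #1: hosts that store, process or transmit cardholder data.
HANDLES_CHD = {"pos-terminal", "payment-gw", "card-db"}


def cde(handles_chd):
    """The cardholder data environment is exactly the Definition #1 set."""
    return set(handles_chd)


def pci_scope(links, handles_chd, segmented_links=frozenset()):
    """Definition #2: the CDE plus every component connected to it.

    A link listed in segmented_links (as a frozenset pair of host names) is
    treated as blocked by an approved segmentation control and does not
    extend scope. The walk is one hop (a host is in scope if it is in the
    CDE or has an unblocked link to a CDE host); that is an assumption of
    this example, not a rule taken from the standard.
    """
    in_cde = cde(handles_chd)
    scope = set(in_cde)
    for host, peers in links.items():
        if host in in_cde:
            continue
        for peer in peers:
            if peer in in_cde and frozenset((host, peer)) not in segmented_links:
                scope.add(host)   # connected to the CDE: pulled into scope
                break
    return scope


if __name__ == "__main__":
    flat = pci_scope(LINKS, HANDLES_CHD)
    segmented = pci_scope(LINKS, HANDLES_CHD, {frozenset(("payment-gw", "ntp-01"))})
    print("flat network scope:     ", sorted(flat))
    print("with NTP link segmented:", sorted(segmented))
```

Running it shows the NTP server in scope on the flat network and out of scope once its link to the gateway is segmented, which is the "Scope, Scope, Scope" point in practice.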