
10 Tips for PCI Compliance programs

Christopher Heinz, CISSP. Overview: understand impact; know the landscape; reduce scope; consider alternatives; data storage considerations; be transparent; be prepared; top attack vectors; ongoing process is required; have a plan (or two).





Presentation Transcript


  1. 10 Tips for PCI Compliance programs
     Christopher Heinz, CISSP

  2. Overview
     • Understand impact
     • Know the landscape
     • Reduce scope
     • Consider alternatives
     • Data storage considerations
     • Be transparent
     • Be prepared
     • Top attack vectors
     • Ongoing process is required
     • Have a plan (or two)

  3. Understand the impact of PCI
     • Reputation
     • Financial (processing fees, fines)
     • Reporting requirements
     • Understand that mitigating risk to card data is the goal
     • Potential benefits of program

  4. Know the landscape
     • Define compliance ownership
     • Involve legal team to determine scope
     • Use multiple sources to build consensus

  5. Reduce scope
     • Move systems out of scope if possible
     • Consider third party solutions where possible
     • Map actual data flows
     • Stop when it makes sense

  6. Consider alternatives
     • Third party processors
     • Encryption/hashing
     • Do not forget PA-DSS for third party software vendors

  7. Data storage considerations
     • CVV/CID (NEVER!)
     • Is there a business need to store data?
     • Limit risk by limiting data stored
     • Data store should be reduced/removed wherever possible

  8. Be transparent
     • Obfuscation of situation only hurts, never helps
     • Define reporting mechanisms
     • Clarity of information/responses should be paramount
     • Internal reporting/approvals should be retained

  9. Be prepared
     • Compliance packets are helpful
     • Ease assessment pain, which limits cost
     • Build confidence in program
     • Thorough, easy to parse documentation
     • Use comments in configs/code anywhere possible

  10. Top Attack Vectors
     • Improper patching
     • Insecure code practices
     • Default username/password
     • Insecure remote access
     • Nothing new under the sun (because there doesn’t need to be)

  11. Ongoing process is required
     • Self assess internally as frequently as practical
     • Avoid checkbox mentality
     • Apply the Security wheel model (Secure -> Monitor -> Test -> Improve)
     • Scanning required quarterly, but meaningless if remediation action not taken
     • Compensating controls should be reduced/eliminated

  12. Have a plan (or two)
     • Considerable amount of time/effort to maintain compliance
     • Have a backup plan (DR, adding new systems, breach)
     • Analyze plan, evaluate application of each process
     • Consider lessons learned, otherwise they're not "learned"

  13. Questions/Answers?
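As an added example (not part of the presentation) of the "encryption/hashing" alternative on slide 6 and the storage minimisation on slide 7, the Python below reduces an authorization record to a truncated PAN plus a keyed one-way token, drops CVV/CID outright, and includes a discovery check that reports any Luhn-valid PANs that have leaked into logs or dumps. `DEMO_KEY`, the function names and the record layout are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo key. A real deployment keeps this in an HSM/KMS with
# access restricted to the tokenization service, never next to the data.
DEMO_KEY = b"demo-key-not-for-production-00000"
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits

def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def truncate_pan(pan: str) -> str:
    """First 6 + last 4 at most: the truncation PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def pan_token(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way token for lookups/dedup. An unkeyed SHA-256 is not enough:
    with the 6-digit BIN known only ~10^9 Luhn-valid PANs remain, which is
    cheap to enumerate against a leaked table of hashes."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

def store_card(auth_record: dict) -> dict:
    """Reduce an inbound authorization record to what may be retained.
    CVV/CID (sensitive authentication data) is dropped, never copied."""
    pan = re.sub(r"[ -]", "", auth_record["pan"])
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return {
        "pan_masked": truncate_pan(pan),
        "pan_token": pan_token(pan),
        "expiry": auth_record.get("expiry"),
    }

def find_pans(text: str) -> list:
    """Discovery check for logs/dumps: report Luhn-valid PANs found, in
    truncated form so the finding itself does not leak cardholder data."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(truncate_pan(digits))
    return hits
```

Running `find_pans` over application logs and database exports is one concrete way to verify that the "data store reduced/removed" bullet actually holds, rather than assuming it from the data-flow diagram.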
