
Cardholder Data Discovery Andrew Henwood

Cardholder Data Discovery Andrew Henwood. May 2012. Typical College / University / Council Network. Unprotected Cardholder Data. Where is it?. Database Servers. Back Office. Finance. Library. Onsite Retail. Commercial Services. Course and Accommodation Fees. Service Payments.




Presentation Transcript


  1. Cardholder Data Discovery
     • Andrew Henwood, May 2012

  2. Typical College / University / Council Network
     • Unprotected Cardholder Data. Where is it?
     • Diagram of network areas: Database Servers, Back Office, Finance, Library, Onsite Retail, Commercial Services, Course and Accommodation Fees, Service Payments

  3. Where is the Cardholder Data to be found?
     • Unprotected Cardholder Data. Where is it?
     • Where is Unprotected Cardholder Data stored?
     • Files/locations used in daily use
     • Internet browser logs, XML files, binary files (database dumps), within compressed files (ZIP etc.), backups, file shares etc.
     • Very difficult to find: deleted files, unallocated files, slack space.

  4. Where is the Cardholder Data to be found?
     • Unprotected Cardholder Data. Where is it?
     • Diagram of network areas: Database Servers, Back Office, Finance, Library, Commercial Services, Onsite Retail, Course and Accommodation Fees, Service Payments

  5. Cardholder Data Environment
     • Entire Organisation in Scope of Compliance
     • Diagram of network areas: Database Servers, Back Office, Finance, Library, Commercial Services, Onsite Retail, Course and Accommodation Fees, Service Payments

  6. Not a Good Place to be

  7. PCI DSS Compliance - Reality
     • PCI DSS & being secure is HARD (if not approached sensibly)
     • Simplify the Cardholder Data Environment
     • Scope Reduction is CRUCIAL
     • Focus your compliance activity, reduce efforts, reduce long term costs

  8. CHD Discovery Tools
     • Use a Cardholder Data Discovery Tool to do the heavy lifting and validation of PCI data & flows
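As an added example (not from the presentation or from Foregenix), this is the core of the scan a discovery tool runs over the file types listed in slide 3: a pattern for 13-19 digit runs, a Luhn check to discard look-alike numbers, a walk into ZIP archives, and masked reporting so the findings are not themselves cardholder data. The file names and the card numbers are constructed sample data using well-known test PANs.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)

def luhn_ok(digits):
    """Luhn check weeds out most random digit runs (IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits):
    """Report first 6 / last 4 only, so the finding is not itself more CHD."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_bytes(data, location):
    """Find Luhn-valid PANs in raw bytes (tolerates binary content such as dumps)."""
    text = data.decode("latin-1")
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((location, mask(digits)))
    return hits

def scan_tree(root):
    """Walk a directory, looking inside ZIP archives as well as plain files."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for name in zf.namelist():
                    hits += scan_bytes(zf.read(name), f"{path.name}!{name}")
        else:
            hits += scan_bytes(path.read_bytes(), path.name)
    return hits

def build_sample_tree():
    """Constructed sample data: well-known test PANs only, nothing real."""
    root = Path(tempfile.mkdtemp(prefix="chd-"))
    (root / "browser.log").write_text("GET /pay?pan=4111 1111 1111 1111 HTTP/1.1\n")
    (root / "dump.bin").write_bytes(b"\x00\x01tel 01234 567 890 id 4111111111111112\xff")
    with zipfile.ZipFile(root / "backup.zip", "w") as zf:
        zf.writestr("orders.xml", "<order><pan>5555555555554444</pan></order>")
    return root
```

`scan_tree(build_sample_tree())` reports the hit in the browser log and the one inside the ZIP, and ignores the Luhn-invalid number in the binary dump. It reads allocated files only; the deleted-file and slack-space cases from slide 3 need forensic tooling working on the raw disk image.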

  9. From PCI DSS
     • Standards - PCI DSS v2.0, page 10:
     • “The first step of a PCI DSS assessment is to accurately determine the scope of the review. At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope.”

  10. Cardholder Data Discovery - DEFINE
     • DEFINE and Identify Cardholder Data
     • Unaware of unknowns
     • Threat of Compromise & fraud is significant.
     • Identify data leaks in:
       • Badly configured payment software
       • Broken/changed business processes
       • Insecure payment software storing data it should not
     Persistent - Proactive - Protection

  11. Cardholder Data Discovery - PROTECT
     • PROTECT (or eradicate) identified CHD
     • Reduce risk of compromise.
     • Provide user time to evaluate risk to business processes.
     • Protect: Encrypt / Tokenise / Hash etc.*
     • * These systems are still in scope for PCI DSS.
     Persistent - Proactive - Protection

  12. Cardholder Data Discovery - ASSURE
     • ASSURE
       • Cardholder data not appearing where it should not
       • Applications / systems performing as they should
     • Persistent Monitoring = Ongoing Risk Management
     Persistent - Proactive - Protection

  13. Cardholder Data Environment
     • Entire Organisation in Scope of Compliance
     • Diagram of network areas: Database Servers, Back Office, Finance, Library, Commercial Services, Onsite Retail, Course and Accommodation Fees, Service Payments

  14. Post Data Discovery and Remediation
     • New Cardholder Data Environment
     • Diagram of network areas: Database Servers, Back Office, Finance, Library, Commercial Services, Onsite Retail, Course and Accommodation Fees, Service Payments

  15. Summary - Summarising Cardholder Data Discovery
     • After implementing an ongoing Cardholder Data Discovery solution via:
       • Open source or Commercial / DLP based or PCI specific
     • Unknowns become known
     • Knowns are confirmed
     Persistent - Proactive - Protection

  16. Summary - Summarising Cardholder Data Discovery
     • Facilitates:
       • Consolidation
       • Account data sterile environments
       • Restricted in scope environment
       • Easier and more manageable PCI compliance
     Persistent - Proactive - Protection

  17. Post Data Discovery and Remediation
     • New Cardholder Data Environment & Sterile Env.
     • Diagram: ✓ ✓ ✓ Database Servers, Back Office, Finance, Library; ✓ ✓ ✓ ✓ Support, Canteen, Contact Centre; Fees Office
     • Significant risk reduction for the College / University / Council, their bank and the card schemes.

  18. Stay Safe & Risk Aware
     Andrew Henwood - Director
     ahenwood@foregenix.com
     Foregenix, Wesley House, Bull Hill, Leatherhead, Surrey KT22 7AH, United Kingdom
     Tel: 0845 309 6232
     Web: www.foregenix.com
