Presented By: David Kidd, Director of Compliance, Peak 10 & Brian Herman, VP of Managed Security Sales, Still Secure
Defining the Challenge
Cost of Breaches Continues to Rise
An increase in the total average cost of a data breach:
TJX: The “Pearl Harbor” of Credit Card Breaches (01/2007)
Federal Trade Commission Response
Founders: Payment Brands
Merchants, Banks, Processors, Developers, POS Vendors
Established in 2006, the Security Standards Council was formed to coordinate information security programs of the founding payment brands.
The PCI Security Standards Council has established multiple standards for the industry, including equipment manufacturers, payment software application developers, merchants, and merchant service providers.
The PCI Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process, or transmit cardholder data.
The PCI DSS applies to all entities that store, process, and/or transmit cardholder data. If you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS regardless of transaction volume.
Software as a Service (SaaS) – Capability for clients to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
Platform as a Service (PaaS) – Capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
Infrastructure as a Service (IaaS) – Capability for clients to utilize the provider’s processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.
Understanding the Cloud
What makes the cloud different?
The cloud is relatively new technology and may be misunderstood.
Clients may have limited visibility into the service provider's underlying infrastructure and the related security controls.
Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.
It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
Public cloud environments are usually designed to allow access from anywhere on the Internet.
Tips for Successful PCI DSS Compliance
Cloud Service Stack (typical)
The client may have limited control of user-specific application configuration settings.
The client has control over the deployed applications and possibly configuration settings for the application-hosting environment.
The client has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g. host firewalls).
Questions for Service Providers
PCI Compliance is an Ongoing Process of Continuous Monitoring and Improvement.
The assessment stage is key.