QSA Shares PCI 3.0 Advice & Checklist
DESCRIPTION
It’s big. It’s bigger than you think. On January 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 becomes the global PCI audit standard. In this webinar, PCI QSA Jeff Hall shares the biggest gotchas that he’s encountered while working with clients. Key insights will include:
• How will auditors’ requirements increase notably?
• What are the foreseeable problem hot spots?
• Why won't steps for passing PCI 2.0 cut it for 3.0?
You’ll also get a helpful checklist for 3.0 late starters!
TRANSCRIPT
http://itrevolution.com/pci-scoping-toolkit/
Recommendation: Have meetings with the application development, networking and security teams to understand and document the current state and to communicate expectations. Use some type of discovery tool to aid your inventory work.
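The scoping gotcha behind this recommendation is that discovery output has to be turned into a scope decision: systems that handle cardholder data are in the CDE, and anything with a direct network path to them is "connected-to" and in scope as well, whether or not the business documented it. The following Python check is an added example, not code from the webinar, from Tripwire or from the scoping toolkit linked above; the inventory, the flows and the documented scope are all constructed for illustration, and the one-hop "connected-to" rule is a simplification of the usual CDE / connected-to / out-of-scope model.

```python
"""Turn a constructed asset inventory plus discovered network flows into a
PCI scope classification, then diff it against what the business documented.
Example code only; asset names, owners, flows and rules are assumptions."""
from collections import defaultdict

# Constructed inventory: asset name -> (handles cardholder data?, owning team)
INVENTORY = {
    "pos-terminal-01": (True, "retail-ops"),
    "payment-switch": (True, "payments"),
    "db-cardvault": (True, "payments"),
    "ad-dc-01": (False, "infra"),        # directory the payment switch authenticates against
    "siem-collector": (False, "security"),  # receives syslog from the card vault
    "web-marketing": (False, "marketing"),
    "hr-portal": (False, "hr"),
}

# Constructed flows (src, dst, dst_port) as a discovery tool might report them.
FLOWS = [
    ("pos-terminal-01", "payment-switch", 443),
    ("payment-switch", "db-cardvault", 5432),
    ("payment-switch", "ad-dc-01", 389),
    ("db-cardvault", "siem-collector", 514),
    ("web-marketing", "hr-portal", 443),
]

# What the business currently lists as "the PCI environment" (constructed).
DOCUMENTED_SCOPE = {"pos-terminal-01", "payment-switch", "db-cardvault"}


def classify(inventory, flows):
    """Return {asset: 'CDE' | 'connected-to' | 'out-of-scope'}.

    CDE: stores, processes or transmits cardholder data.
    connected-to: has a direct flow (either direction) with a CDE asset.
    out-of-scope: everything else, i.e. no direct path to the CDE.
    """
    cde = {name for name, (handles_chd, _owner) in inventory.items() if handles_chd}
    neighbours = defaultdict(set)
    for src, dst, _port in flows:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    connected = {peer for asset in cde for peer in neighbours[asset]} - cde
    scope = {}
    for asset in inventory:
        if asset in cde:
            scope[asset] = "CDE"
        elif asset in connected:
            scope[asset] = "connected-to"
        else:
            scope[asset] = "out-of-scope"
    return scope


def scope_gaps(discovered, documented):
    """Assets that discovery puts in scope but the documentation omits.
    Each one is a finding an assessor would raise during a 3.0 audit."""
    return sorted(
        asset for asset, category in discovered.items()
        if category != "out-of-scope" and asset not in documented
    )


def owners_in_scope(inventory, discovered):
    """Group in-scope assets by owning team so each business unit can be
    handed its own list (clear ownership, per the recommendation above)."""
    by_owner = defaultdict(list)
    for asset, category in discovered.items():
        if category != "out-of-scope":
            by_owner[inventory[asset][1]].append(asset)
    return {team: sorted(assets) for team, assets in by_owner.items()}


if __name__ == "__main__":
    scope = classify(INVENTORY, FLOWS)
    for asset, category in sorted(scope.items()):
        print(f"{asset:18} {category}")
    print("undocumented in-scope assets:", scope_gaps(scope, DOCUMENTED_SCOPE))
    print("in-scope assets by owner:", owners_in_scope(INVENTORY, scope))
```

Run against the constructed data, the directory server and the SIEM collector come back as connected-to and therefore as undocumented in-scope assets; that is exactly the kind of scope creep an inventory built from a discovery tool surfaces and a hand-maintained list misses. Real flow data would come from a discovery or NetFlow tool, and the one-hop rule should be widened to match however your QSA treats systems that reach the CDE indirectly.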
Recommendation: Vulnerability scanning and security configuration assessments can validate mitigations. Tripwire’s solutions produce audit-ready reporting, including a special PCI 3.0 Reporting Pak available to our Log Center customers.
Recommendation: Work across development and IT operations to clearly define access rights based on consistent roles and business purpose. Divide the work into business units for clearer ownership as well as executive support.
Ponemon Risk-Based Security: only 34% of the retail sector measures the reduction in access and authentication violations to assess risk management efforts.
Verizon’s 2014 PCI Compliance Report shows that 64.4% of accounts with access to cardholder data failed to restrict access to just one user, limiting traceability and increasing security risk.
Recommendation: Centrally manage (discover, monitor, report, log) your wireless infrastructure to get visibility early
for PCI (ASV)
Recommendation: Accept that this is really difficult to do and begin to hone and develop ways to create and manage these inventories
Recommendation: Accept that this is really difficult to do and begin to hone and develop ways to create and manage these inventories and security steps
Recommendation: PCI DSS 3.0 advises you to implement these requirements now as “best practices”, knowing that from July 2015 they become mandatory for audit compliance. Whenever penetration test findings need remediation, you can use vulnerability scanning and configuration assessments to validate that the corrections are in place.
There are more than a billion active credit and debit cards in the U.S., and nearly 48% of those are breached annually at the point of sale!
Recommendation: Focus on security awareness training at the endpoint to train non-technical staff on what to look for, and be clear about what your expectations are
Only 41 percent of the retail sector uses penetration testing to identify security risks
Recommendation: Immediately begin to document and track all threats and vulnerabilities to your environment for the last 12 months
for PCI (ASV)
Recommendation: Have conversations with your MSSP, vendors and service providers, ask them to document scoping, and enter into a formal, written agreement about it
tripwire.com | @TripwireInc