the prioritized approach to pci dss compliance

Posted on 08-Jun-2015

817 views

Category:

Documents


4 download

TRANSCRIPT

Page 1: The Prioritized Approach to PCI DSS Compliance

SMART-RA.com is a patent pending product of SISA Information Security

smart-ra.com

The World’s First PCI Risk Assessment Tool

Understanding the Prioritized Approach to PCI Compliance

Page 2: The Prioritized Approach to PCI DSS Compliance

Agenda

• The Basics

- What is the Prioritized Approach?

- Why a Prioritized Approach?

- Who should adopt the Prioritized Approach, and when

• The Prioritized Approach to PCI DSS Compliance

- 6 Milestones

• Q&A


Page 3: The Prioritized Approach to PCI DSS Compliance

The Basics

What is the Prioritized Approach?

- Created by the PCI SSC
  – Developed from actual security incidents, feedback from QSAs, etc.
- Provides a
  – Structured guideline
  – Trackable roadmap to compliance
- Works by
  – Prioritizing the compliance activities that reduce the most risk first
  – Chalking out a roadmap to PCI compliance
- 6 Milestones


Page 4: The Prioritized Approach to PCI DSS Compliance

The Basics

Prioritized Approach: what it is not

– A substitute for the actual PCI DSS requirements: every requirement must still be met before compliance can be validated
– A one-size-fits-all solution for all organizations


Page 5: The Prioritized Approach to PCI DSS Compliance

The Basics

Why a Prioritized Approach?

Facilitates faster and cheaper compliance by
– Setting the context
– Identifying high risks
– Delivering 'quick win' RTP items
– Tracking compliance


Page 6: The Prioritized Approach to PCI DSS Compliance

The Basics

Who should adopt the Prioritized Approach?

Merchants that:
- Are unsure where to start with PCI compliance
- Do not know their high-risk areas
- Are facing an onsite assessment
- Are completing SAQ D

Acquirers:
- To get compliance status updates from merchants and service providers
- For ongoing monitoring of progress


Page 7: The Prioritized Approach to PCI DSS Compliance

The Prioritized Approach to PCI DSS Compliance

Visa Europe Technology Innovation Programme

EMV chip-enabled merchants are waived from the annual revalidation assessment if they have:
- Previously validated PCI compliance, OR provided a plan to comply;
- AND have not been involved in a recent card breach;
- AND have met Milestones 1 and 2 of the Prioritized Approach.

Page 8: The Prioritized Approach to PCI DSS Compliance

The Prioritized Approach to PCI DSS Compliance

Milestone 1: Remove sensitive authentication data and limit data retention.

PCI DSS Requirements
1.1.2 Maintain a current network diagram
3.1 Keep cardholder data storage to a minimum
3.2 Do not store sensitive authentication data (SAD) after authorization
9.10 Destroy media containing cardholder data when it is no longer needed
12.1.1 Maintain a formal policy that addresses all PCI DSS requirements
12.1.2 Include an annual process that identifies threats and vulnerabilities and results in a formal risk assessment

Page 9: The Prioritized Approach to PCI DSS Compliance

The Prioritized Approach to PCI DSS Compliance

Milestone 2: Protect systems and networks, and be prepared to respond to a system breach.

PCI DSS Requirements
1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the internal network
1.1.5 Documentation and business justification for all services, protocols, and ports allowed
1.2 Restrict connections between untrusted networks and any system component in the CDE
1.3 Prohibit direct public access between the Internet and any system component in the CDE
1.4 Install personal firewall software on portable devices that connect to the Internet from outside the network
2.1 Change vendor-supplied system defaults before installing a system on the network
2.3 Encrypt all non-console administrative access using strong cryptography
4.1 Use strong cryptography and security protocols to safeguard CHD during transmission over open, public networks
4.2 Never send unprotected PANs by end-user messaging technologies (e-mail, instant messaging, chat, etc.)
5.1 Deploy anti-virus software on all systems commonly affected by malicious software
5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs
9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the CDE
11.2 Run network vulnerability scans at least quarterly and after any significant change in the network
11.4 Use intrusion-detection and/or intrusion-prevention systems (IDS/IPS) to monitor traffic at the perimeter of and at critical points in the CDE
12.1.1 Policy addresses all PCI DSS requirements
12.8 If CHD is shared with service providers, implement policies and procedures to manage those service providers
12.8.2 Maintain a written agreement acknowledging that the service providers are responsible for the security of the CHD they possess
12.8.3 Ensure there is an established process for engaging service providers, including proper due diligence
12.8.4 Maintain a program to monitor service providers' PCI DSS compliance status at least annually
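The first practical question behind Milestone 1 (requirements 3.1 and 3.2: is PAN or track data sitting in logs, databases or files?) and behind requirement 4.2 in Milestone 2 (is PAN leaving through e-mail or chat?) is the same: can you find a PAN in text reliably? The following scanner is an example added by the editor; it is not code from the SISA deck or from the PCI SSC. It finds 13-19 digit candidates, confirms them with the Luhn check so that order numbers and timestamps are not reported, classifies a PAN immediately followed by "=YYMM" as track-2 style sensitive authentication data, and masks every hit to first six / last four so the report itself does not become stored cardholder data. The log lines are constructed for the example, and the function and field names are the example's own.

```python
"""PAN discovery and redaction scanner (added example, not from the deck).

Scans text for candidate primary account numbers (13-19 digits, optionally
separated by spaces or dashes), confirms them with the Luhn check, flags
track-2 style sensitive authentication data (PAN followed by '=YYMM...'),
and masks PANs to first six / last four for safe reporting or redaction.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# 13-19 digits, each digit optionally followed by one space or dash; the
# lookarounds stop a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Track 2 data follows the PAN with '=' and a YYMM expiry date. Storing it
# after authorization is what requirement 3.2 forbids.
TRACK2_TAIL = re.compile(r"=[0-9]{4}")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the usual PAN display mask."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    line_no: int
    kind: str      # "PAN" or "TRACK2_SAD"
    masked: str    # masked PAN, never the full number


def find_pans(text: str) -> list[Finding]:
    """Scan text line by line and return Luhn-valid PANs, masked."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue        # order numbers, timestamps etc. drop out here
            kind = "TRACK2_SAD" if TRACK2_TAIL.match(line, m.end()) else "PAN"
            findings.append(Finding(line_no, kind, mask_pan(digits)))
    return findings


def redact(line: str) -> str:
    """Replace every Luhn-valid PAN in a line with its masked form.

    Usable as a filter in front of an e-mail or chat gateway (requirement 4.2)
    or before an application writes its log line.
    """
    def _mask(m: re.Match[str]) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_valid(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask, line)


# Constructed sample log: two well-known test PANs (4111..., 5555...) that pass
# Luhn, plus an order number and a mistyped PAN that do not.
SAMPLE_LOG = """\
2015-06-08 10:01:22 order=1234567890123456 amount=49.90 status=ok
2015-06-08 10:01:23 DEBUG card=4111111111111111 exp=12/25 auth=ok
2015-06-08 10:02:10 swipe=;5555555555554444=25121010000000000000?
2015-06-08 10:03:00 note: customer read card 4111 1111 1111 1111 over the phone
2015-06-08 10:04:44 ref=4111111111111112 (mistyped, fails Luhn)
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} {f.masked}")
    print(redact("card=4111111111111111 exp=12/25"))
```

Run against the sample, the scanner reports line 2 as a stored PAN, line 3 as track-2 SAD (the "=2512" tail after the PAN), and line 4 as a PAN despite the spacing, while the order number on line 1 and the mistyped number on line 5 fail Luhn and are ignored. The Luhn check removes most false positives but is not proof: a 16-digit invoice number passes one time in ten, so real discovery tooling also checks issuer prefixes and the surrounding field names.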

Page 10: The Prioritized Approach to PCI DSS Compliance

The Prioritized Approach to PCI DSS Compliance

Milestone 3: Secure payment card applications.

This milestone targets controls for applications, application processes, and application servers. Weaknesses in these areas offer easy prey for compromising systems and obtaining access to cardholder data.

Milestone 4: Monitor and control access to your systems.

Controls for this milestone allow you to detect the who, what, when, and how of access to your network and cardholder data environment.

Milestone 5: Protect stored cardholder data.

For those organizations that have analyzed their business processes and determined that they must store Primary Account Numbers, Milestone 5 targets key protection mechanisms for that stored data.

Milestone 6: Finalize remaining compliance efforts, and ensure all controls are in place.

The intent of Milestone 6 is to complete the PCI DSS requirements, and to finalize all remaining related policies, procedures, and processes needed to protect the cardholder data environment.