1 Presented By: David Kidd, Director of Compliance, Peak 10 & Brian Herman, VP of Managed Security Sales, Still Secure.


Defining the Challenge 2

3 Cost of Breaches Continues to Rise
- An increase in the total average cost of a data breach: for each reporting company, the average cost of a data breach was more than $8.9 million and ranged from $1.4 million to $46 million, a 6% increase from
- An increase in lost business due to data breach: lost business from denial of service, malicious insider and web-based attacks accounts for 58% of data breach costs, averaging $591,780 with a 24-day duration to resolve the attack, a 42% increase from
- An increase in third-party data breaches: companies averaged 102 successful attacks per week, up from 72 last year
- An increase in disruption to business in response to a breach: information theft accounts for 44% of external costs, up 4% from 2011; disruption to business and lost productivity accounts for 30% of external cost, up 1% from
- Recovery and detection accounted for 47% of internal activity cost

4 Merchant Costs for a PCI Breach
- Card replacement costs now average about $4 per card
- Compliance fines now range from about $5,000 to $50,000 per event for a small merchant (Level III or IV)
- Forensic examination costs average between $25,000 and $35,000 per event for these same merchants
- Additional fines for actual fraudulent use of stolen PANs vary

5 Breach Example
TJX: the "Pearl Harbor" of credit card breaches (01/2007)
- Hackers spent 18 months exploiting weak wireless security outside thousands of TJX stores
- 45.7 million credit and debit card numbers were stolen
- TJX stated the breach cost more than $256 million, and it was still incurring related expenses years after the breach
- The average cost per breached card is estimated at between $90 and $305
- Business and reputation costs are even greater

6 Consequences: New Oversight
Federal Trade Commission response
- As a consequence of the breach TJX announced in 2007, the FTC took enforcement action by treating the breach as an "unfair trade practice"
- State and local privacy laws are also increasingly applied to information security breaches
- What had been an industry challenge is now a regulatory challenge

PCI DSS 7

8 PCI Security Standards Council
- Founders: the payment brands
- Participating organizations: merchants, banks, processors, developers, POS vendors
Trademarks and logos used on this page are the property of their respective owners.

9 Developing Standards (WWW.PEAK10.COM)
Established in 2006, the PCI Security Standards Council was formed to coordinate the information security programs of the founding payment brands. The Council has since established multiple standards for the industry, covering equipment manufacturers, payment software application developers, merchants and merchant service providers:
- Manufacturers: PCI PTS (PIN Transaction Security)
- Software developers: PCI PA-DSS (Payment Application Data Security Standard)
- Merchants and processors: PCI DSS

10 The PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that store, process, or transmit cardholder data. It applies to all entities that store, process, and/or transmit cardholder data: if you are a merchant who accepts or processes payment cards, you must comply with the PCI DSS regardless of transaction volume. Transaction volume determines only how compliance is validated (for example a self-assessment questionnaire versus an on-site QSA assessment), not whether the standard applies.

11 Elements of the PCI Data Security Standard

Moving to the Cloud 12

13 Understanding the Cloud Deployment Models
- Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
- Private cloud: the cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.
- Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, or compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.
- Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds).

14 Understanding the Cloud Service Models
- Software as a Service (SaaS): capability for clients to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through either a thin client interface, such as a web browser, or a program interface.
- Platform as a Service (PaaS): capability for clients to deploy their applications (created or acquired) onto the cloud infrastructure, using programming languages, libraries, services, and tools supported by the provider.
- Infrastructure as a Service (IaaS): capability for clients to use the provider's processing, storage, networks, and other fundamental computing resources to deploy and run operating systems, applications and other software on a cloud infrastructure.

15 The Cloud Compliance Challenge: PCI DSS
What makes the cloud different?
- The cloud is relatively new technology and may be misunderstood.
- Clients may have limited visibility into the service provider's underlying infrastructure and the related security controls.
- Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.
- It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
- Public cloud environments are usually designed to allow access from anywhere on the Internet.

Meeting the Challenge 16

17 Assessing PCI DSS Compliance
1. Study the PCI DSS standard: learn what the standard requires of your business.
2. Inventory IT assets and processes: identify all systems, personnel and processes involved in the transmission, processing or storage of cardholder data.
3. Find vulnerabilities: use the appropriate SAQ to guide the assessment, and appropriate technologies to locate insecure systems.
4. Validate with third-party experts: your environment's complexity may require a Qualified Security Assessor (QSA) and/or Approved Scanning Vendor (ASV) to perform a proper assessment.
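As an added example (not from the presentation), here is one way to carry out step 2 above, discovering where cardholder data actually resides so those assets go into the scope inventory. It is a PAN discovery scan that pairs a digit-run regex with the Luhn check so that order numbers, timestamps and similar digit runs are not reported, and it masks what it finds to first six / last four, which is what PCI DSS 3.3 permits to be displayed. The asset names and file contents are constructed sample data; the card numbers are well-known test card numbers, not real PANs.

```python
"""Added example: PAN discovery for PCI DSS scope inventory.
Constructed sample data; not code from the presentation."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not adjacent to other digits (so it does not fire inside longer numeric IDs).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass(frozen=True)
class Finding:
    asset: str        # where the PAN was found (hypothetical asset label)
    line_no: int      # 1-based line within the asset's content
    masked_pan: str   # first six / last four only; the full PAN is never emitted


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) checksum; every branded PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS 3.3 allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(asset: str, content: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(content.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):              # regex hit that fails Luhn is not reported
                findings.append(Finding(asset, line_no, mask_pan(digits)))
    return findings


def scan_assets(assets: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of asset name -> text content; in practice the content
    would be read from files, database exports or log archives."""
    out = []
    for asset, content in assets.items():
        out.extend(find_pans(asset, content))
    return out


def in_scope_assets(findings: List[Finding]) -> List[str]:
    """Assets holding cardholder data belong in the CDE inventory."""
    return sorted({f.asset for f in findings})


# Constructed sample content; asset names are hypothetical and the
# card numbers are well-known test numbers.
SAMPLE_ASSETS = {
    "pos-terminal-01:/var/log/app.log":
        "2013-05-02 auth ok card=4111111111111111 amt=19.99\n",
    "crm-db-export.csv":
        "id,name,card\n7,Jane,5500-0000-0000-0004\n8,Joe,1234567812345678\n",
    "hr-fileshare/payroll.txt":
        "employee 000123456789 salary 55000\n",
}

if __name__ == "__main__":
    found = scan_assets(SAMPLE_ASSETS)
    for f in found:
        print(f"{f.asset}:{f.line_no} {f.masked_pan}")
    print("in scope:", in_scope_assets(found))
```

The third row of the CSV (1234567812345678) is 16 digits but fails Luhn, so it is correctly not reported, and the payroll file contributes nothing; only the POS log and the CRM export end up in scope. A real scan should also look at backups, crash dumps and ticketing systems, which is where cardholder data most often turns up unexpectedly.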

18 Tips for Successful PCI DSS Compliance
Tip #1 – Start early
- Begin in the early stages of deciding to accept payment cards
- Perform an initial gap analysis
- Follow the PCI Prioritized Approach to avoid hitting big issues late in the project
- Select a QSA early in the project
Tip #2 – Manage as a project
- Follow project management tenets: get a project sponsor, create a core team, and make a project charter
Tip #3 – Limit scope as much as possible
- Segregate the cardholder data environment to the maximum extent possible. As cardholder data spreads across the network, the compliance scope increases many-fold.
Tip #4 – Look beyond checklists and tools: follow the intent behind controls
- Leverage the opinion of your QSA and the guidance documents from the Council on the intent of each requirement to avoid getting lost in technicalities
Tip #5 – Compliance with another standard is not enough
- PCI DSS serves a specific purpose, the protection of payment card data; being compliant with another information security standard may not be sufficient
Tip #6 – Validate your vendors' compliance
- Compliance of service providers is as important as that of the merchant
- Even when you outsource an activity, you are still responsible for compliance
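To make Tip #3 concrete, the following added example (not from the presentation) evaluates a hypothetical first-match firewall ruleset against hypothetical network segments and lists every non-CDE host that can initiate a connection into the CDE. Such connected-to systems remain in PCI DSS scope, so the output is the set of systems that segmentation has failed to remove from scope, while segments with no allowed flow are candidates to document as out of scope. Addresses, segment names, ports and rules are all constructed.

```python
"""Added example: which hosts can reach the cardholder data environment (CDE)?
Hypothetical segments and first-match firewall rules; not from the presentation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination port; None means any port
    action: str            # "allow" or "deny"


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; no match falls through to deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def flows_into_cde(rules, segments, cde="cde", ports=(22, 443, 5432)):
    """Return {src_host: [(cde_host, port), ...]} for every allowed inbound flow
    from a non-CDE host to a CDE host on the probed ports."""
    flows = {}
    for name, hosts in segments.items():
        if name == cde:
            continue
        for src in hosts:
            for dst in segments[cde]:
                for port in ports:
                    if evaluate(rules, src, dst, port) == "allow":
                        flows.setdefault(src, []).append((dst, port))
    return flows


def in_scope_by_connectivity(rules, segments, cde="cde"):
    """Non-CDE hosts that can connect into the CDE: connected-to systems
    that stay in PCI DSS scope despite living outside the CDE."""
    return sorted(flows_into_cde(rules, segments, cde))


def isolated_segments(rules, segments, cde="cde"):
    """Segments with no allowed flow into the CDE: candidates to document as out of scope."""
    reaching = set(flows_into_cde(rules, segments, cde))
    return sorted(name for name, hosts in segments.items()
                  if name != cde and not reaching.intersection(hosts))


# Constructed sample environment (hypothetical addresses).
SEGMENTS = {
    "cde":   ["10.10.0.10", "10.10.0.11"],   # POS back end, payment database
    "corp":  ["10.20.0.5", "10.20.0.6"],     # office workstation, reporting server
    "mgmt":  ["10.30.0.2"],                  # admin jump host
    "guest": ["192.168.50.7"],               # guest Wi-Fi client
}

# Hypothetical ruleset, evaluated top to bottom (first match wins).
RULES = [
    Rule("10.30.0.2/32", "10.10.0.0/24", 22, "allow"),     # admin SSH from the jump host
    Rule("10.20.0.6/32", "10.10.0.11/32", 5432, "allow"),  # reporting server reads the payment DB
    Rule("10.20.0.0/16", "10.10.0.0/24", None, "deny"),    # rest of corp blocked
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),          # default deny
]

if __name__ == "__main__":
    for src, dsts in flows_into_cde(RULES, SEGMENTS).items():
        print(src, "->", dsts)
    print("in scope via connectivity:", in_scope_by_connectivity(RULES, SEGMENTS))
    print("isolated segments:", isolated_segments(RULES, SEGMENTS))
```

With these rules the reporting server (10.20.0.6) pulls the whole corporate segment's reporting function into scope through a single allowed database port, and the jump host is in scope as an administrative system; only the guest segment is isolated. Run the same check in the other direction too (CDE hosts as sources), since outbound flows from the CDE also keep the destination systems in scope, and confirm the ruleset's real first-match semantics and any rules the model does not capture (NAT, VPN, cloud security groups) before relying on the result for a segmentation test.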

19 Control in the Cloud Cloud Service Stack (typical)

20 Responsibility in the Cloud
Client control by service model (everything beneath the client's layer is the service provider's responsibility):
- SaaS: the client may have limited control of user-specific application configuration settings.
- PaaS: the client has control over the deployed applications and possibly configuration settings for the application-hosting environment.
- IaaS: the client has control over operating systems, storage and deployed applications, and possibly limited control of select networking components (e.g. host firewalls).

21 Cloud Considerations Sample of PCI Responsibilities in the Cloud

22 Questions for Service Providers
- How long has the service provider been PCI DSS compliant?
- When was its last validation?
- Which specific services and PCI DSS requirements were included in the validation?
- Which specific facilities and system components were included in the validation?
- Ask for proof: a copy of the Attestation of Compliance (AOC) and the applicable sections of the Report on Compliance (ROC)

23 Governance, Risk and Compliance
- Risk management
- Due diligence
- Service Level Agreements (SLAs)
- Business continuity and disaster recovery
- Human resources
- Physical security
- Technical security
- Identity and access management
- Logging and audit trails
- Other considerations

The 3 elements of comprehensive compliance 24

25 Cloud Considerations Sample of PCI Responsibilities in the Cloud

26 Ongoing Process
PCI compliance is an ongoing process of continuous monitoring and improvement: assess, remediate, report. The assessment stage is key.

THANK YOU! 27