Download Information security, sometimes shortened to InfoSec, is the practice

yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts

Multidimensional empirical mode decomposition wikipedia, lookup

History of wildlife tracking technology wikipedia, lookup

Last mile wikipedia, lookup

Data center wikipedia, lookup

Computer security wikipedia, lookup

Total Information Awareness wikipedia, lookup

Where Do You Have Cardholder Data?
Branimir Pacar
Director of PCI & Payment Services
/We are a NASDAQ agile EMEA company/
Cognosec Assesses, Designs, Implements and
Manages Cyber Resilient Solutions
Where do I have CHD and
why is it important?
Compliance vs. Security
Scope of PCI DSS Requirements
The PCI DSS security requirements apply to all system components
included in or connected to the cardholder data environment. The
cardholder data environment (CDE) is comprised of people, processes,
and technologies that store, process, or transmit cardholder data or
sensitive authentication data.
PCI DSS v3.2, page 10
Compliance vs. Security
“Information security, sometimes shortened to InfoSec, is the practice of
preventing unauthorized access, use, disclosure, disruption, modification,
inspection, recording or destruction of information. It is a general term that can
be used regardless of the form the data may take (e.g. electronic, physical).”
Compliance vs. Security
Security should be the goal, Compliance will be a
Defining the scope
Concepts that always apply:
Systems located within the Cardholder data environment (CDE) are in scope
Systems that connect to a system in the CDE are in scope
In a flat network, all systems are in scope
CDE - The people, processes and technology that store, process, or transmit
cardholder data or sensitive authentication data.
The primary account number is the defining factor for cardholder data. If
cardholder name, service code, and/or expiration date are stored, processed
or transmitted with the PAN, or are otherwise present in the cardholder data
environment (CDE), they must be protected in accordance with applicable PCI
DSS requirements
Defining the scope
Annually and prior to the annual assessment the assessed entity should
confirm the accuracy of the scope
Identify the existence of all cardholder data in the environment
Verify no cardholder data exists outside of the CDE
Assessor will validate that the scope of the assessment is accurately
Identifying cardholder data
Manual vs. automated methods
Specialized tools:
Open source
Cooperation between QSA and client
Know the environment
Trust but verify
Manual cardholder data
Work together with your QSA
QSA is not working against you
Use knowledge and experience QSA has
QSA is objective about your environment
No other information than what you provide
Know the environment
Start with the purpose and business model
Review the cardholder data flow and network diagrams
Review the security documentation
Identify the technology used in the environment
Understand the internal organization
Try to resist “Just in case” urge
Test and verify
Test known locations to verify information is accurate
Test connected systems to verified known locations
Wisely determine testing sample
Address technology specifics for tested systems
Perform negative testing
Update the documentation
Invest time and resources to identify CHD in your environment
Proper scoping and CHD identification can save you a lot of time and money
Don’t hide CHD from the QSA – you are just saving it for someone to take
Thank you!