This guide by Christopher Heinz, CISSP, gives 10 tips for running a robust PCI compliance program: understand the impact on reputation, finances and reporting (and the benefits of compliance); know the landscape; reduce scope; consider alternatives such as third-party processors; limit the data you store; be transparent and prepared; know the top attack vectors; treat compliance as an ongoing process; and have a plan (or two). Defined ownership, legal involvement in scoping, and proactive remediation are emphasized throughout.
10 Tips for PCI Compliance programs
Christopher Heinz, CISSP

Overview
• Understand Impact
• Know the landscape
• Reduce scope
• Consider alternatives
• Data storage considerations
• Be transparent
• Be prepared
• Top attack vectors
• Ongoing process is required
• Have a plan (or two)

Understand the impact of PCI
• Reputation
• Financial (processing fees, fines)
• Reporting requirements
• Understand that mitigating risk to card data is the goal
• Potential benefits of program

Know the landscape
• Define compliance ownership
• Involve legal team to determine scope
• Use multiple sources to build consensus

Reduce scope
• Move systems out of scope if possible
• Consider third party solutions where possible
• Map actual data flows
• Stop when it makes sense

Consider alternatives
• Third party processors
• Encryption/hashing
• Do not forget PA-DSS for third party software vendors

Data storage considerations
• CVV/CID (NEVER!)
• Is there a business need to store data?
• Limit risk by limiting data stored
• Data store should be reduced/removed wherever possible
Be transparent
• Obfuscation of situation only hurts, never helps
• Define reporting mechanisms
• Clarity of information/responses should be paramount
• Internal reporting/approvals should be retained

Be prepared
• Compliance packets are helpful
• Ease assessment pain, which limits cost
• Build confidence in program
• Thorough, easy to parse documentation
• Use comments in configs/code anywhere possible

Top Attack Vectors
• Improper Patching
• Insecure code practices
• Default username/password
• Insecure remote access
• Nothing new under the sun (because there doesn't need to be)

Ongoing process is required
• Self assess internally as frequently as practical
• Avoid checkbox mentality
• Apply the Security wheel model (Secure -> Monitor -> Test -> Improve)
• Scanning required quarterly, but meaningless if remediation action not taken
• Compensating controls should be reduced/eliminated

Have a plan (or two)
• Considerable amount of time/effort to maintain compliance
• Have a backup plan (DR, adding new systems, breach)
• Analyze plan, evaluate application of each process
• Consider lessons learned, otherwise they're not "learned"