Upload File

sharing responsibilities: applicability of pci dss

  • Home
  • Documents
  • Sharing Responsibilities: Applicability of PCI DSS
39
Sharing Responsibilities: Applicability of PCI DSS Requirements for Merchants and MNSPs Presenter: Sam Pfanstiel Director, Security Consulting Services ControlScan

Upload: others

Post on 09-Dec-2021

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Sharing Responsibilities: Applicability of PCI DSS

Sharing Responsibilities:

Applicability of PCI DSS

Requirements for Merchants and

MNSPs

Presenter:

Sam Pfanstiel

Director, Security Consulting Services

ControlScan

Page 2: Sharing Responsibilities: Applicability of PCI DSS

Agenda• Housekeeping

• Presenters

• About Conexxus

• Presentation

• Q & A

Page 3: Sharing Responsibilities: Applicability of PCI DSS

HousekeepingThis webinar is being recorded and will be made available in approximately 15 days.

• YouTube (youtube.com/conexxusonline)

• Website Link (conexxus.org)

Slide Deck • Survey Link – Presentation provided at end

Participants• Ask questions via webinar interface

• Please, no vendor specific questions

• Our webinars may be used toward PCI continuing education credits. Please contact [email protected] for questions regarding a certificate of webinar attendance.

Email: [email protected]

mailto:[email protected]
Page 4: Sharing Responsibilities: Applicability of PCI DSS

Presenters Conexxus Host Moderator

Allie Russell Kara Gunderson

Conexxus Chair, Data Security Committee

[email protected] POS Manager, CITGO Petroleum

[email protected]

Speakers

Sam Pfanstiel

MBA, CISSP, CISM, CISA, QSA, QSA(P2PE), QPA

SME, Data Security Committee

Director, Security Consulting Services; ControlScan

[email protected]

mailto:[email protected]
mailto:[email protected]
mailto:[email protected]
Page 5: Sharing Responsibilities: Applicability of PCI DSS

About Conexxus• We are an independent, non-profit, member driven

technology organization

• We set standards…– Data exchange

– Security

– Mobile commerce

• We provide vision– Identify emerging tech/trends

• We advocate for our industry– Technology is policy

Page 6: Sharing Responsibilities: Applicability of PCI DSS

2019 Conexxus Webinar ScheduleMonth/Date Webinar Title Speaker Company

January 24, 2019Who’s Watching Your Network?

What you should know about Managed Detection & Response (MDR)

Mark Carl Tom Callahan

ControlScan

February 28, 2019Protect Your Business: PCI Resources for Securing

Payment Data Elizabeth Terry

PCI Security Standards Council

March 21, 2019 Proactive Defense in DepthBrett Stewart

DeWayne ManganMark Palmer

Acumera

May 30, 2019Firewalls, LANS & WANS

The Basics, The Benefits and The Security!Simon Gamble Mako Networks

June 27, 2019 Web Payment Asipirations Ian Jacobs W3C

July 25, 2019 SkimmingLinda Toth

Paige AndersonCaleb Burke

ConexxusNACSCITGO

August 8, 2019 Application Security 101 Denis Sheridan Synopsys

Page 7: Sharing Responsibilities: Applicability of PCI DSS

Month/Date Webinar Title Speaker Company

August 29, 2019Don’t Get Phished!! Train Your Employees To Avoid

RansomwareGeoffrey Vaughan

Ed AdamsSecurity Innovation

September 26, 2019Using Data Science to Proactively Manage the

Connected C-StoreAshwin SwamyThomas Duncan

Omega ATCOmega ATC

October 24, 2019 Easy PCI—How to Make PCI & Attestation Easier Ajith Edakandi Hughes

November 14, 2019 Impending Consumer Privacy LawsAlan ThiemannPaige Anderson

ConexxusNACS

November 21, 2019Applicability of PCI DSS requirements for Merchants

and MNSPsSam Pfanstiel ControlScan

December 5, 2019 EMVBrian Russell

Linda TothTBD

VerifoneConexxus

Visa

December 12, 2019 EMVGray Taylor

Dispenser Manufacturers Conexxus

TBD

2019-2020 Conexxus Webinar Schedule

Page 8: Sharing Responsibilities: Applicability of PCI DSS

2020 Conexxus Annual Conference

April 26 – April 30, 2020Loews Ventana Canyon

Tucson, AZ

More about Sponsorship Opportunities & Registration: www.Conexxus.org

Conexxus thanks our 2019 Annual Diamond Sponsors!

Page 9: Sharing Responsibilities: Applicability of PCI DSS

Sharing Responsibilities: Applicability of PCI

DSS Requirements for Merchants and MNSPs

Presenter:

Sam Pfanstiel

Director, Security Consulting Services

ControlScan

Page 10: Sharing Responsibilities: Applicability of PCI DSS

Overview

PCI DSS TPSPs

Assessment

• Scoping

•AOC

•Responsibility Matrix

MNSPs

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs10

Page 11: Sharing Responsibilities: Applicability of PCI DSS

PCI DSS

Payment Card Industry Data Security Standard

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs11

Page 12: Sharing Responsibilities: Applicability of PCI DSS

PCI Data Security Standard• 251 Requirements in v3.2.1

– Not counting service provider requirements and appendices

– Apply to merchant that operates the card present environment

• All are “required” for all merchants

• Some payment configurations may render some controls “not applicable” (e.g., SAQ eligibility)

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs12

Page 13: Sharing Responsibilities: Applicability of PCI DSS

PCI DSS Document Repository

• https://www.pcisecuritystandards.org/document_library

• Requirements and Security Assessment

Procedures 3.2.1 (link)

• Third-party Security Assurance guidance (link)

• SAQs (Self-Assessment Questionnaires)

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs13

https://www.pcisecuritystandards.org/document_library
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf
https://www.pcisecuritystandards.org/documents/ThirdPartySecurityAssurance_March2016_FINAL.pdf
Page 14: Sharing Responsibilities: Applicability of PCI DSS

TPSP

Third-Party Service Providers

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs14

Page 15: Sharing Responsibilities: Applicability of PCI DSS

TPSPs: TypesStore/process CHD

• Call center

• E-commerce service

• Loyalty host

• Processors

• Gateways

Secure CHD

• Media destruction

• Tokenization

• Encryption service / KIF

• POS vendor, integrators, resellers

Securing CDE

• Data centers

• Managed infrastructure

• Managed network

• Monitoring/alerting

Incidental access to CHD or CDE

• IT support

• Software developers

• Maintenance services

• Product Delivery

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs15

Page 16: Sharing Responsibilities: Applicability of PCI DSS

TPSPs and PCI DSS• Vendor Risk Management & PCI Requirements

– Disseminate Information Security Policy (12.1)

– Risk Assessment (12.2)

– List (12.8.1)

– Written agreement that acknowledges PCI responsibility (12.8.2)

– Due Diligence (12.8.3)

• Compliance Responsibilities– Monitor compliance (12.8.4)

– Maintain list of PCI DSS requirements (12.8.5)

• Change Notification

• Incident Response (12.8.3, 12.10)

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs16

Page 17: Sharing Responsibilities: Applicability of PCI DSS

ASSESSMENT

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs17

Page 18: Sharing Responsibilities: Applicability of PCI DSS

Assessments: Documents• List of TPSPs with description

• TPSP control responsibilities– Responsibility Matrix

• Attestation of Compliance (AOC)– ROC (optional: May be partial or redacted)

• Other Evidence– Agreements/templates

– Risk assessment

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs18

Page 19: Sharing Responsibilities: Applicability of PCI DSS

Assessment: Environmental Scope

• People – TPSP contractors or roles

• Process – TPSP services

• Technology – TPSP systems

• In Scope– CDE

– Security Affecting Systems

– Connected-to Systems

• Segmentation

• Applicable Product / Service / Delivery model (see AOC)

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs19

Page 20: Sharing Responsibilities: Applicability of PCI DSS

Assessment: Environmental Scope

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs20

Sample list template available for download at https://www.controlscan.com/TPSP-Management

https://www.controlscan.com/TPSP-Management
Page 21: Sharing Responsibilities: Applicability of PCI DSS

Assessment: Control Scope

• Is Function providing Security Control?

• Did they meet it,or deem it N/A

• How are you monitoring that TPSP is meeting control (12.8.4)?

• Is Responsibility Matrix provided? If not, you must create (12.8.5)

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs21

Page 22: Sharing Responsibilities: Applicability of PCI DSS

AOC

Attestation of Compliance

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs22

Page 23: Sharing Responsibilities: Applicability of PCI DSS

AOC: Part 2e

• Read the description

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs23

Page 24: Sharing Responsibilities: Applicability of PCI DSS

AOC: Part 2a

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs24

vs

• View service names and types

Page 25: Sharing Responsibilities: Applicability of PCI DSS

AOC: Part 2g

• Every N/A must be noted

• What is N/A for the TPSP may not be N/A for the merchant

• It is the merchant’s responsibility to compare these controls against PCI DSS

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs25

Page 26: Sharing Responsibilities: Applicability of PCI DSS

AOC: Part 2f

• PA-DSS software services: confirm QIR

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs26

Page 27: Sharing Responsibilities: Applicability of PCI DSS

AOC: Part 3

• Is AOC compliant?

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs27

Page 28: Sharing Responsibilities: Applicability of PCI DSS

Responsibility Matrix

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs28

• May or may not be provided by TPSP

– Not required

– AOC Part 2g provides sufficient information to inform conversation

• In lieu of responsibility matrix:

– TPSP agreement must specify (12.8.2)

– Controls maintained by Merchant (12.8.5)

Page 29: Sharing Responsibilities: Applicability of PCI DSS

Responsibility Matrix

Sample responsibility matrix available for download at https://www.controlscan.com/TPSP-Management

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs29

https://www.controlscan.com/TPSP-Management
Page 30: Sharing Responsibilities: Applicability of PCI DSS

MNSP

Managed Network Service Providers

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs30

Page 31: Sharing Responsibilities: Applicability of PCI DSS

MNSP – Remote Access

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs31

Page 32: Sharing Responsibilities: Applicability of PCI DSS

MNSP – CHD Flow

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs32

Page 33: Sharing Responsibilities: Applicability of PCI DSS

MNSP PCI DSS Responsibilities

• 1 – Firewalls

(both hosted and on-premises)

• 8.1, 8.3, 8.5 – Managing vendor IDs and

remote access to environment

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs33

Page 34: Sharing Responsibilities: Applicability of PCI DSS

Possible MNSP Responsibilities

• 4 – Encryption for CHDcommunications from site to processor

• 6 – Custom application for conversion of cardholder data to the payment host

• 10 – May perform logging and monitoring

• 11 – May perform external and internal network testing

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs34

Page 35: Sharing Responsibilities: Applicability of PCI DSS

SHARED Responsibilities

MNSP and merchant each…

• 2 – Securely configure respective systems

• 4 – Encrypt CHD on respective networks

• 5 – Have antimalware on applicable systems

• 6 – Have secure software (e.g., PA-DSS)

• 10 – Track and monitor respective systemsConexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs35

Page 36: Sharing Responsibilities: Applicability of PCI DSS

Merchant Responsibilities

• 1.4 – Personal firewalls

• 3 – Protect cardholder data

• 7 – Access control responsibilities

• 9 – Physical security

• 11 – Testing

• 12 – Risk management and infosec policies

• 12.8.9 – One-time support password

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs36

Page 37: Sharing Responsibilities: Applicability of PCI DSS

Conexxus: Sharing Responsibilities: Applicability of

PCI DSS Requirements for Merchants and MNSPs37

Page 38: Sharing Responsibilities: Applicability of PCI DSS

• Website: www.conexxus.org

• Email: [email protected]

• LinkedIn Profile: Conexxus.org

• Follow us on Twitter: @Conexxusonline

Page 39: Sharing Responsibilities: Applicability of PCI DSS

DISCLAIMER: Conexxus does not endorse any products or services that may be described or mentioned in this presentation. The views and opinions expressed in this presentation are solely those of the speakers and not of Conexxus. By hosting this webinar, Conexxus is not providing any legal advice; if you have any questions about legal issues raised or discussed, you should seek the assistance of attorneys who are competent in that area.


PCI DSS Compliance PCI DSS... · Introduction to PCI DSS 3 . PCI Security Standards Card Schemes Acquirer Council (PCI SSC) 4 Overview of PCI DSS Roles and Responsibilities Each of

LESS IS MORE PCI DSS SCOPING DEMYSTIFIED - … IS MORE PCI DSS SCOPING DEMYSTIFIED . ... PCI DSS assessment. However, ... PA-QSA . PCI Awareness . QSA . Guidance . Mobile

PCI DSS Prioritized Approach for PCI DSS 3 · PDF file2 PCI DSS Prioritized Approach for PCI DSS 3.2 2016 PCI Security Standards Council LLC. The intent of this document is to provide

PCI DSS 1 - PCI Security Standards · PDF filePCI DSS D, 2.0, 2010 . (C) PCI Security Standards Council LLC, 2010 i 1 2008 . 1.2 PCI DSS 1.2 1.1. 28 2010 . 2.0 PCI DSS 2.0

WHITE P APER JUNE 2017 REDHAT OPENSHIFT CONTAINER … · white p aper – june 2017 redhat openshift container platform product applicability guide for pci dss 3.2 applicability to

Demystifying PCI DSS - csmres.co.ukcsmres.co.uk/.../article-downloads/Rapid7---Demystifying-PCI-DSS-eB… · Demystifying PCI DSS Expert Tips and Explanations to Help You Gain PCI

Townsend Security Addendum to VMware Product …PCI DSS 3.0, which is documented in the VMware Product Applicability Guide for PCI-DSS 3.0 on the VMware Solutions Exchange under the

PCI Compliance: Made Easy · 2019-11-02 · October 24, 2019 Easy PCI—How to Make PCI & Attestation Easier Ajith Edakandi Hughes November 21, 2019 Applicability of PCI DSS requirements

Zahlungskartenbranche (PCI) Datensicherheitsstandard (DSS ...€¦ · (2) Ein ähnliches Verteidigungslevel wie die ursprüngliche PCI-DSS-Anforderung bieten; (3) Über andere PCI-DSS-Anforderungen

Управление соответствием PCI DSS - Секция 5 - Выполнение требований PCI DSS

PCI DSS Compliance

Payment Card Industry (PCI) Data Security Standardo PCI DSS – Summary of Changes from PCI DSS version 2.0 to 3.0 o PCI DSS Quick Reference Guide o PCI DSS and PA-DSS Glossary of

Presentación PCI-DSS

PCI DSS v3.2 Continuous Compliance & Audit ReadinessPCI DSS v3.2 Continuous Compliance & Audit Readiness Author Tufin Subject PCI DSS v3.2 compliance Keywords PCI DSS v3.2 compliance,

PCI DSS & PA DSS Version 3.0

PCI DSS and PA DSS

P2PE - PCI DSS

Pci dss v2

PCI DSS Self-Assessment Completion Steps - Finance and ... · Web viewFor details of PCI DSS changes, see PCI DSS – Summary of Changes from PCI DSS Version 3.1 to 3.2. Requirements

PCI DSS Overview

Управление соответствием PCI DSS - Секция 2 - Внедрение стандарта PCI DSS

PCI and PCI DSS Overview

PCI DSS Certification

Hpe secure data-payments-pci-dss-control-applicability-assessment

Navigating PCI DSS

PCI DSS 3.2

PCI DSS Compliance - vectra-corp.com.au DSS... · PCI DSS compliance is about protecting Payment Card Data PCI DSS stands for Payment Card Industry Data Security Standard. The PCI

Jornada PCI DSS

Red Hat Product Applicability Guide for PCI DSS version 3 · Red Hat Product Applicability Guide for PCI DSS 3.2 | White Paper 3 EXECUTIVE SUMMARY Red Hat, Inc. (Red Hat) delivers

PCI DSS Compliance - WhiteCanyon Softwarerequirements for PCI DSS Certification. WHAT DOES IT MEAN TO BE PCI-DSS COMPLIANT? Businesses that achieve PCI DSS certification enjoy access

Управление соответствием PCI DSS - Секция 1 - Обзор стандарта PCI DSS

PCI DSS Virtualization Guidelines - Official PCI … DSS Virtualization Guidelines Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date: June 2011 Author: Virtualization

Information Supplement - PCI DSS Wireless Guidelines · PDF fileInformation Supplement: PCI DSS Wireless Guidelines Standard: PCI Data Security Standard (PCI DSS) Version: 2.0 Date:

PCI DSS & PII

PCI-DSS 3.0 and Application Security - Quotium · PCI-DSS 3.0 AND APPLICATION SECURITY Achieving PCI DSS Compliance with Seeker This paper discusses PCI DSS and the vital role it