Webinar: PCI DSS Compliance Checklist | ControlCase

Introduction

The speaker welcomes the audience to a webinar on PCI DSS compliance checklist and provides some housekeeping items before starting.

  • The speaker introduces himself as Kishor Veswani, the Chief Strategy Officer of Focus.
  • A copy of the slides and related checklists will be distributed to everyone, and a recording of the webinar will be sent early next week.
  • Participants can ask questions by typing them in the questions window or report any audio/visual difficulties in the chat window.
  • The session is expected to run for 20-30 minutes with ample time for Q&A.
  • Control Case is introduced as an IT certification and continuous compliance services company with over 1000 customers and 275 security experts.

Agenda

The speaker outlines what will be covered in the webinar.

  • The presentation will focus on PCI DSS basics such as what it is, where it applies, its principles, requirements, liabilities, etc.
  • Participants are encouraged to ask questions throughout the presentation.
  • Control Case's certification services are briefly mentioned again.

What is PCI DSS?

This section explains what PCI DSS is and its purpose.

  • In 2006, leading payment brands formed the PCI Data Security Standard (PCI DSS), maintained by the PCI Security Standards Council.
  • Its purpose is to provide operational, technical, and process competence required to protect cardholder data within enterprises.
  • It focuses on protecting credit/debit card data such as primary account numbers, cardholder names, track data, CVV numbers, PIN blocks, etc.

Who does it apply to?

This section explains who needs to comply with PCI DSS.

  • It applies to entities that store, process or transmit cardholder data.
  • It applies to stakeholders and systems involved in the payment ecosystem such as merchants, service providers, and banks.

Control Case Services

This section provides an overview of Control Case's certification services.

  • Control Case focuses on IT certification and related continuous compliance services.
  • They take a partnership approach rather than acting as a checklist auditor, and use automation to streamline the certification process.
  • The company offers various certification services beyond PCI DSS.

Conclusion

The speaker concludes the webinar by thanking the audience for attending and inviting them to visit their website for future webinars.

  • The speaker thanks the audience for attending and encourages them to sign up for future webinars on their website.
  • Participants can also access earlier webinars posted on their website.
  • The session ends with a reminder that questions can be asked at any time.

Introduction to PCI DSS

In this section, the speaker introduces the need for PCI DSS and discusses the stakeholders involved in maintaining compliance.

Stakeholders in PCI DSS

  • Acquiring banks, merchants, service providers, and qualified security assessors like Control Case are all stakeholders in maintaining PCI compliance.
  • Control Case is certified by the PCI council to provide PCI DSS certification services as a qualified security assessor.

Six High-Level Principles of PCI DSS

In this section, the speaker discusses the six high-level principles of PCI DSS that serve as overarching guidelines for protecting cardholder data.

The Six Principles

  • Principle 1 - Build and maintain a secure network
  • Principle 2 - Protect cardholder data
  • Principle 3 - Maintain a vulnerability management program
  • Principle 4 - Implement strong access control measures
  • Principle 5 - Regularly monitor and test networks
  • Principle 6 - Maintain an information security policy that covers key areas

Detailed Requirements of PCI DSS

In this section, the speaker provides an overview of the twelve detailed requirements of PCI DSS that align with the six high-level principles discussed earlier.

The Twelve Requirements

  • Requirement 1 - Firewalls and DMZ
  • Requirement 2 - Configuration standards
  • Requirement 3 - Encryption of cardholder data
  • Requirement 4 - Protection against malware
  • Requirement 5 - Secure access control measures
  • Requirement 6 - Regularly updated anti-virus software
  • Requirement 7 - Restrict access to cardholder data by business need-to-know
  • Requirement 8 - Unique IDs for system access and audit trails
  • Requirement 9 - Physical security measures for cardholder data protection
  • Requirement 10 - Logging and monitoring of network activity and access to cardholder data
  • Requirement 11 - Regular testing of security systems and processes
  • Requirement 12 - Information security policies that address all personnel

Conclusion

In this section, the speaker concludes the presentation on PCI DSS by summarizing the key points discussed earlier.

Key Takeaways

  • PCI DSS is a set of guidelines designed to protect cardholder data.
  • There are six high-level principles that serve as overarching guidelines for protecting cardholder data.
  • The twelve detailed requirements align with these six principles and provide specific guidance on how to maintain compliance.

Requirement 4: Encryption in Transmission

This section covers the importance of encrypting cardholder data during transmission.

Encryption Standards

  • PCI DSS requirement number four mandates that all cardholder data transmitted must be encrypted using a strong standard of encryption.
  • This applies to all forms of transmission, including VPN, secure channels, and portals.

Requirement 5: Antivirus

This section covers the importance of antivirus software in meeting PCI DSS requirements.

Antivirus Deployment

  • Requirement number five mandates that anti-virus software is deployed and configured properly.
  • Anti-virus software should catch all common viruses and malware.
  • Anti-virus software is not foolproof, which is why the other, layered (defence-in-depth) requirements exist.

Requirement 6: Secure Applications

This section covers the importance of developing secure applications to meet PCI DSS requirements.

Application Security

  • Requirement number six mandates that all applications are developed securely and tested for vulnerabilities.
  • Vulnerabilities at the application layer can be defined using industry standards such as OWASP.

Requirements 7 & 8: Logical Access Control

This section covers logical access control measures required by PCI DSS.

Password Protection

  • Requirements seven and eight mandate password protection measures such as ensuring access is given only to authorized personnel.

Remote Access Control

  • Access control measures must also be implemented for remote access to assets within an organization.
  • Logical access control (LAC) must be addressed when rolling out systems and applications.

Requirement 9: Physical Access Control

This section covers physical access control measures required by PCI DSS.

Physical Security Measures

  • Requirement number nine mandates physical security measures such as CCTV, badge access, and visitor procedures.
  • Cloud service providers are responsible for ensuring physical access control if assets are stored in the cloud.

Requirement 10: Logging and Monitoring

This section covers logging and monitoring requirements mandated by PCI DSS.

SIEM Technology

  • Requirement number ten mandates the use of SIEM technology to capture logs.
  • Intrusion detection must be properly configured, and there should be a scalable process to respond to incidents.

Requirement 11: Vulnerability Management

This section covers vulnerability management requirements mandated by PCI DSS.

Scanning Requirements

  • Vulnerability scanning (internal and external) and wireless access point reviews must be done quarterly.
  • Penetration testing (internal, external, application, segmentation, etc.) must be done annually or semiannually.

Requirement 12: Policies and Procedures

This section covers policies and procedures required by PCI DSS.

Policy Compliance

  • Requirement number twelve mandates that policies and procedures are documented, people are trained on them, vendors adhere to them, compliance is monitored against them, and there is an incident management plan in place.

Answering Questions After the Webinar

The speaker explains that any questions not answered during the webinar will be addressed via email.

  • Any remaining questions will be answered by email after the webinar.

Liabilities of Not Complying with PCI DSS

The speaker discusses the potential liabilities of not complying with PCI DSS.

  • Non-compliance can result in financial penalties, loss of revenue, damage to company reputation, and loss of contracts.
  • PCI DSS was created to protect cardholder data.
  • Compliance with other regulations and continuous compliance can help achieve cost-effective compliance.

Why Choose Control Case for Compliance Services

The speaker explains why Control Case is a good choice for compliance services.

  • Control Case focuses on certification and continuous compliance services.
  • They use automation to make compliance more cost-effective and accurate.
  • They offer "assess once, comply to many" audits.
  • They are partners in certification as a QSA (Qualified Security Assessor).

Effect of COVID Pandemic on PCI Compliance

The speaker addresses how the COVID pandemic has affected PCI compliance.

  • Qualified security assessors like Control Case are allowed to conduct remote assessments if they meet all control testing requirements.

Remote Assessments and Continuous Compliance

In this section, the speaker discusses how remote assessments and automation are becoming more prevalent due to the COVID-19 pandemic. They also explain what continuous compliance is and provide an overview of the 20-25 high-risk questions that are evaluated every quarter.

Remote Assessments

  • The company has released vulnerability assessment and penetration testing technologies that customers can deploy remotely.
  • Streamlining through automation continues to be a major area of focus for companies adjusting to the pandemic situation.

Continuous Compliance

  • The 20-25 high-risk questions evaluated every quarter are around important operational elements such as vulnerability scanning, firewall rule set review, data discovery, scope evaluation, monitoring, and log reporting.
  • Control Case uses a library of English-like questions with templates as a framework for their assessments.
  • Generally, those 20 to 25 questions remain the same but are customized for each customer.
  • Customers can reach out to Control Case through their website or by phone for any other questions they may have.