PCI 101: Trustwave Corporate Profile
Post on 18-Dec-2015
Copyright Trustwave 2008 Confidential
Founded in 1995
Approximately 600 employees in 21 locations on six continents
Chicago is global HQ; London, Sydney and São Paulo are regional HQs
Secure Operation Centers in Chicago and Warsaw
Award-winning, patented security technology
Thousands of customers throughout the world, including 6 of the Fortune Top 10
Awards:
2009 SC Magazine “Recommended” – Managed Security Services
2010 SC Magazine “Finalist” – Encryption
2009 Frost & Sullivan – NAC Best Practices
Forrester 9 out of 10 rating – NAC solution
Trustwave is an established company serving a global client base with industry-leading solutions
Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
MSSP with more than 1,400 devices under management
Monitor more than 18 million events per day
Top 10 global Certificate Authority with more than 40,000 SSL certificates issued
Performed more than 2,000 network and application penetration tests
Conducted more than 740 forensic investigations
PCI DSS leader – Trustwave has certified 42 percent of PSPs and 40 percent of payment applications
Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)
The leader in compliance and data security
Global Presence
Global Headquarters: Chicago, IL
EMEA Headquarters: London, UK
LAC Headquarters: São Paulo, Brazil
APAC Headquarters: Sydney, Australia
Other offices:
Toronto, Canada
Bogotá, Colombia
Dallas, TX
Austin, TX
Mexico City, Mexico
Santiago, Chile
Pretoria, South Africa
Dubai, United Arab Emirates
Mumbai, India
Tokyo, Japan
Shanghai, China
Beijing, China
Rennes, France
Stockholm, Sweden
Budapest, Hungary
Kiev, Ukraine
Pittsburgh, PA
Boston, MA
Denver, CO
Warsaw, Poland
Frankfurt, Germany
Annapolis, MD
Belo Horizonte, Brazil
Payment Card Acceptance
The Payment Card Industry’s Data Security Standard states:
PCI Data Security Requirements apply to all members, merchants, and service providers that store, process or transmit cardholder data.
The Mandate: Visa Merchant Levels Defined
Merchant classification criteria (as of July 18, 2006):
Level 1: Any merchant, regardless of acceptance channel, that:
• Processes over 6 million Visa transactions per year
• In some cases, has suffered a hack or an attack that resulted in an account data compromise
• Has been identified by any other payment card brand as Level 1
Level 2: Any merchant that processes 1 million to 6 million Visa transactions, regardless of acceptance channel
Level 3: Any merchant that processes 20,000 to 1 million Visa e-commerce transactions
Level 4: Any merchant that processes fewer than 20,000 Visa e-commerce transactions, or fewer than 1 million Visa transactions regardless of acceptance channel
Validation Actions Depend on Level
Merchant Level 1
Validation action: Annual On-site PCI DSS Data Security Assessment
Validated by: Qualified Security Assessor
Deadline: 9/30/04 (Visa’s new Level 1 merchants have up to one year from identification to validate)
Validation action: Quarterly Network Scan
Validated by: Approved Scanning Vendor
Merchant Level 2
Validation action: Annual PCI DSS Self-Assessment Questionnaire / Annual On-site PCI DSS Data Security Assessment
Validated by: Merchant / Qualified Security Assessor
Deadline: 6/30/05 (Visa’s new Level 2 merchants have until 9/30/07)
Validation action: Quarterly Network Scan
Validated by: Approved Scanning Vendor
Validation Actions Depend on Level (cont.)
Merchant Level 3
Validation action: Annual PCI DSS Self-Assessment Questionnaire
Validated by: Merchant
Deadline: 6/30/05
Validation action: Quarterly Network Scan
Validated by: Approved Scanning Vendor
Merchant Level 4
Validation action: Annual PCI DSS Self-Assessment Questionnaire
Validated by: Merchant
Deadline: Validation requirements and dates are determined by the merchant’s acquirer
Validation action: Quarterly Network Scan
Validated by: Approved Scanning Vendor
Six Goals, Twelve Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
Top PCI DSS Violations
Violations found in incident response investigations in 2009:
Requirement 1: Install and maintain a firewall to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults
Requirement 3: Protect stored data
Requirement 6: Develop and maintain secure systems and applications
Requirement 8: Assign a unique ID to each person with computer access
Requirement 10: Track and monitor access to network and card data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security
Self Assessment Questionnaire (SAQ) 1.2
Validation Type 1: SAQ 1.2 A (13 questions). Card-not-present merchants only that outsource all parts of the credit card transaction. Data is only kept in paper reports.
Validation Type 2: SAQ 1.2 B (27 questions). The merchant only accepts payment cards using an imprint machine and does not keep any card data electronically.
Validation Type 3: SAQ 1.2 B (27 questions). Merchants who use a stand-alone, dial-out terminal connected to a phone line or processor. The terminal has NO internet connection and no data is stored electronically.
Validation Type 4: SAQ 1.2 C (41 questions). The payment application is connected to the internet but is not connected to any other system within the network. No data is stored electronically. Service providers who connect remotely to the application are in compliance with security best practices.
Validation Type 5: SAQ 1.2 D (222 questions). Any merchant that does not fit any of the above categories, and any eligible service provider.
Resources
PCI Security Standards Council:
https://www.pcisecuritystandards.org/index.shtml
Visa CISP:
http://www.visa.com/cisp
MasterCard SDP:
http://www.mastercard.com/sdp
TrustKeeper
• TrustKeeper is Trustwave's compliance portal that merchants will use to manage, track and validate their compliance status.
• TrustKeeper is the leading portal used by acquiring banks to monitor PCI DSS compliance status among merchants.
• TrustKeeper offers easy-to-use vulnerability assessment and management services to help merchants meet all their PCI DSS compliance requirements.
TrustKeeper Agent
• TrustKeeper Agent is an optional component of TrustKeeper that installs on Windows PCs or PC based payment terminals.
• TrustKeeper Agent:
– Assists with setting up and managing vulnerability scans
– Collects information needed to answer technical system questions and reports back to TrustKeeper
– Monitors systems to ensure the security and data storage settings meet the requirements of the PCI DSS
– Provides information for summarized and detailed reports in TrustKeeper
Security Policy Advisor
TrustKeeper’s Security Policy Advisor