The PCI DSS -- Meeting the Challenges
Any organization involved in processing credit card transactions has undoubtedly been made aware of the "Payment Card Industry Data Security Standard" (PCI DSS). Published by the PCI Security Standards Council, the PCI DSS stipulates numerous, and some say quite onerous, requirements for the secure processing and storage of Primary Account Number (PAN) data. These apply to every "system component" in or connected to the cardholder data environment: servers, applications, and network devices alike, which means not only the obvious web and database servers but also mail, network time protocol, and even domain name servers. As one expert assessor was heard to comment, "just because you're secure doesn't mean you're PCI-compliant".
During this three-day session, we'll examine the 12 DSS requirements as they are published in version 2.0 of the Standard, as well as all the changes in the latest version 3.0. (Version 3.0 was published in November 2013 and took effect on 1 January 2014; version 2.0 remains valid for assessments only until 31 December 2014.)
For each area, we'll look at some of the potential problem areas that commonly arise, with particular focus on issues like rendering stored PANs unreadable (Requirement 3.4), transmitting cardholder data over wireless and other public networks (Requirement 4.1), and logging and monitoring access to cardholder data (Requirement 10). We'll also consider possible compensating controls that may be employed where a requirement cannot be met as written, in order to pass an assessment and validate compliance.
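As an added illustration of Requirement 3.4 (not part of the course material), the Python below shows the two cheapest ways of rendering a stored PAN unreadable, truncation and a one-way hash of the entire PAN, next to the caveat the Standard attaches to them: if both the truncated and the hashed form of the same PAN are available to an attacker, an unkeyed hash can be brute-forced back to the full PAN in seconds, so the two must not be correlatable. The PAN is the well-known Luhn-valid test number 4111111111111111, the HMAC key is an assumed placeholder, and `recover_pan` is the correlation attack, written here to show why a keyed hash (or tokenization) is the safer choice.

```python
"""Added example for PCI DSS Requirement 3.4: truncation, hashing and the
truncation-plus-hash correlation risk. Constructed data only."""
import hashlib
import hmac
import itertools
from typing import Optional

# Constructed, well-known test PAN (Luhn-valid). Never use real cardholder data.
SAMPLE_PAN = "4111111111111111"

# Assumed placeholder secret. In a real deployment the key lives in an HSM or
# KMS under the key-management controls of Requirements 3.5 and 3.6.
ASSUMED_HASH_KEY = b"example-key-do-not-use"


def luhn_valid(pan: str) -> bool:
    """Mod-10 (Luhn) check digit test, the usual way to recognise PAN-shaped data."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display masking (Requirement 3.3): at most first six and last four visible."""
    if len(pan) < 13:
        raise ValueError("PAN too short")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage (Requirement 3.4): the middle digits are discarded,
    not hidden, so the stored value alone cannot yield the PAN."""
    return pan[:6] + pan[-4:]


def hash_pan_unkeyed(pan: str) -> str:
    """One-way hash of the entire PAN. Acceptable under 3.4 on its own, but
    brute-forceable once a truncated copy of the same PAN is also stored."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan_keyed(pan: str, key: bytes = ASSUMED_HASH_KEY) -> str:
    """HMAC over the entire PAN: without the key, the attack below cannot
    test candidates, so truncated and hashed copies no longer correlate."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str, pan_length: int = 16) -> Optional[str]:
    """Correlation attack: given first6+last4 and an unkeyed hash of the same
    PAN, brute-force the missing middle digits. For a 16-digit PAN that is
    10**6 candidates, about 10**5 after the Luhn filter: seconds of work."""
    first6, last4 = truncated[:6], truncated[-4:]
    missing = pan_length - 10
    for middle in itertools.product("0123456789", repeat=missing):
        candidate = first6 + "".join(middle) + last4
        if luhn_valid(candidate) and hash_pan_unkeyed(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    stored_truncated = truncate_pan(SAMPLE_PAN)
    stored_hash = hash_pan_unkeyed(SAMPLE_PAN)
    print("masked for display :", mask_pan(SAMPLE_PAN))
    print("stored (truncated) :", stored_truncated)
    print("stored (sha256)    :", stored_hash)
    print("recovered from both:", recover_pan(stored_truncated, stored_hash))
```

The practical reading of the Standard's note on 3.4: either keep truncated and hashed forms of the same PAN apart (different systems, different trust zones), or replace the plain hash with a keyed hash or an index token whose lookup table is itself protected with strong cryptography and key management.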
In addition to the PCI DSS, we'll review the requirements of the PCI Security Standards Council's "Payment Application Data Security Standard" (PA-DSS), again covering versions 2.0 and 3.0. The PA-DSS is extremely important to any organization creating and selling payment applications that will process PANs. But anyone buying a payment application should also be keenly aware of the PA-DSS requirements, since a validated application makes it far easier to pass their own PCI DSS assessment.
The course includes a review of the criteria used to determine which organizations require a formal on-site assessment by a Qualified Security Assessor (QSA), as well as the ongoing testing obligations of Requirement 11: quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and annual penetration testing. We'll cover the assessment process itself, as well as the resultant Report on Compliance.
Finally, we'll look at the available self-assessment questionnaires, and their use in preparing for a full PCI DSS review.
- Details on the PCI DSS and the standards setting process
- Compliance levels and assessments required
- Gap analysis
- Typical problem areas
- Possible solutions
- Compensating controls
After completing this course, you will be able to help your organization work with your Qualified Security Assessor to identify and remediate security deficiencies, and successfully achieve PCI DSS compliance.
- In-class lecture with experienced instructor
- Case studies involving group work