
Data Discovery and PCI DSS

Date post: 03-Jul-2015
Upload: controlcase
Description:
In this 45 minute webinar ControlCase will discuss the following - What is Data Discovery - Why Data Discovery - PCI DSS requirements - Need for Data Discovery in the context of PCI DSS - Challenges in the Data Discovery space
Data Discovery and PCI DSS By Kishor Vaswani, CEO - ControlCase
Transcript
Page 1: Data Discovery and PCI DSS

Data Discovery and PCI DSS
By Kishor Vaswani, CEO - ControlCase

Page 2: Data Discovery and PCI DSS

Agenda

• About Data Discovery

• PCI DSS Requirements and need for Data Discovery in the context of PCI DSS

• Challenges in the Data Discovery space

• Q&A

Page 3: Data Discovery and PCI DSS

About Data Discovery

Page 4: Data Discovery and PCI DSS

Current Technology Environment

• Servers – Windows, Unix etc.

• Databases – SQL Server, Oracle etc.

• Email

• File systems

Page 5: Data Discovery and PCI DSS

What is Data Discovery

• Ability to identify and pinpoint sensitive data across

› File Shares

› Servers

› Databases

› Email

› Log files

› Etc.

Page 6: Data Discovery and PCI DSS

Why is it important

• GRC focuses on confidentiality, integrity and availability

• Confidentiality is always focused on “Data”

• Sensitive data must be protected, but the first step is knowing where that data resides

• Hence, it is important to identify where sensitive data resides

Page 7: Data Discovery and PCI DSS

PCI DSS Requirements and Data Discovery

Page 8: Data Discovery and PCI DSS

What is PCI DSS?

Payment Card Industry Data Security Standard:

• Guidelines for securely processing, storing, or transmitting payment card account data

• Established by leading payment card issuers

• Maintained by the PCI Security Standards Council (PCI SSC)

Page 9: Data Discovery and PCI DSS

PCI DSS Requirements

Control Objectives and Requirements

Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications

Implement strong access control measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an information security policy
12. Maintain a policy that addresses information security

Page 10: Data Discovery and PCI DSS

Protect Stored Cardholder Data

You must ensure stored data is encrypted and protected.

Page 11: Data Discovery and PCI DSS

PCI Council Advisory…

• Importance of Updating Scope for PCI DSS Assessments

There have been a number of high profile data compromises in the press recently. These reports serve as a daily reminder of the damage caused by compromises and of the need to keep business environments secure. Businesses evolve and change over time, and the scope of an entity's cardholder data environment must be reviewed and verified each time a PCI DSS assessment is undertaken. As has always been the case, many compromises are the result of businesses having data they weren't aware of. Please remember that scoping an assessment includes verifying that no cardholder data exists outside of the defined cardholder data environment. By ensuring the scope of an assessment is appropriate, the risk of data compromise is greatly reduced - a benefit to everyone involved.

Page 12: Data Discovery and PCI DSS

Challenges in Data Discovery

Page 13: Data Discovery and PCI DSS

Challenges

• Deployment and agents

› Can get expensive

› Technologically complicated

› Long deployment cycles

› Databases are a challenge

• False Positives

› Luhn’s formula narrows candidates down but is not foolproof

› Many schemes use Luhn’s formula to generate numbers

› Separators and delimiters change
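
Added example (not from the webinar or any ControlCase tool) showing why Luhn only narrows the candidate set, and how separator handling and token exclusion fit around it. The separator set, the token prefix 9999 and the sample text are constructed assumptions.

```python
import re

# Separators tolerated between digit groups; the slide notes these vary by
# source, so keep them configurable (space and dash assumed here).
SEPARATORS = " -"
# Candidate PAN: 13 to 19 digits, optionally split by single separators.
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?:\d[" + re.escape(SEPARATORS) + r"]?){12,18}\d(?!\d)"
)

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, the formula card brands (and IMEIs etc.) share."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def normalize(candidate: str) -> str:
    """Drop separators so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return "".join(c for c in candidate if c.isdigit())

def mask(pan: str) -> str:
    """Keep first 6 / last 4 so the discovery report is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text: str, token_prefixes=()) -> list:
    """Masked Luhn-valid candidates, minus known vault-token prefixes."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = normalize(m.group())
        if not luhn_ok(digits):
            continue  # Luhn narrows the set, but the IMEI below still passes
        if digits.startswith(tuple(token_prefixes)):
            continue  # format-preserving token from a vault, not a real PAN
        hits.append(mask(digits))
    return hits

# Constructed sample: two public test PANs, a Luhn-valid IMEI-style value,
# a non-Luhn digit run, and a made-up Luhn-valid token with prefix 9999.
SAMPLE = """\
order 1: card 4111 1111 1111 1111 exp 12/26
order 2: card 5500-0000-0000-0004
device imei 490154203237518 (not a card)
ref 1234 5678 1234 5678 (fails luhn)
vault token 9999000000000129
"""
```

Without a token prefix list the vault token is reported as a card, and the IMEI-style value is reported either way: Luhn validity alone cannot tell a PAN from other Luhn-generated identifiers.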

Page 14: Data Discovery and PCI DSS

Challenges

• Performance within production environments

› Database load

› Large number of records in databases

› Active Directory scanning

› Emails storing cardholder data

• Tokenization

› Differentiation between tokens and real card numbers

• Exclusions

› Directories

› Files

› Extension types

› Tables/Columns

Page 15: Data Discovery and PCI DSS

Features to look for – Agentless/Credential Based

Page 16: Data Discovery and PCI DSS

Features to look for – Database Search Capability

Page 17: Data Discovery and PCI DSS

Features to look for – Remediation support

Page 18: Data Discovery and PCI DSS

Features to look for – Delimiter definition

Page 19: Data Discovery and PCI DSS

Features to look for – Performance tuning

Page 20: Data Discovery and PCI DSS

Features to look for – Token exclusion capability

Page 21: Data Discovery and PCI DSS

Features to look for – File/Directory Exclusion

Page 22: Data Discovery and PCI DSS

Why Choose ControlCase?

• Global Reach

› Serving more than 400 clients in 40 countries and rapidly growing

• Certified Resources

› PCI DSS Qualified Security Assessor (QSA)

› QSA for Point-to-Point Encryption (QSA P2PE)

› Certified ASV vendor

Page 23: Data Discovery and PCI DSS

To Learn More About PCI Compliance or Data Discovery…

• Visit www.controlcase.com

• Call +1 703 483 6383 (North America)

• Call +57 1 678 3716 (South America)

• Call +44 1276 686 048 (Europe)

• Call +971 4440 5958 (Middle East & Africa)

• Call +91 982 029 3399 (Asia Pacific)

• Kishor Vaswani (CEO) – [email protected]

Page 24: Data Discovery and PCI DSS

Thank You for Your Time
