7/31/2019 PCI Case Studies of Using GAIT for Business and IT Risk (GAIT-R) to Scope PCI Compliance
CASE STUDIES OF USING
GAIT FOR BUSINESS AND IT RISK
TO SCOPE PCI COMPLIANCE
ADVANCED TECHNOLOGY COMMITTEE
Case Studies of Using GAIT-R to Scope PCI Compliance
Case Studies of Using GAIT for Business and IT Risk (GAIT-R)
to Scope PCI Compliance

Authors:
Christine Bellino, Jefferson Wells
Christine Chaney, Continental Airlines
Gary Eymer, Marathon Oil Corporation
Eric Hannagan, Jefferson Wells
Gene Kim, Tripwire, Inc.
Norman Marks, SAP
Dave Myerson, Nike, Inc.
James Reinhard, Simon Property Group, Inc.
David Williams, JCPenney

External Contributors:
Dorian Cougias, Unified Compliance Framework

The Institute of Internal Auditors, Advanced Technology Committee
Draft 12 September 16, 2008
Table of contents

I. PCI Compliance Problem Statement ........ 1
II. The GAIT-R Methodology ........ 2
   Document Structure ........ 3
III. Scenario 1: Level 3 E-Commerce Merchant ........ 4
   Background narrative for PCI compliance ........ 4
   Step 1 Identify the business objectives for which the controls are to be assessed ........ 5
   Step 2 Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved ........ 5
   Step 3 Identify the critical IT functionality relied upon, from among the key business controls ........ 6
   Step 4 Identify the computing environment where cardholder data is transmitted, stored or processed where ITGCs need to be tested ........ 6
   Step 5 Identify ITGC process risks and related control objectives ........ 6
      Functionality 1 SSL libraries and HTTPS server provide encryption of data from the customer online form ........ 7
      Functionality 2 SSL libraries encrypt cardholder data transmitted to the processor ........ 8
      Functionality 3 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored ........ 8
      Functionality 4 Needed cardholder data is stored securely and securely deleted ........ 9
   Step 6 Identify the key ITGCs to test that address identified risk and related control objectives ........ 10
      Functionality 1 SSL libraries and HTTPS server provide encryption of data from the customer online form ........ 11
   Step 7 Perform a reasonable person holistic review of all key controls ........ 11
   Step 8 Determine the scope of the review and build an appropriate design and effectiveness testing program ........ 11
IV. Scenario 2: Level 1 Large Retailer ........ 12
   Background narrative for PCI compliance ........ 12
   Step 1 Identify the business objectives for which the controls are to be assessed ........ 14
   Step 2 Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved ........ 14
   Step 3 Identify the critical IT functionality relied upon, from among the key business controls ........ 14
   Step 4 Identify the computing environment where cardholder data is transmitted, stored or processed where ITGCs need to be tested ........ 14
   Step 5 Identify ITGC process risks and related control objectives ........ 15
      Functionality 1 SSL libraries encrypt cardholder data transmitted to the processor ........ 15
      Functionality 2 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored ........ 17
      Functionality 3 Needed cardholder data is stored securely and securely deleted ........ 18
      Functionality 4 SSL libraries encrypt cardholder data prior to transmission ........ 19
   Step 6 Identify the key ITGCs to test that address identified risk and related control objectives ........ 21
      Functionality 1 SSL libraries encrypt cardholder data transmitted to the processor ........ 21
   Step 7 Perform a reasonable person holistic review of all key controls ........ 21
   Step 8 Determine the scope of the review and build an appropriate design and effectiveness testing program ........ 21
V. Conclusion ........ 22
I. PCI Compliance Problem Statement

All organizations that accept or process payment cards of any type are subject to the Payment Card Industry Data Security Standard (PCI DSS) and other relevant contractual obligations. The stated goal of the PCI DSS is to improve the security of global payment systems by protecting consumers, merchants and banks from credit information theft and loss and subsequent fraudulent activity.

Fundamental to correctly defining the PCI environment is the ability to properly document the information flow of where payment card data enters, transits, is processed, stored, and output while it is under the organization's control.

Analysis of security breaches and forensics data supplied by Verizon Business Systems[1] showed that at least 65% of all known cardholder data breach incidents occurred on systems that were not known to have contained cardholder data. Furthermore, in those organizations, 75% did not employ proper monitoring processes that would have enabled the organization to detect and respond to the security breach.

This clearly indicates that organizations are not correctly scoping the PCI environment, nor are they properly monitoring these systems according to PCI guidelines. Until these issues are corrected, data breaches will keep occurring, even though organizations have PCI compliance programs.

We have identified two courses of action that are required to remedy this:
1. Organizations must have tools to more accurately scope what IT systems are in the PCI environment; and
2. For those IT systems in scope, organizations must systematically and consistently identify the control objectives that enable the effective prevention of, detection of, and recovery from cardholder data security breaches.

The guidance for these courses of action can be found in GAIT for Business and IT Risk (GAIT-R).

1 2008 Data Breach Investigations Report: Four Years Of Forensics Research. More Than 500 Cases. One Comprehensive Report, Verizon Business Systems
II. The GAIT-R Methodology

These two PCI compliance challenges of correct scoping and substantiation are very similar to those faced by organizations having to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX-404). These challenges led The Institute of Internal Auditors (IIA) to develop and publish the GAIT[2] Methodology in January 2007[3], which was designed to help organizations identify the IT general control process risks and related key controls that need to be included in the assessment of internal controls over financial reporting in their SOX-404 compliance efforts.

GAIT has been widely adopted by organizations, and has provided prescriptive guidance for management that is consistent with the guidance provided by the U.S. Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB).

In 2008, The IIA published GAIT-R, which extends the application of GAIT beyond financial reporting to business and IT risk, including compliance with laws and regulations and operations. GAIT-R provides a set of principles and a formal, top-down, structured reasoning approach for identifying and assessing all the controls, both IT and in the business, required to address business objectives, including those specific to the IT compliance requirements.

We believe that the GAIT-R methodology can be applied to correctly scope PCI environments where credit card processing occurs. GAIT-R is a framework that helps organizations move from a compliance checklist mentality to a holistic, top-down, and risk-based approach to all activities in the IT control environment. Similarly, GAIT-R could be applied for any other compliance objective: e.g., HIPAA, FISMA, GLBA, etc.

Ideally, GAIT-R will be used to integrate PCI compliance efforts with other regulatory requirements, such as SOX-404, HIPAA, etc., and specify when we can rely on testing done for other compliance efforts. Among the outcomes would be reduced risk, an enhanced control environment, as well as the reduction of unnecessary testing and compliance costs.

GAIT-R is based on four principles:

Principle 1: The failure of technology is only a risk that needs to be assessed, managed, and audited if it represents a risk to the business.

Principle 2: Key controls should be identified as the result of a top-down assessment of business risk, risk tolerance, and the controls (including automated controls and IT general controls) required to manage or mitigate business risk.

Principle 3: Business risks are mitigated by a combination of manual and automated key controls. In order to assess the system of internal control to manage/mitigate business risks, key automated controls need to be assessed.

Principle 4: IT general controls may be relied upon to provide assurance of the continued and proper operation of automated key controls.

Principle 4a: The IT general control (ITGC) process risks that need to be identified are those that affect critical IT functionality in significant applications and related data.

Principle 4b: The ITGC process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network.

Principle 4c: Risks in ITGC processes are mitigated by the achievement of IT control objectives, not individual controls.

2 GAIT stands for Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT).
3 The GAIT Methodology, The Institute of Internal Auditors, January 2007 (http://www.theiia.org/guidance/technology/gait/)
The GAIT-R methodology comprises eight steps:

1. Identify the business process and objectives for which the controls are to be assessed.
2. Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved.
3. Identify the critical IT functionality relied upon, from among the key business controls.
4. Identify the significant applications where ITGCs need to be tested.[4]
5. Identify ITGC process risks and related control objectives.
6. Identify the key ITGCs to test that address identified risk and related control objectives.
7. Perform a reasonable person holistic review of all key controls.
8. Determine the scope of the review and build an appropriate design and effectiveness testing program.

Document Structure

In the remainder of this document, we provide two case studies of applying GAIT-R to PCI compliance. The first is a simple e-commerce environment supporting a $100M revenue organization, and the second is a more complex retail environment, supporting a 1000 store, $10B revenue organization.

In each scenario, we walk through the GAIT-R Methodology, documenting the thought process for scoping and substantiation of IT controls.

4 For purposes of PCI compliance, this GAIT-R step is best defined as the identification of the PCI computing environment where cardholder data is transmitted, stored or processed where ITGCs need to be tested (e.g., this includes applications, databases, operating systems, network devices, and so forth).
III. Scenario 1: Level 3 E-Commerce Merchant

Background narrative for PCI compliance

Level 3 Merchant Inc. is a $50M privately held company that sells consulting services and intellectual property over an e-commerce site, in addition to its traditional off-line channels. The site is managed in-house by a three-person IT staff handling order entry and processing (e.g., the accepting and processing of credit card payments). The e-commerce site has been steadily growing for the past few years and was responsible for over $5M in revenue last year.

The site accepts approximately 100 transactions per day that are processed by one acquiring bank.

The front-end order entry application is the DolphinCart shopping cart, which is part of the e-commerce site. It is run by a Drupal Web server and the blog engine, which handles all customer encryption sessions, which depends on Secure Sockets Layer (SSL) libraries in the operating system (OS).

The front end application is located in a secure network zone (demilitarized zone or DMZ), which receives customer cardholder data, including the primary account number (PAN), expiration date, and the customer validation code (CVC or three-digit code on the back of the card). The cardholder data is then encrypted and transmitted over an SSL session to the processor (payment gateway) for authorization. An approval code is received by the application from the payment gateway.

The application performs authorization transactions in real-time (i.e., no batch jobs store cardholder data), that sends the data to the Processor to complete the transactions for that business day.

[Figure: Scenario 1 Example Diagram]
A portion of the encrypted cardholder data is stored locally in a mySQL database (located on a secure network zone on the internal network). All but the last 4 digits of the PAN are truncated by the application, which transforms the data so that it is no longer considered cardholder data. The last 4 digits, approval code, expiration date, customer name, and transaction amount are stored in the database.

The OS is Red Hat Linux. Company IT staff manages the application and the OS. The hosting company manages the networks and firewalls.

In summary, the cardholder data is stored, processed, or transmitted as follows:

- Data is stored in the mySQL database
- Data is transmitted:
  o Local network within the data center
  o Wide area network (Internet) to the credit card processor, transiting through two firewalls
  o Encryption functionality provided by the SSL libraries in the OS
- Data is processed by a processor (payment gateway)
  o Authorization is performed by the payment gateway
  o Approval is received by the application from the payment gateway
  o Settlement transactions are performed online
- Back office
  o The accounting staff has access to the acquiring bank/processor e-commerce Web site in order to perform account reconciliation. Accounting staff can access full credit card transaction information, but no prohibited cardholder data is stored.
  o Customer service has access to the database in order to perform charge backs or refunds. The customer must provide a credit card number to receive a refund.

The cardholder data environments are segmented into secure network zones, and do not transit the corporate network.[5] All transmissions carrying cardholder data are encrypted using SSL.
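The truncation described above (only the last four PAN digits, approval code, expiration date, customer name and amount reach the mySQL database; the CVV/CVC is never stored) and a detective check that no prohibited data has leaked into application or debug logs, as an added Python example that is not part of the original paper. The record field names, the Luhn-based PAN detection, and the sample authorization result and log lines are constructed for this example.

```python
"""Added example (not from the GAIT-R paper): the truncated-storage behaviour
of the e-commerce scenario, plus a detective check for prohibited data.

1. build_stored_record() keeps only what the narrative says the database
   holds (last 4 PAN digits, approval code, expiration date, customer name,
   amount) and never copies the full PAN or the CVV/CVC.
2. find_prohibited_data() scans text such as application or debug logs for
   Luhn-valid 13-19 digit PANs and labelled CVV/CVC values.

All field names and sample values are constructed for this example.
"""
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled card verification value, e.g. "cvv=123" or "CVC2: 4567".
CVV_RE = re.compile(r"\b(?:cvv|cvc|cid|cvv2|cvc2)\s*[=:]\s*\d{3,4}\b", re.I)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def last_four(pan: str) -> str:
    """Truncate a PAN to its last four digits; everything else is discarded."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[-4:]


def build_stored_record(auth: dict) -> dict:
    """Build the only record the database may hold for an approved order.

    The full PAN and any CVV/CVC the application saw during authorization
    are deliberately not copied into the result.
    """
    return {
        "pan_last4": last_four(auth["pan"]),
        "approval_code": auth["approval_code"],
        "expiry": auth["expiry"],
        "customer_name": auth["customer_name"],
        "amount": auth["amount"],
    }


def find_prohibited_data(lines):
    """Return (line_no, kind) for every line holding a PAN or a CVV/CVC."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            # Digit runs that fail Luhn (order ids, trace ids) are not PANs.
            if luhn_valid(re.sub(r"\D", "", m.group())):
                findings.append((no, "PAN"))
        if CVV_RE.search(line):
            findings.append((no, "CVV"))
    return findings


# Constructed authorization result as the application holds it in memory
# right after the payment gateway replies (the test PAN 4111... is Luhn-valid).
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "customer_name": "A. Sample",
    "amount": "49.95",
    "approval_code": "A1B2C3",
}

# Constructed log excerpt: line 2 is the kind of debug logging that would
# store prohibited data; line 3 carries a 14-digit id that is not a PAN.
SAMPLE_LOG = [
    "order=1001 pan_last4=1111 approval=A1B2C3 amount=49.95",
    "DEBUG gateway request: pan=4111111111111111 cvv=123 exp=12/27",
    "order=1002 trace_id=12345678901234 amount=10.00",
]

if __name__ == "__main__":
    print(build_stored_record(SAMPLE_AUTH))
    print(find_prohibited_data(SAMPLE_LOG))
```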
Step 1 Identify the business objectives for which the controls are to be assessed

For the purpose of this case study, we are only considering the business objectives specific to PCI DSS compliance. We recognize that there are other business objectives for this process (e.g., completeness and accuracy of the approval process), but these are omitted for clarity.

The PCI DSS compliance objective is:

Process credit card transactions securely, according to PCI DSS requirements.

Step 2 Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved

Control 1 All transmitted cardholder data from the customer is encrypted consistent with PCI standards (i.e., front-end order entry, online form)

Control 2 All cardholder data is encrypted prior to transmission to the credit card processor consistent with PCI standards (i.e., authorization and settlement process)

5 For scoping a PCI engagement, any device or network that is involved with the transmission, storage, or processing is in-scope for the PCI environment and assessment. The first step in defining the cardholder data environment (CDE) is to define how the transaction is performed to include transmission, storage, and processing of cardholder data. If a network is flat, then every device, server, workstation, etc. on the network is included in scope for the CDE.
Control 3 No prohibited cardholder data is stored (i.e., storage of CVV[6], AV2 in paper, system logs, data warehouse, etc.)

Control 4 All stored cardholder data remains secure (i.e., storage of CVV, AV2 in paper, system logs, data warehouse, etc.)

Because of the automated nature of how orders are processed, there are no manual key controls.

GAIT-R requires the identification of all controls, including entity-level controls.[7] However, PCI DSS compliance does not require the review of entity-level controls.

Step 3 Identify the critical IT functionality relied upon, from among the key business controls

Functionality 1 SSL libraries and HTTPS server provide encryption of data from the customer online form

Functionality 2 SSL libraries encrypt cardholder data transmitted to the processor

Functionality 3 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored

Functionality 4 Needed cardholder data is stored securely and securely deleted

Step 4 Identify the computing environment where cardholder data is transmitted, stored or processed where ITGCs need to be tested[8]
Functionality | The IT systems that deliver the IT functionality
Functionality 1 SSL libraries and HTTPS server provide encryption of data from the customer online form | DolphinCart application, Red Hat OS
Functionality 2 SSL libraries encrypt cardholder data transmitted to the processor | DolphinCart application, Red Hat OS
Functionality 3 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored | DolphinCart application
Functionality 4 Needed cardholder data is stored securely and securely deleted | DolphinCart application, mySQL database, Red Hat OS, Network
Step 5 Identify ITGC process risks and related control objectives

In this step, for each critical IT functionality being relied upon, we identify the risks and related control objectives for the following three areas: change/configuration, access, and operations. Questions to ask for each area are:

6 Prohibited cardholder data is defined by PCI to be any personally identifiable information (PII) associated with a cardholder: Primary Account Number (PAN) that includes expiration date, cardholder name and address, CVV (Card Verification Values) or CVC. Card track data (magnetic stripe).
7 Examples of entity-level controls include code of conduct being actively communicated, a whistleblower line that enables employees to report violations of cardholder privacy, adequacy of staffing to ensure that personnel performing PCI-related activities are trained and experienced, an understanding of current PCI compliance requirements and a mechanism that is triggered on changes, and so forth.
8 As described in the paper introduction, this is an adaptation of GAIT-R Step 4, which originally read "identify the significant applications where ITGCs need to be tested".
Q1: What must be configured? (includes code, settings, and security settings)
Q2: What access restrictions must be set? (e.g., physical, logical, separation of duty)
Q3: What must be operationally put into place? PCI specifically refers to the following:
- Planned activities such as secure backups, vulnerability management and patching, review of logs, and security awareness training
- Unplanned activities such as exception handling, incident/problem management, security incident handling

Functionality 1 SSL libraries and HTTPS server provide encryption of data from the customer online form

The table below lists only the ITGC risks that have been identified that jeopardize the functionality.
Change/configuration risks | ITGC control objectives

Risk: Untested or unauthorized change results in cardholder data exposure (e.g., encryption, access controls, configurable settings)
- Application: Untested or unauthorized SSL functionality via the .htaccess file could be disabled in the application, resulting in cardholder data exposure
- Database: n/a. There is no database for the front-end order entry systems
- OS: SSL functionality could be disabled in the OS libraries, resulting in cardholder data exposure (patch creates vulnerability)
- Network: n/a. No encryption functionality resides in the network, as all encryption is done end-to-end
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
- Application: yes; Database: no; OS: yes; Network: no

Access risks | ITGC control objectives

Risk: Unauthorized access to front-end order entry systems results in cardholder data exposure. For example, unauthorized access to accounts is gained that access cardholder data or decryption keys (e.g., administrative accounts, order entry accounts, etc.)
- Application: Unauthorized use of administrative, order entry, and service accounts results in cardholder data exposure
- Database: n/a. There is no database for the front-end order entry systems
- OS: Unauthorized use of administrative accounts results in cardholder data exposure
- Network: n/a. Unauthorized access to firewalls/networks is unlikely to cause exposure to cardholder data (i.e., all data is encrypted)
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately
- Application: yes; Database: no; OS: yes; Network: no; Physical data center access: no (Level 3 Merchant Inc. is not responsible, but their hosting provider will have to show that they restrict access to authorized personnel)
- Physical data center access: Servers are in a third-party data center (which must ensure that unauthorized physical access to servers/networks that could result in exposure of cardholder data is controlled)

Operational risks | ITGC control objectives

Risk: Application and OS vulnerabilities could be exploited, resulting in cardholder data exposure
- Application: New vulnerabilities could result in cardholder data exposure
- Database: n/a. There is no database
- OS: New vulnerabilities could result in cardholder data exposure
- Network: Network vulnerabilities are unlikely to result in cardholder data exposure
Exposure to cardholder data is unlikely to occur due to failures in logging, unless someone makes a change that disables encryption.
Control objective: Vulnerability assessments are conducted periodically to prevent exposure of cardholder data
- Application: yes; Database: no; OS: yes; Network: no
Functionality 2 SSL libraries encrypt cardholder data transmitted to the processor

This functionality resides in the authorization and settlement process. The processor transmission risks are similar to the customer transmission risks, shown in Functionality 1.

Functionality 3 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored

This functionality resides in the back-end processes, such as customer support and accounting, but we have already verified that no prohibited cardholder information resides in the front-end systems.

Change/configuration risks | ITGC control objectives

Risk: Code or configuration changes (e.g., configuration change, turning on debug logging) could result in prohibited cardholder information being stored
Change/configuration risks:
- Application: Code or configuration settings are changed causing storage of prohibited information
- Database: Code or configuration settings are changed causing storage of prohibited information
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
- Application: yes; Database: yes; OS: no; Network: no
- OS: n/a. No change at the OS layer is likely to cause storage of prohibited data
- Network: n/a. No change at the network layer is likely to cause storage of prohibited data

Access risks | ITGC control objectives

Risk: Because we've already established and verified that no prohibited data is being stored in the front-end or back-end systems, unauthorized access to these systems is unlikely to result in storage of prohibited cardholder data (i.e., there must first be a change)[9]
- Application: n/a; Database: n/a; OS: n/a; Network: n/a
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately
- Application: no; Database: no; OS: no; Network: no

Operational risks | ITGC control objectives

Risk: There is no offline mode that could cause storage of prohibited data. Failures in operational procedures, such as vulnerability management and secure logging, are also unlikely to cause storage of prohibited data
Operational risks:
- Application: n/a; Database: n/a; OS: n/a; Network: n/a
Control objective: n/a
- Application: no; Database: no; OS: no; Network: no
Functionality 4 Needed cardholder data is stored securely and securely deleted

This functionality resides in the back-end processes, such as customer support and accounting (i.e., we have already verified that no prohibited cardholder information resides in the front-end systems).

Change/configuration risks | ITGC control objectives

Risk: In this scenario, there is no stored prohibited cardholder data (i.e., all but last 4 digits of PAN have been truncated)
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:

9 Access risks will be the same for Functionality 3 and Functionality 4
Change/configuration risks:
- Application: Code or configuration settings are changed, causing storage of prohibited data
- Database: n/a. Functionality to truncate PAN resides in the application, not the database
- OS: n/a. Changes to the OS are unlikely to result in storage of cardholder data
- Network: n/a. Changes to the OS are unlikely to result in storage of cardholder data
Control objective:
- Application: yes; Database: no; OS: no; Network: no

Access risks | ITGC control objectives

Risk: Because we're truncating the PAN, there is no cardholder data being stored. Therefore, unauthorized access to these systems will not expose cardholder data (there must first be an unauthorized change)[10]
Restricted access risks (provisioning, ongoing monitoring, secure the backdoor):
- Application: n/a; Database: n/a; OS: n/a; Network: n/a
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately
- Application: no; Database: no; OS: no; Network: no

Operational risks | ITGC control objectives

Risk: There is no offline mode that could cause storage of cardholder data. Failures in operational procedures, such as vulnerability management and secure logging, are also unlikely to cause storage of prohibited cardholder data
Operational risks:
- Application: n/a; Database: n/a; OS: n/a; Network: n/a
Control objective: None
- Application: no; Database: no; OS: no; Network: no
Step 6 Identify the key ITGCs to test that address identified risk and related control objectives

Step 6 is left as an exercise for the adopter of this methodology. As an example, we show the ITGCs in support of Functionality 1 for change management.

10 Access risks will be the same for Functionality 3 and Functionality 4
Functionality 1 SSL libraries and HTTPS server provide encryption of data from the customer online form

ITGC objectives | ITGC controls

Objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
- Application: yes; Database: no; OS: yes; Network: no
Controls:
- All changes to the application and OS are recorded on a change form and approved by management
- All authorized changes are tested prior to implementation
- A separate IT environment for production and non-production is maintained
- A periodic review is performed to ensure that undocumented changes are investigated
- and so forth
Step 7 Perform a reasonable person holistic review of all key controls

Step seven is intended for the adopter to perform a reasonable person review of the risks, control objectives, and the controls identified as a result of applying this methodology. It is intended that the review includes a look at the overall PCI DSS compliance risk of the company to evaluate for the possibility that a key risk was overlooked. Evaluating any prior risk and control review reports may be included as a part of this assessment.

At this point, we have identified 1) the critical IT functionality and 2) where we have reliance on ITGCs.

They are as follows:

Summary GAIT Matrix for combined Functionalities 1-4:

Layer | Change/Configuration | Operations | Security/Logical Access
Application | Yes | Yes | Yes
Database | Yes | | 
Operating system | Yes | Yes | Yes
Network/infrastructure | | | 

Step 8 Determine the scope of the review and build an appropriate design and effectiveness testing program

This is left as an exercise for the GAIT-R adopter following the organization's testing methodologies and format.
IV. Scenario 2: Level 1 Large Retailer

Background narrative for PCI compliance

Large Level 1 Inc. is a publicly traded, medium-sized grocery chain that reported $10B in revenue last year. The company processes over 6,000,000 transactions per year and as a result is a Level 1 merchant.

As such, it has to comply with the following PCI requirements as of September 30, 2004:
  An annual on-site security audit validated by an independent security assessor or internal audit if signed by an officer of the company.
  Quarterly network scans completed by a qualified independent scan vendor.

The company has 1000 stores, with approximately 20 point of sale (POS) systems/devices at each location. The retail stores are the only channel to the consumer (i.e., no e-commerce operations).

The store's POS setup consists of a combination of scanned check-out and self-service counters. The POS systems and devices are connected to an on-site back-end server which collects credit card data. Each store has about five servers, which are all connected to the corporate authorization servers via leased lines and satellite, where card authorization and settlement are performed.

All data transferred from the stores to corporate servers are encrypted. The corporate authorization server transmits the encrypted credit card information to the bank for authorization. Authorization from the bank is returned encrypted to the corporate authorization server and then forwarded on to the specific store server for execution. Once authorization has been confirmed, the POS system and store server delete all prohibited data. Credit card numbers and consumer names are encrypted and retained for seven days on the store server for processing refunds.

In the event of system or network failures, transactions can be processed offline, including manually, where signed physical imprints are manually inputted into the system. Once entered into the system, the signed receipt is retained, and the physical imprint is securely shredded.

There is a small wireless network in each store which connects handheld inventory counting tools to the POS system. The in-store systems are supported by one technical person on site. All system changes, enhancements, or fixes are managed by the corporate IT staff at HQ.

The POS systems are commercially supported and have been validated as PCI-compliant. This is a card-present environment. At each POS station, consumers will either swipe their credit card and their signature is scanned electronically, or the consumer will sign a carbon paper imprint.

In online authorization mode: All cardholder data is sent from the POS station to the store servers, where non-prohibited cardholder data is stored (to support refunds). Cardholder data is sent to the corporate back-end systems where authorization and settlement are performed, and cardholder data is stored for seven days (to support refunds and sales reconciliation).

In offline authorization mode (e.g., store or company loses connectivity to processor): All cardholder data is sent from the POS station to the store servers. They then get an approval code from the back-office system, and store servers will store cardholder data (including the full PAN, which is encrypted by the in-store servers) until either authorization is obtained or 24 hours elapses, at which point the cardholder data is securely purged.
In manual mode (e.g., store systems are down): All consumer transactions are done manually, generating physical imprints. Then store personnel will manually enter the transactions when the store systems are back up again.

[Scenario 2 Example Diagram: store systems with a leased line connection to corporate]

POS systems:
  Vendor supported application. Windows CE systems. No local storage, except for configuration settings and memory.

Store servers:
  Active Directory domain controller (primary and secondary). POS application. Microsoft SQL Server database. Microsoft Windows 2003. Routers and VPN connected to leased line to corporate systems. Wireless LAN supporting wireless scanners for inventory.
  Wireless LAN resides on the same network as the store systems, to support connectivity to the inventory management systems.
  Store servers are physically secure, to prevent someone from physically stealing the systems and data.
Step 1 Identify the business objectives for which the controls are to be assessed

For the purpose of this case study, we are only considering the business objectives specific to PCI DSS compliance. We recognize that there are other business objectives for this process (e.g., completeness and accuracy of the approval process), but these are omitted for clarity.

The PCI DSS compliance objective is: Process credit card transactions securely, according to PCI DSS requirements.

Step 2 Identify the key business controls required to provide reasonable assurance that the business objectives will be achieved

Control 1 All cardholder data is encrypted prior to transmission to the credit card processor consistent with PCI standards (i.e., authorization and settlement process)
Control 2 No prohibited cardholder data is stored (i.e., storage of CVV, AV2 in paper, system logs, data warehouse, etc.)
Control 3 All stored cardholder data remains secure (i.e., storage of CVV, AV2 in paper, system logs, data warehouse, etc.)
Control 4 All cardholder data transmitted between company systems are encrypted consistent with PCI standards (i.e., between store systems and to the corporate servers)

The presence of an offline transaction mode and physical imprints requires manual controls (e.g., required offline mode procedures, batch controls such as closeout, secure physical storage, training to protect physical imprints, etc.).

GAIT-R requires the identification of all controls, including entity-level controls, such as a regional store manager doing daily inspections that physical imprints are protected. However, PCI DSS compliance does not require the review of entity-level controls.

Step 3 Identify the critical IT functionality relied upon, from among the key business controls

Functionality 1 SSL libraries encrypt cardholder data transmitted to the processor
Functionality 2 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored
Functionality 3 Needed cardholder data is stored securely and securely deleted
Functionality 4 SSL libraries encrypt cardholder data prior to transmission
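The data-handling rules behind Functionalities 2 and 3, combined with the retention limits from the background narrative (full PAN held encrypted on the store server for at most 24 hours in offline mode; settled records kept seven days for refunds; CVV/CVC never stored), modelled as a small Python store-server simulation. This is an added example, not code from the case study or from the merchant's POS vendor; the class and function names, the SHA-256 counter-mode stand-in cipher (a placeholder for the application's unspecified encryption), the timestamps and the test PAN are all constructed for illustration. The `full_pan_present` method is the kind of check an assessor would run against Control 2: it scans everything the server persists for the full PAN in clear text.

```python
# Added example, not from the case study or its POS vendor; names and values are constructed.
import hashlib
import os
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta

OFFLINE_MAX_AGE = timedelta(hours=24)  # offline-mode records are purged at 24 hours
REFUND_RETENTION = timedelta(days=7)   # settled records are kept seven days for refunds

def truncate_pan(pan: str) -> str:
    """Keep only the last four digits of the PAN and mask the rest with 'X'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    return "X" * (len(digits) - 4) + digits[-4:]

class StandInCipher:
    """SHA-256 counter-mode keystream under a random nonce: a labelled stand-in for the
    POS application's unspecified encryption (unauthenticated, not for production use)."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # One hash block per 32 bytes of plaintext; ample for PAN-sized inputs (up to 8 KiB).
        blocks = (hashlib.sha256(self._key + nonce + bytes([i])).digest() for i in range(length // 32 + 1))
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        return nonce + bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))

    def decrypt(self, blob: bytes) -> bytes:
        nonce, body = blob[:16], blob[16:]
        return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))

@dataclass
class PendingAuth:  # offline mode: full PAN, encrypted, awaiting an approval code
    encrypted_pan: bytes
    name: str
    created: datetime

@dataclass
class SettledRecord:  # after authorization: truncated PAN only, kept for refunds
    masked_pan: str
    name: str
    created: datetime

@dataclass
class StoreServer:
    cipher: StandInCipher
    pending: list = field(default_factory=list)
    settled: list = field(default_factory=list)

    def capture(self, pan: str, cvv: str, name: str, now: datetime, online: bool = True) -> None:
        # The CVV belongs only in the authorization request: dropped here, never persisted.
        del cvv
        if online:
            self.settled.append(SettledRecord(truncate_pan(pan), name, now))
        else:
            self.pending.append(PendingAuth(self.cipher.encrypt(pan.encode()), name, now))

    def authorize_pending(self, now: datetime) -> int:
        """Connectivity restored: decrypt each queued PAN for the authorization request,
        keep only its truncated form, and return the number settled."""
        for item in self.pending:
            pan = self.cipher.decrypt(item.encrypted_pan).decode()
            self.settled.append(SettledRecord(truncate_pan(pan), item.name, now))
        count, self.pending = len(self.pending), []
        return count

    def purge(self, now: datetime) -> tuple:
        """Drop offline records at 24 hours and settled records at seven days; returns counts."""
        keep_pending = [p for p in self.pending if now - p.created < OFFLINE_MAX_AGE]
        keep_settled = [s for s in self.settled if now - s.created < REFUND_RETENTION]
        purged = (len(self.pending) - len(keep_pending), len(self.settled) - len(keep_settled))
        self.pending, self.settled = keep_pending, keep_settled
        return purged

    def full_pan_present(self, pan: str) -> bool:
        """Control 2 test: scan every persisted field for the full PAN in clear text."""
        needle = "".join(ch for ch in pan if ch.isdigit()).encode()
        return any(needle in (v if isinstance(v, bytes) else str(v).encode())
                   for r in (*self.pending, *self.settled) for v in asdict(r).values())

def demo() -> dict:
    """Walk one store server through online capture, offline capture, reconnection and
    purge, using a constructed timestamp and a constructed test PAN."""
    t0, pan, cvv = datetime(2008, 9, 16, 9, 0), "4111111111111111", "123"
    srv = StoreServer(StandInCipher(b"constructed-demo-key"))
    srv.capture(pan, cvv, "A. Shopper", t0)
    srv.capture(pan, cvv, "B. Shopper", t0, online=False)
    out = {"masked": srv.settled[0].masked_pan,
           "full_pan_after_capture": srv.full_pan_present(pan),
           "purge_23h": srv.purge(t0 + timedelta(hours=23)),
           "purge_25h": srv.purge(t0 + timedelta(hours=25))}
    srv.capture(pan, cvv, "C. Shopper", t0 + timedelta(hours=25), online=False)
    out["settled_on_reconnect"] = srv.authorize_pending(t0 + timedelta(hours=26))
    out["pending_left"] = len(srv.pending)
    out["purge_9d"] = srv.purge(t0 + timedelta(days=9))
    return out
```

The split into two record types is the design point: the CVV has no field to land in, and the full PAN exists only inside the offline queue, encrypted, with a 24-hour purge, which is exactly the change/configuration risk the Step 5 tables below worry about (a code or debug-logging change that writes prohibited data somewhere the purge does not reach). A real store server would use the POS vendor's validated encryption in place of the stand-in cipher.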
Step 4 Identify the computing environment where cardholder data is transmitted, stored or processed where ITGCs need to be tested (note 11)

Functionality / The IT systems that deliver the IT functionality

Functionality 1 SSL libraries encrypt cardholder data transmitted to the processor
  Store servers: Front-end POS application; Windows 2003 OS
  Corporate servers: Back-end POS application; Windows 2003 OS

Note 11: As described in the paper introduction, this is an adaptation of GAIT-R Step 4, which originally read "identify the significant applications where ITGCs need to be tested."
Functionality 2 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored
  Store servers: POS application; Windows 2003 OS

Functionality 3 Needed cardholder data is stored securely and securely deleted
  Store servers: POS application; SQL Server database; Windows 2003 OS
  Corporate servers: Back-end POS application; Windows 2003 OS; Network

Functionality 4 SSL libraries encrypt cardholder data prior to transmission
  Store servers: Front-end POS application; Windows 2003 OS
  Corporate servers: Back-end POS application; Windows 2003 OS

Step 5 Identify ITGC process risks and related control objectives

In this step, for each critical IT functionality being relied upon, we identify the risks and related control objectives for the following three areas: change/configuration, access, and operations. Questions to ask for each are:
  Q1: What must be configured? (includes code, settings, and security settings)
  Q2: What access restrictions must be set? (e.g., physical, logical, separation of duty)
  Q3: What must be operationally put into place? PCI specifically refers to the following:
    Planned activities such as secure backups, vulnerability management and patching, review of logs, and security awareness training.
    Unplanned activities such as exception handling, incident/problem management, security incident handling.

Functionality 1 SSL libraries encrypt cardholder data transmitted to the processor

For this step, we are only considering the front-end order entry system and the corporate back-end servers. This will bring into scope the within-store traffic (where encryption is provided by the application or OS) and traffic to the corporate servers (where encryption is provided by the VPN network).

Change/configuration risks / ITGC control objectives
Risk: Untested or unauthorized change results in cardholder data exposure (e.g., encryption, access controls, configurable settings).
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
Risk by layer:
  Application: Code or configuration changes to the POS application could disable encryption, resulting in cardholder data exposure.
  Database: n/a. There is no database for the front-end order entry systems.
  OS: SSL functionality could be disabled in the OS libraries, resulting in cardholder data exposure.
  Network: VPN provides end-to-end encryption, and could be disabled to disable encryption.
Control objective applies: Application: yes; Database: no; OS: yes; Network: yes

Access risks / ITGC control objectives
Risk: Unauthorized access to systems is unlikely to result in unencrypted cardholder data being exposed (unless there is a change).
Risk by layer:
  Application: n/a
  Database: n/a
  OS: n/a
  Network: n/a. Unauthorized access to firewalls/networks is unlikely to cause exposure to cardholder data.
  Physical data center access: n/a
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately.
Control objective applies: Application: no; Database: no; OS: no; Network: no

Operational risks / ITGC control objectives
Risk: Application and OS vulnerabilities could result in cardholder data exposure.
Risk by layer:
  Application: New vulnerabilities could result in cardholder data exposure.
  Database: n/a. There is no database.
  OS: New vulnerabilities could result in cardholder data exposure.
  Network: Because data is encrypted before transmission, even new vulnerabilities to the corporate VPN is unlikely to result in cardholder data exposure.
Risk: Exposure to cardholder data is unlikely to occur due to failures in logging, unless someone makes a change that disables encryption.
Control objective: Vulnerability assessments are conducted periodically to prevent exposure of cardholder data.
Control objective applies: Application: yes; Database: no; OS: yes; Network: no
Functionality 2 All but the last four digits of the PAN are truncated prior to storage and the CVV/CVC is never stored

This functionality primarily resides in the store servers, which ensure that cardholder data is purged after credit card authorization. Corporate servers receive information with no prohibited cardholder information.

Change/configuration risks / ITGC control objectives
Risk: Encrypted PAN data can be stored for up to 24 hours in offline settlement mode, all encrypted by the application. The risk is that a change in the application disables encryption or enables logging of prohibited information.
Change/configuration risks by layer:
  Application: Code or configuration settings are changed that disable encryption.
  Database: n/a. Functionality to truncate PAN resides in the application, not the database.
  OS: n/a. Changes to the OS are unlikely to result in storage of cardholder data.
  Network: n/a. Changes to the OS are unlikely to result in storage of cardholder data.
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
Control objective applies: Application: yes; Database: no; OS: no; Network: no

Access risks / ITGC control objectives
Risk: Unauthorized access risks in the following areas could expose cardholder data:
  Application: Application access could expose encrypted information.
  Database: n/a
  OS: n/a
  Network: n/a
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately.
Control objective applies: Application: yes; Database: no; OS: no; Network: no

Operational risks / ITGC control objectives
Risk: Backups of the store servers that contain encrypted cardholder data could be stolen or copied, but is unlikely to result in exposure of cardholder data (note 12).
Control objective: Cardholder data is backed up.
Risk: There are no other operational procedures where failures are likely to cause storage of cardholder data (e.g., vulnerability management, secure logging).
Control objective applies: Application: no; Database: no; OS: no; Network: no; Physical: Data center is locked (storage closet is locked) to protect encryption key.
Operational risks by layer:
  Application: n/a; Database: n/a; OS: n/a; Network: n/a; Physical: n/a (Physical tapes may be stolen, but encryption makes it unlikely to result in cardholder data exposure).

Note 12: If backup tapes are stolen, card issuers may define this as a breach and require an investigation. However, this is different than a data compromise or data loss, which is the risk that was evaluated in this example.
Functionality 3 Needed cardholder data is stored securely and securely deleted

This functionality resides in the back-end processes, such as data warehouse (i.e., we have already verified that no prohibited cardholder information resides in the front-end systems).

There are two areas that we want to inspect: the in-store servers (which purge prohibited information) and the corporate servers (which receive information from the store servers). In other words, the corporate server receives information with no prohibited cardholder information.

The high risk area we identify is:
  Store server is not correctly purging prohibited data after credit card authorization (due to a code change, or debugging being turned on).
  Store servers purge prohibited data, but still contain cardholder names and primary account number (PAN) for seven days. If this information is compromised, then this constitutes a PCI breach.

Change/configuration risks / ITGC control objectives
Risk: Code or configuration changes (e.g., configuration change, turning on debug logging) to the store servers could result in prohibited cardholder information being stored.
Change/configuration risks by layer:
  Application: Code or configuration settings are changed, causing storage of prohibited information.
  Database: Code or configuration settings are changed, causing storage of prohibited information.
  OS: n/a. No change at the OS layer is likely to cause storage of prohibited data.
  Network: n/a. No change at the network layer is likely to cause storage of prohibited data.
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
Control objective applies: Application: yes; Database: yes; OS: no; Network: no (Changes to the application and database will reside in the HQ change control and SDLC processes which authorize and schedule changes to store servers).
Access risks / ITGC control objectives
Risk: Because we've already established and verified that no prohibited cardholder data is being stored in the store servers for 24 hours, unauthorized access to these systems is unlikely to expose prohibited cardholder data (there must first be an unauthorized change).
Because we are using a PCI-validated application, the cardholder names and PAN are encrypted by the application. The risk of disclosure of data is low, even if there is physical theft of the store server, or the data is copied, because the physical decryption key is required.
Risk by layer:
  Application: Because the application can decrypt prohibited cardholder data (with the appropriate account and presence of the physical key), unauthorized access to the application can result in exposed cardholder data (e.g., running report, executing code, etc.).
  Database: n/a
  OS: n/a
  Network: n/a
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately.
Control objective applies: Application: yes; Database: no; OS: no; Network: no

Operational risks / ITGC control objectives
Risk: There is an offline mode that requires storage of encrypted PAN for 24 hours. Failure in operational procedures, such as vulnerability management and secure logging, are also unlikely to cause storage of prohibited data.
Operational risks by layer: Application: n/a; Database: n/a; OS: n/a; Network: n/a
Control objective: None
Control objective applies: Application: n/a; Database: n/a; OS: n/a; Network: n/a

Functionality 4 SSL libraries encrypt cardholder data prior to transmission

For this step, we consider all transmission of cardholder data, not just to the payment processor.

Change/configuration risks / ITGC controls
Risk: Untested or unauthorized change results in cardholder data exposure (e.g., encryption, access controls, configurable settings).
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
Risk by layer:
  Application: SSL functionality could be disabled in the application, resulting in cardholder data exposure.
  Database: n/a. There is no database for the front-end order entry systems.
  OS: SSL functionality could be disabled in the OS libraries, resulting in cardholder data exposure.
  Network: n/a. No encryption functionality resides in the network, as all encryption is done end-to-end.
Control objective applies: Application: yes; Database: no; OS: yes; Network: no

Access risks / ITGC controls
Risk: Unauthorized access to front-end order entry systems results in cardholder data exposure. For example, unauthorized access to accounts is gained that access cardholder data or decryption keys (e.g., administrative accounts, order entry accounts, etc.).
Risk by layer:
  Application: Unauthorized use of administrative accounts results in cardholder data exposure.
  Database: n/a. There is no database for the front-end order entry systems.
  OS: Unauthorized use of administrative accounts results in cardholder data exposure.
  Network: n/a. Unauthorized access to firewalls/networks is unlikely to cause exposure to cardholder data.
  Physical data center access: Unauthorized physical access to servers/networks could result in exposure of cardholder data.
Control objective: All created accounts are authorized, existing accounts are owned by authorized personnel, and revoked appropriately.
Control objective applies: Application: yes; Database: no; OS: yes; Network: no; Physical: yes

Operational risks / ITGC controls
Risk: Application and OS vulnerabilities could result in cardholder data exposure.
Risk by layer:
  Application: New vulnerabilities could result in cardholder data exposure.
  Database: n/a. There is no database.
  OS: New vulnerabilities could result in cardholder data exposure.
  Network: no
Risk: Exposure to cardholder data is unlikely to occur due to logging, unless someone makes a change that disables encryption.
Control objective: Vulnerability assessments are conducted periodically to prevent exposure of cardholder data.
Control objective applies: Application: yes; Database: no; OS: yes; Network: no
Step 6 Identify the key ITGCs to test that address identified risk and related control objectives

Step 6 is left as an exercise for the adopter of this methodology. As an example, we show the ITGCs in support of Functionality 1 for change management.

Functionality 1 SSL libraries encrypt cardholder data transmitted to the processor

ITGC control objectives / ITGC controls
Control objective: Changes are implemented following a change management process that identifies unauthorized or untested changes that are deployed into production:
  Application: yes; Database: no; OS: yes; Network: no
ITGC controls:
  All changes to the application and OS are recorded on a change form and approved by management.
  All authorized changes are tested prior to implementation.
  A separate IT environment for production and non-production is maintained.
  A periodic review is performed to ensure that undocumented changes are investigated, and so forth.

Step 7 Perform a reasonable person holistic review of all key controls

Step seven is intended for the adopter to perform a reasonable person review of the risks, control objectives, and the controls identified as a result of applying this methodology. It is intended that the review includes a look at the overall PCI DSS compliance risk of the company to evaluate for the possibility that a key risk was overlooked. Evaluating any prior risk and control review reports may be included as a part of this assessment.

At this point, we have identified 1) the critical IT functionality and 2) where we have reliance on ITGCs. They are as follows:

Summary GAIT Matrix for combined Functionalities 1-4 (columns: Change/Configuration, Operations, Security/Logical Access):
  Application: Yes, Yes, Yes
  Database: Yes (Change/Configuration)
  Operating system: Yes, Yes, Yes
  Network/infrastructure: Yes (Change/Configuration)

Step 8 Determine the scope of the review and build an appropriate design and effectiveness testing program

This is left as an exercise for the GAIT-R adopter following the organization's testing methodologies and format.
V. Conclusion

As evidenced in the results of applying GAIT-R to the two scenarios in this case study, the methodology works well for identifying the appropriate compliance requirements regardless of an organization's size or complexity. Applying a standard methodology to scoping PCI compliance will assist the auditor and those responsible for PCI compliance to focus on what is truly important to meeting the compliance objectives and minimizing risk to the organization.