By Mark D. Gelhardt, Sr. PCIP, C|CIO, CISM, PMP, ITIL, CC
7/22/2016
Why should you care about PCI compliance?
PCI compliance can be hard – So what are you doing to improve – year over year?
How are you using PCI to make your company more secure (not just compliant)?
Author: Mark Gelhardt, [email protected]
Credit Cards are the primary target
•2/10 were Processors
•5/10 were stolen credit cards at Retailers
Complex IT Environments
Application
•Application owners don't know their own app setup
•What servers the apps are on, what IPs
•In cloud or not
•No true asset management system
•Your company doesn’t even know its own full network
•Network not segmented well, stuff all over the place

Business Needs
•Business wants fast paced change
•New products more than they want security

Compliance changes
•Ever changing PCI compliance requirements - v3.2
•What’s next in compliance, privacy, EU Safe Harbor??
Gap item – remediation
Projects – to fix items
Budget/Money to become compliant
Monthly reviews of PCI items
Company focuses on compliance at least annually
Project Plan – Time Line
Scope - Executive Summary
Data Flow Diagrams
Third Party Service Providers
SME Meetings – several
Time
•Two weeks for iRoC
•Two weeks for QSA QA review
•Two weeks for VISA review

Scope
•Take your time to research your CDE
•Use your Data Flow diagram discussions
•Use SME interviews

Data Flow Diagrams
•SME interviews
•Research your own system/enterprise

Subject Matter Experts
•SME prep-interviews – prior to assessment
•SME Data Flow interviews
•Sit in on QSA assessment with SME
•Planning: Project Plan – prior planning works
•Monthly: Do PCI stuff monthly – don’t wait until the annual assessment
•SMEs: Get the SMEs involved early and often
•Teamwork: You can’t do it all yourself – use the networking team, apps team, SMEs
•Security: PCI compliance isn’t security – but it can sure help improve your systems
•Get out of your Box: Help your company – get out of your box – do more than compliance