Systems Providing Security Services
Systems providing security services as required by PCI DSS, or that may be
contributing to how an entity meets PCI DSS requirements may include:
-Authentication servers (e.g. LDAP)
-Time management (e.g. NTP) servers
-Patch deployment servers
-Audit log storage and correlation servers
-Anti-virus management servers
-Routers and firewalls filtering network traffic
-Systems performing cryptographic and/or key management functions
-Systems controlling and/or monitoring physical access
PCI DSS scope includes:
-People
-Processes
-Technology
Scoping: People
Examples of roles that may be included in scope of assessment:
-Cashiers and sales clerks
-Back-office clerks
-Call center operators
-Systems and network administrators
-IT support personnel
-Application developers
-Key custodians
-Human resources
-Information security officers
-Physical security officers
-Customer support
-Accounting/finance personnel
-Supervisors/managers for each area
-Senior management and executives
Scoping: Processes
Examples of processes related to payment processing:
-Regular payment processing channels
-Payment cancellations and chargebacks
-Back-up and fail-over processes
-Reconciliation, periodic reporting
-Distribution and storage of paper reports and other physical media
-Legacy processes and data stores
-Onboarding processes for new personnel
Examples of supporting processes:
-Authorizations and approvals for system access
-Firewall review processes
-Change management
-Scheduling of security patch deployments
-System building and configuration
-Identifying and escorting visitors
-Performing log reviews
-Processes for reporting potential security incidents
-Security policy updates
Scoping: Technology
Examples of types of technologies:
-Servers, applications, networks, devices
-Physical security systems
-Logical security systems
-Payment terminals and point of sale systems
-Electronic communications
-Backups and disaster recovery "hot" sites
-Telecommunications: POTS vs. VoIP
-Management systems
-Remote access systems
Sampling
Sampling is an option for assessors to facilitate the assessment process.
- Sampling is NOT used to implement PCI DSS requirements or to select
requirements to be assessed
Principles of sampling:
- Sample must be representative of the entire population
- Consider business facilities and system components
- Samples of system components must include all combinations
- Samples must be large enough to provide assurance that controls are implemented as
expected
- Assessor's sampling methodology documented in ROC
Planning for the Assessment
Pre-assessment planning may include:
-List of interviewees, system components, documentation, facilities
-Ensure assessor is familiar with technologies included in assessment
-If sampling, verify sample selection and size is representative of the entire population
-Identify the roles and the individuals within each role to be interviewed as part of the
assessment
Sampling Scenario
What to consider?
-What are the different OS/database combinations at each facility?
-Is each OS/database combination used for the same purpose?
-Is each OS/database combination configured the same way?
-If they are configured the same way, how is this verified?
-Do the different locations follow one single set of operational and security procedures,
or do they each have their own?
-If they follow the same procedures, how is this verified?
-Which facilities/components were reviewed in the previous assessment?
Sampling is not just about technology
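The sampling principles above (representative sample, every OS/database combination covered, configuration verified as uniform before one member is allowed to stand for the rest) can be worked through on a small inventory. The following is an added Python example written for this page; it is not part of the PCI SSC training material, and the facilities, hostnames, purposes and config fingerprints in it are constructed sample data. The "config_hash" field is assumed to be whatever fingerprint the entity can produce for a component's applied baseline (for example a hash of its hardening-check output); the example only compares those values, it does not compute them.

```python
# Added example (not from the PCI DSS training material): helper functions an
# assessor could use to reason about sample selection over a system inventory.
# Every facility, hostname and config_hash below is made-up sample data.
from collections import defaultdict

# Constructed inventory: one record per in-scope system component.
# "config_hash" stands in for a fingerprint of the applied hardening baseline
# (assumed to come from the entity's own configuration tooling).
INVENTORY = [
    {"host": "web-a1", "facility": "A", "os": "RHEL 8",  "db": "-",          "purpose": "web",           "config_hash": "h1"},
    {"host": "web-a2", "facility": "A", "os": "RHEL 8",  "db": "-",          "purpose": "web",           "config_hash": "h1"},
    {"host": "db-a1",  "facility": "A", "os": "RHEL 8",  "db": "PostgreSQL", "purpose": "cardholder db", "config_hash": "h2"},
    {"host": "pos-b1", "facility": "B", "os": "Windows", "db": "SQL Server", "purpose": "pos",           "config_hash": "h3"},
    {"host": "pos-b2", "facility": "B", "os": "Windows", "db": "SQL Server", "purpose": "pos",           "config_hash": "h3"},
    {"host": "pos-b3", "facility": "B", "os": "Windows", "db": "SQL Server", "purpose": "pos",           "config_hash": "h9"},  # drifted baseline
    {"host": "web-b1", "facility": "B", "os": "RHEL 8",  "db": "-",          "purpose": "web",           "config_hash": "h1"},
]


def stratum(component):
    """A sampling stratum is one facility / OS / database / purpose combination."""
    return (component["facility"], component["os"], component["db"], component["purpose"])


def strata(inventory):
    """Group components by stratum so every combination is visible before sampling."""
    groups = defaultdict(list)
    for component in inventory:
        groups[stratum(component)].append(component)
    return groups


def config_drift(inventory):
    """Strata whose members do not share a single config fingerprint.

    Such a group cannot be treated as 'configured the same way', so testing one
    member gives no assurance about the others in that group.
    """
    drifted = {}
    for key, members in strata(inventory).items():
        fingerprints = sorted({c["config_hash"] for c in members})
        if len(fingerprints) > 1:
            drifted[key] = fingerprints
    return drifted


def select_sample(inventory, per_stratum=1):
    """Pick components so that every stratum is represented.

    Strata that show configuration drift are included in full, because no
    single member can be called representative of that group.
    """
    drifted = config_drift(inventory)
    sample = []
    for key, members in sorted(strata(inventory).items()):
        ordered = sorted(members, key=lambda c: c["host"])
        sample.extend(ordered if key in drifted else ordered[:per_stratum])
    return sample


def covers_all_combinations(sample, inventory):
    """True when the sample touches every facility/OS/database/purpose combination."""
    return {stratum(c) for c in sample} == set(strata(inventory))


if __name__ == "__main__":
    chosen = select_sample(INVENTORY)
    print("strata:", len(strata(INVENTORY)))
    print("drift:", config_drift(INVENTORY))
    print("sample:", [c["host"] for c in chosen])
    print("covers all combinations:", covers_all_combinations(chosen, INVENTORY))
```

The design choice worth noting is that drift detection runs before selection: the scenario questions "is each combination configured the same way?" and "how is this verified?" have to be answered first, because a stratum that is not uniformly configured is not one population and cannot be represented by a single sampled member.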
Assessment Time and Duration
Allow enough time to perform the assessment
-Size and complexity of environment
-Number of people, processes and system components to be reviewed
-Travel time to facilities being reviewed
Reassessment
-If items are discovered to be not in place, will remediation be performed that requires
reassessment as part of this assessment?
Documentation
-Document findings and observations in ROC
-Assessor quality assurance review
-Final report review, signature, submission
Service Providers and Assessments
-Third party service providers
-Include in Requirement 12.8
-Do providers have an impact on how the entity meets PCI DSS requirements?
-Do providers have access to CDE?
-Identify scope of service
-Identify applicable requirements
-Review evidence to determine if requirements are met
What pre-assessment activities should an assessor consider when preparing for
an assessment?
(choose all that apply)
PCI DSS Format
The following defines the column headings for the PCI DSS Requirements and Security
Assessment Procedures:
PCI DSS Requirements - This column defines the Data Security Standard
requirements; PCI DSS compliance is validated against these requirements.
Testing Procedures - This column shows processes to be followed by the assessor to
validate that the PCI DSS requirements have been met and are "in place".
Guidance - This column describes the intent or security objective behind each of the