Firehost Webinar: Do you know where your Cardholder Data Environment is?

Editor's Notes

• #2: Will: Hello and welcome to the second in our series on the PCI DSS 3.0 compliance changes. Today we’ll be talking about your CDE – your Cardholder Data Environment. We’ll leave some time at the end to take your questions, and you can also submit questions during the webinar through the chat feature. To mute your phone, <instructions>.
• #3: Will: I’d like to introduce our speaker today. I’m Will Morgan and I’ll be moderating our discussion. Kurt Hagerman, FireHost’s Chief Information Security Officer, will be leading today’s session on the guidance you should take now to transition your compliance practices in time for the 3.0 deadline.
• #4: Will: Now let’s take a look at our agenda today. We’ll be talking about the PCI DSS 3.0 changes and what you need to get started on right now. We’ll also talk about defining your CDE and using network segmentation, along with the data flow diagrams you’ll need. Finally, we’ll have some time at the end to take your questions live. Kurt, I’ll turn the discussion over to you as we talk more about the 3.0 changes.
• #5: Kurt: Thank you, Will. - These changes reflect shifting security landscape. Compliance isn’t just about passing audits - it’s about successfully defeating threats like XSS attacks and SQL injections. Cybercriminals get more sophisticated every day. many new payment methods now which means that attack surfaces are now larger. hackers understand multiple points of access to cardholder data As all of you know, the new PCI DSS guidelines went into effect on the 1st of this year. You have until January 2015 to get ready, but there are factors you should start thinking about now to transition your compliance systems throughout the year. That’s what we’re talking about today. Just as before, meeting regulations is critical for avoiding the fines and brand damage that come with a breach. Important not to lose sight of that – doing this work is ultimately to your benefit. - If you didn’t attend our first webinar in the series, do so to make sure you have a complete grasp of the basics.  http://info.firehost.com/webinar-series-new-pci-register.htmll  
• #6: Kurt: Today we’re going to focus on the factors you’ll want to start thinking about right now. First up, you’ll want to talk to your QSA – they are the arbiters of your compliance, so start those conversations now and find out what they think the impact of 3.0 will be on your organization. By identifying issues now that might take longer to resolve, you’ll face less work in crunch time. This includes looking at your business environments and security strategies and strengthening your provider relationship. 3.0 focuses on shifting from annual compliance checklist mindset to proactive, business-as-usual approach to security. Now is the time to begin integrating PCI compliance into your daily operations.  
• #7: Will – let’s jump right into the cardholder data environment, the CDE. Kurt can you take us through… Kurt: 3.0 places more emphasis on defining the in-scope environment on a regular basis - these definitions help by pointing out potential weaknesses in your system. It’s important to remember that your CDE isn’t just about technology – it includes people, processes and technology Which means you must understand exactly who interacts with your cardholder data and how. Consider processes like settlements, charge backs, reconciliations, manual order process – all of those are subject to PCI requirements As far as technologies – that includes network devices, servers, virtualization, security services, and applications that interact with cardholder data. Remember that your 3rd party providers are included in this too.
• #8: Kurt: Your first step: accurately determine CDE scope. First you must define where your cardholder data lives and create network and data flow diagrams that illustrate this. Identifying all locations and flows of cardholder data is critical to make sure no data exists outside of CDE. Next get a solid grasp on your inventory – what are all the devices and applications that interact with cardholder data? Security services and segmentation systems: authentication servers, internal firewalls, resolution or web redirection servers Virtualization components: virtual machines, switches/routers, appliances, applications, hypervisors. Network components: firewalls, switches, routers, wireless access points, network appliances Server types like web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS) All internal and external applications Finally, you’ll need to detail any all segmentation methods you’re using to limit your scope. And once again, you must consider your provider and how their systems influences your CDE.
• #9: Kurt: Now that you understand exactly what your CDE is, it’s time to define where your cardholder data lives. The most efficient way to do this is to develop a methodology for defining data in your environment. This is a two-way street; not only will you need to define the data in your CDE, you need to prove it doesn’t exist outside of that CDE. If you go into this process assuming you already know where the data is, you may overlook areas you’re unaware of – as a result, the data will be vulnerable. So it’s important not to limit your search – it’s necessary to identify where any cardholder data is across the entire enterprise.
• #10: Kurt: You’ll need network diagrams that show: how all components of CDE are connected connections between CDE and other networks How the CDE is related to your overall network How cardholder data flows through your systems and applications Where segmentation is used to limit the scope of the CDE   These diagrams show the success of your network segmentation at isolating the CDE and help you understand and keep track of your scope - without them, devices could be accidentally overlooked and vulnerable to attack - diagrams must be kept current and updated  
• #11: Kurt: The 3.0 is very clear on the need to maintain a complete and accurate inventory of all systems and applications in scope. That includes: Network equipment Server and storage infrastructure Security infrastructure Authentication infrastructure Payment applications Management applications
• #12: Kurt: Segmentation reduces your scope for cardholder data - isolates cardholder data into fewer, more controlled locations Shrinking the organization’s attack surface creates fewer points of entry for attackers - lightens your compliance burden, lowers your risk. without network segmentation, your entire network is in scope and that’s going to be a major headache. You want to address this right now - restricting cardholder data to a few locations means eliminating unnecessary data, and consolidating the right data. That can mean you need to rejigger your usual processes, and even part of your foundational infrastructure sometimes - important to start now. Using network segmentation: properly configured internal network firewalls routers with strong access control lists or other technologies that restrict access to a particular segment of a network.  
• #13: NOTE: Might bleed onto two slides to keep from being too word heavy – defer to Casey Kurt: Compliance validation must be performed on all system components in the CDE – anyone that has access to your CDE or impacts it is in scope. This includes any third-party hosting providers, managed security service providers, DR providers, contractors -their routers, firewalls, databases, physical security and servers After identifying and putting together a clear list of all relevant providers, you’ll need to identify who’s responsible for what.   Don’t make assumptions – get everything spelled out in contracts, whether it’s an MOU, SLA or Terms of Service contract.    Also important to work with a “validated” provider who undergoes their own PCI DSS assessments and can show you evidence of their compliance.  
• #14: Kurt - Next up in March, we’ll have another webinar on PCI 3.0 – this time we’ll talk about what you need to do 9 months out. We’ll talk about the controls you need to test and verify your CDE, including pen testing, credit card searches and more.
• #15: Will: Now that we’ve taken a look at what you need to do now to get ready for 3.0, let’s hear your questions. If you have any compliance struggles or challenges that you’re facing, let us know and we’ll talk about the right actions to take. Just use the chat feature to submit your questions.
• #16: Will: Thank you for joining us today. We hope you enjoyed learning more about getting ready for PCI DSS 3.0 and that we answered all of your questions. Within a day or so, you’ll receive a recording of this webinar in an email. To learn more, please visit us at firehost.com – and don’t forget to attend our next webinar on March 25 for part 3 of “Getting Ready for PCI 3.0.” We look forward to seeing you again.