PCI PIN Basics Webinar from the Controlcase Team

ControlCase 941 views 41 slides Jun 04, 2024

About This Presentation

PCI PIN Basics


Slide Content

PCI PIN Basics
WEBINAR
YOUR IT COMPLIANCE PARTNER
GO BEYOND THE CHECKLIST

ControlCase. All Rights Reserved. 2
Agenda
01 Introduction to PCI PIN
02 Brief look into the standard
03 Scope and Applicability
04 Certification Process
05 Q&A

Presenters:
Biju John, Sr. Vice President
Chad Leady, Director, Strategic Accounts

ControlCase Snapshot

ControlCase Overview
Best-in-Class Compliance Platform
ControlCase is revolutionizing the way enterprises and organizations deal with the numerous and frequently changing IT compliance and regulatory requirements:
• Proprietary software, including appliance and SaaS solutions, that enables CaaS (GRC and Data Discovery)
• Compelling proprietary offering combining proprietary software, certification/audits, and managed services on a single platform
• One Audit(TM) enables our clientele to Assess Once, Comply to Many
• Leadership positions in the PCI DSS, SOC 2, ISO 27001, HIPAA, HITRUST, FedRAMP and CMMC domains
Global Vision & Solutions Enhancement
• Serving over 1,000 customers
• Global footprint with offices in the U.S., LATAM, Europe, India, Canada, and UAE
• Leverages an offshore delivery infrastructure for competitive advantage
• IT compliance manager for multiple industry segments including banking, service providers, retail, hospitality, and telecom
Provider of Compliance as a Service (CaaS): a subscription-based offering bundling proprietary GRC software and managed services
Founded in 2004; headquartered in Fairfax, VA; offices in the U.S., Canada and India; 250+ employees

ControlCase Snapshot
CERTIFICATION AND CONTINUOUS COMPLIANCE SERVICES
Go beyond the auditor's checklist to dramatically reduce the time, cost, and burden of maintaining IT compliance and becoming certified:
• Demonstrate compliance more efficiently and cost effectively (cost certainty)
• Free up your internal resources to focus on other priorities
• Offload much of the compliance burden to a trusted compliance partner
• Improve efficiencies by doing more with fewer resources and gain compliance peace of mind
1,000+ clients | 10,000+ IT security certifications | 275+ security experts

ControlCase Snapshot – Solution
Certification and Continuous Compliance Services = Partnership Approach + Compliance HUB (IT Certification Services & Continuous Compliance Services)

Certification Services
One Audit: Assess Once. Comply to Many.
PCI DSS, ISO 27001 & 27002, SOC 1, 2, 3 & SOC for Cybersecurity, HIPAA, MARS-E, PCI P2PE, GDPR, NIST 800-53, PCI PIN, PCI SSF/SLC, CSA STAR, HITRUST CSF

What are the PCI Standards

What is the PCI Security Standards Council?
• Established in 2006 by the leading payment card brands (Visa, MasterCard, American Express, JCB International and Discover Financial Services); UnionPay joined later as a strategic member
• Develops and maintains PCI Security Standards and Programs
• Provides training, tools and educational resources to support PCI Security Standards implementation and compliance
• Maintains the PCI Family of Standards

PCI SSC Family of Standards

| Standard | Scope |
| PCI DSS | Security of environments that store, process or transmit account data |
| PCI SSS (Secure Software Standard) | Securing payment software that handles payment data |
| PCI Secure SLC (Secure Software Lifecycle) | Requirements for software vendors to securely develop payment software |
| PCI P2PE | Point-to-point encryption of account data from the POI to the decryption environment, enabling secure payment transactions |
| PCI TSP | Requirements for token service providers for EMV payment tokens |
| PCI CPP | Physical and logical security requirements for card production and provisioning |
| PCI 3DS | Requirements for entities that implement 3DS payment solutions |
| PCI PIN Security | Secure management, processing and transmission of PIN data (distinct from the PCI PTS device standards for POIs and HSMs) |

What is PCI PIN Security?
Set of requirements for the secure management, processing, and transmission of personal identification number (PIN) data and related encryption keys.
Applies to online and offline payment card transaction processing at Point of Interaction (POI) devices: ATMs, point-of-sale (POS) terminals, MPoC (Mobile Payments on COTS) devices, etc.
• Current version: 3.1
• Validation is valid for 2 years
• Assessment performed by a Qualified PIN Assessor (QPA)
• Compliance enforced by the card brands
• Standard maintained under the PCI SSC
• Deliverables: Report on Compliance (ROC) and Attestation of Compliance (AOC)

Who does PCI PIN apply to?
• Acquiring institutions
• Processors
• Third-party agents acting on behalf of an acquiring entity
• Entities managing cryptographic keys associated with PIN-based payments
• Key Injection Facilities (KIF)
• Certificate Authorities (remote key distribution)
• Any other entity as directed by the participating payment brands
PCI PIN is NOT applicable to issuing processing entities.

Involvement of Card Brands
• Validation is mandated by the participating brand, on a 2-year cycle
• The payment brand is responsible for:
  - Tracking and enforcing compliance
  - Penalties, fees and compliance deadlines
  - The validation process and who needs to validate
  - How frequently entities need to validate
  - PIN assessor requirements, such as rotating assessors for repeated assessments
  - Forensic investigations
Entities and assessors should consult the payment brand directly to understand each brand's validation criteria and reporting requirements.

Overview of the PCI PIN v3.1 Standard
• Seven control objectives and 33 requirements covering transaction processing operations
• 2 normative annexes:
  - Annex A: Remote key distribution
  - Annex B: Key Injection Facilities (KIF)

7 Control Objectives
Control Objective 1: PINs are processed using equipment and methodologies that ensure they are kept secure.
Control Objective 2: Cryptographic keys used for PIN encryption/decryption and related key management are secured at all times.
Control Objective 3: Keys are conveyed or transmitted in a secure manner.
Control Objective 4: Key-loading to HSMs and POI PIN-acceptance devices is handled in a secure manner.
Control Objective 5: Keys are used in a manner that prevents or detects their unauthorized usage.
Control Objective 6: Keys are administered in a secure manner.
Control Objective 7: Equipment used to process PINs and keys is managed in a secure manner.

Normative Annexes
Normative Annex A: Remote Key Distribution Using Asymmetric Techniques Operations
• A1: Remote key distribution using asymmetric techniques for the distribution of acquirer keys to transaction-originating devices (POIs)
• A2: Certification and Registration Authority Operations: operations of certification and registration authority platforms used in connection with remote key-distribution implementations
Normative Annex B: Key-Injection Facilities
• Specific requirements for key-injection facilities for the loading of acquirer keys

Important Dates
• 1 January 2023: Fixed key is not acceptable; only Master/Session or DUKPT (Derived Unique Key Per Transaction).
• 1 January 2023: Key blocks for external connections to associations and networks.
• 1 January 2023: PC-based key-loading software platforms or similar devices (e.g., modified PEDs) cannot be used.
• 1 January 2024: Loading of cleartext private and secret key components/shares into an HSM must use an SCD.
• 1 January 2024: Encrypted key injection for POI v5 and higher devices for entities engaged in key injection on behalf of others.
• 1 January 2025: Key blocks extended to all merchant hosts, point-of-sale (POS) devices, and ATMs.
• 1 April 2025: Non-console HSM access must use a TLS connection.
• 1 January 2026: Encrypted key injection for POI v5 and higher devices for all entities.
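The key-block deadlines above refer to the TR-31 (ANSI X9.143) key block format, in which a 16-character header binds key usage, algorithm, mode of use and exportability to the wrapped key, and the whole block is covered by a MAC so that an HSM can refuse to use a key for anything other than its declared purpose. The following Python is an added example written for this page, not ControlCase's or PCI SSC's code: it parses the header, validates the declared length and version/algorithm pairing, and applies the kind of usage policy an HSM enforces (a data-encryption key may never decrypt PIN blocks; an encrypt-only PIN key may not decrypt). The sample key blocks are constructed; their wrapped-key and MAC fields are placeholder hex, and no unwrapping or MAC verification is performed, so the check shown is what happens after an HSM has verified the MAC. The usage codes included are a subset of the published TR-31 table.

```python
"""Parse a TR-31 / ANSI X9.143 key block header and enforce key-usage binding.

Added example (not ControlCase or PCI SSC code). Header layout and code
values follow the published TR-31 header format; the sample blocks at the
bottom are constructed and their wrapped-key and MAC fields are placeholder
hex, so no unwrapping or MAC verification happens here.
"""
from dataclasses import dataclass

# Subset of TR-31 key usage codes (header characters 5-6).
KEY_USAGE = {
    "B0": "Base Derivation Key (DUKPT)",
    "C0": "Card Verification Key",
    "D0": "Data encryption",
    "K0": "Key encryption or wrapping",
    "K1": "TR-31 key block protection key",
    "M3": "ISO 9797-1 MAC algorithm 3",
    "P0": "PIN encryption",
    "V2": "Visa PVV verification",
}
ALGORITHM = {"A": "AES", "D": "DES", "T": "TDES", "R": "RSA", "E": "Elliptic curve", "H": "HMAC"}
MODE_OF_USE = set("BCDEGNSVXY")   # char 8: B=enc+dec, D=decrypt, E=encrypt, X=derive, G/C/V=MAC, ...
EXPORTABILITY = set("ENS")        # char 11: E=exportable, N=non-exportable, S=sensitive
# Header version (char 0) fixes the wrapping method and therefore the key algorithm.
# Version A (the original TDES variant binding) is obsolete and rejected outright.
VERSION_ALGOS = {"B": set("TD"), "C": set("TD"), "D": set("ATDREH")}

# HSM-style policy: operation -> (permitted key usages, permitted modes of use).
# This is what a key block enforces that a bare "fixed key" cannot: the usage
# travels with the key under the MAC, so a D0 data key cannot decrypt PIN blocks.
OPERATION_POLICY = {
    "pin_encrypt": ({"P0"}, set("EB")),
    "pin_decrypt": ({"P0"}, set("DB")),
    "data_encrypt": ({"D0"}, set("EB")),
    "data_decrypt": ({"D0"}, set("DB")),
    "wrap_key": ({"K0", "K1"}, set("EB")),
    "dukpt_derive": ({"B0"}, {"X"}),
    "mac_generate": ({"M3"}, set("GC")),
}


@dataclass(frozen=True)
class KeyBlockHeader:
    version: str
    length: int
    key_usage: str
    algorithm: str
    mode_of_use: str
    key_version: str
    exportability: str
    optional_blocks: int


def parse_header(block: str) -> KeyBlockHeader:
    """Validate the 16-character header and the block's declared total length."""
    if len(block) < 16 or not block.isascii() or not block.isprintable():
        raise ValueError("key block must be at least 16 printable ASCII characters")
    hdr = block[:16]
    version = hdr[0]
    if version not in VERSION_ALGOS:
        raise ValueError(f"unsupported or obsolete key block version {version!r}")
    if not hdr[1:5].isdigit() or int(hdr[1:5]) != len(block):
        raise ValueError(f"declared length {hdr[1:5]!r} does not match block length {len(block)}")
    usage, alg, mode, exp = hdr[5:7], hdr[7], hdr[8], hdr[11]
    if usage not in KEY_USAGE:
        raise ValueError(f"unknown key usage {usage!r}")
    if alg not in VERSION_ALGOS[version]:
        raise ValueError(f"algorithm {alg!r} not permitted in version {version} key blocks")
    if mode not in MODE_OF_USE:
        raise ValueError(f"invalid mode of use {mode!r}")
    if exp not in EXPORTABILITY:
        raise ValueError(f"invalid exportability {exp!r}")
    if not hdr[12:14].isdigit() or hdr[14:16] != "00":
        raise ValueError("malformed optional-block count or reserved field")
    return KeyBlockHeader(version, int(hdr[1:5]), usage, alg, mode, hdr[9:11], exp, int(hdr[12:14]))


def authorize(block: str, operation: str) -> tuple[bool, str]:
    """Decide whether `operation` may be performed with the key carried in `block`.

    A real HSM first verifies the key block MAC, which covers the header; that
    verification is assumed to have passed here.
    """
    try:
        hdr = parse_header(block)
    except ValueError as err:
        return False, f"rejected: {err}"
    usages, modes = OPERATION_POLICY[operation]
    if hdr.key_usage not in usages:
        return False, f"rejected: usage {hdr.key_usage} ({KEY_USAGE[hdr.key_usage]}) not valid for {operation}"
    if hdr.mode_of_use not in modes:
        return False, f"rejected: mode of use {hdr.mode_of_use} does not permit {operation}"
    return True, f"allowed: {ALGORITHM[hdr.algorithm]} {KEY_USAGE[hdr.key_usage]} key"


# Constructed sample blocks. Version B (TDES): 16 header + 48 wrapped-key + 16 MAC chars = 80.
# Version D (AES): 16 header + 64 wrapped-key + 32 MAC chars = 112. Payloads are placeholders.
PIN_KEY_TDES = "B0080P0TE00N0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"
DATA_KEY_TDES = "B0080D0TB00N0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"
PIN_KEY_AES = "D0112P0AB00N0000" + "0123456789ABCDEF" * 4 + "FEDCBA9876543210" * 2
OBSOLETE_VERSION_A = "A0080P0TE00N0000" + "0123456789ABCDEF" * 3 + "FEDCBA9876543210"

if __name__ == "__main__":
    for name, blk, op in [
        ("PIN key, encrypt", PIN_KEY_TDES, "pin_encrypt"),
        ("Encrypt-only PIN key, decrypt", PIN_KEY_TDES, "pin_decrypt"),
        ("Data key presented as PIN key", DATA_KEY_TDES, "pin_decrypt"),
        ("AES PIN key, decrypt", PIN_KEY_AES, "pin_decrypt"),
        ("Version A block", OBSOLETE_VERSION_A, "pin_encrypt"),
    ]:
        print(f"{name:32s} -> {authorize(blk, op)[1]}")
```

The third case is the one the key-block mandate exists to stop: with variant-wrapped or fixed keys, nothing in the wrapped key itself says it is a data key rather than a PIN key, so a host that can get a key loaded under the wrong usage can turn the HSM into a PIN-decryption oracle. With key blocks the usage is inside the MAC'd header, so the substitution fails before any cryptography is done.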

What is the PCI PIN Certification Process?

Why ControlCase

Summary – Why ControlCase?
Partnership Approach | Continuous Compliance Services | Compliance HUB
"They provide excellent service, expertise and technology. And, the visibility into my compliance throughout the year and during the audit process provides a lot of value to us."
— Dir. of Compliance, SaaS company

Q&A – Open Forum

Q&A
Q1. We understand that PIN applies to acquirers. We don't manage ATMs and POI devices. Can we still be certified under PIN?
Ans: Yes, PIN compliance can be certified for acquirers who handle PIN transactions regardless of whether they own or manage ATMs or POI devices. We review the PIN transaction processing area and validate the applicable controls.
Q2. Is a Host Security Module or HSM mandatory for PIN assessment? If yes, should it be PCI PTS or FIPS certified?
Ans: The HSM is an integral part of the PIN assessment. It processes key management and is the only device that can see clear-text PINs and clear cryptographic keys. PCI PTS or FIPS 140-2 Level 3 certification is mandatory. Note that it is not enough for the HSM to be certified; the client should also demonstrate that it is implemented in compliance mode.
Q2.1 Can they use cloud HSMs?
Ans: Yes, many cloud HSMs are available that are certified under FIPS 140-2 Level 3 and acceptable for financial transactions.

Q&A
Q3. There are additional controls that are applicable based on new dates. Are there any compensating controls if an entity cannot meet those dates?
Ans: These controls are part of the standard and must be complied with. However, if the controls cannot be met due to business or technical constraints, compensating controls can be considered. It's important to note that compensating controls may be reviewed by the brands.
Q4. Visa has updated its PIN assessment guidelines. What are the changes?
Ans: In its recent program update, Visa informed that PCI PIN validation documents need not be submitted to Visa, and the Visa Global Registry will not be updated. One other notable observation is that the same QPA may perform the assessment for more than two cycles for the same entity.

Thank you for the
opportunity to contribute to
your IT compliance program.
For additional queries/support
Biju John
[email protected]
+1 571-412-9898

ControlCase Compliance & Certification Process
950 HOURS: average time spent on compliance & certification of 1 environment with 4 parallel certifications (PCI DSS, ISO 27001, SOC 2 & HIPAA) by partnering with ControlCase.
Consolidated Pre-Certification Assessment: Strategy Call; Compliance HUB Setup; Scoping; Manual Evidence Collection; Automated Evidence Collection (collect once & use for multiple regulations)
Certification: Submission to Accreditation Body; On-Site Accreditation Body Requirements; Quality Assurance Requirements; Report Release; Compliance

ControlCase Compliance Process
Time saved through multi-regulation mapping/One Audit: 900 hours*. Time saved through automation: 350 hours*.
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC 2, & HIPAA).
Consolidated Pre-Certification Assessment:
• Strategy Call: determine environment; determine target certification dates
• Compliance HUB Setup: tools required to collect evidence automatically, run data discovery, run remote vulnerability assessment, and penetration test (VAPT, L&M, CDD, ACE)
• Scoping: collects region information, list of instances running in all regions, and public IP addresses (cloud locations; collect inventory; assessor creates samples)
• Automated Evidence Collection: collects time-consuming evidence such as firewall ruleset, system hardening, password policy, security patches etc. (network mgmt., configuration mgmt., antivirus, patches & security policies, logging & monitoring)
• Manual Evidence Collection: PCI DSS; data flow & processes; policy & procedures; physical security; HR & incident response
Collect once & use for multiple regulations.

Compliance Evidence Overlap
Regulation(s) completed: PCI (100% complete). Status of the other regulations based on question overlap:

| Regulation | Complete | No Evidence Uploaded |
| SOC 2 | 49.1% (84) | 50.9% (87) |
| ISO 27001 | 67% (77) | 33% (38) |
| HIPAA | 76.1% (54) | 23.9% (17) |

Compliance Requirement Overlap

| Question No. | Topic | Question | ControlCase Integrated Standard | PCI DSS 3.2.1 | ISO 27001 | HIPAA | SOC 2 |
| 4 | Scoping | Provide your asset list, a list of the software, databases, data storage locations, sample sets, and other related data elements. | CC4 | X | X | X | X |
| 28 | Data Encryption at Rest | Provide the following for all filesystems, databases and any backup media: (1) details on the method (encryption, hashing, truncation, tokenization) being used to protect covered information in storage; (2) evidence (screenshots or settings) showing covered information is protected, and for the encryption method the evidence of its associated key management; (3) a documented description of the cryptographic architecture that includes details of all algorithms, protocols, and keys used for the protection of cardholder data (including key strength and expiry date), the function of each key used in the cryptographic architecture, and an inventory of any HSMs and other secure cryptographic devices (SCDs) used for key management (to be provided in the inventory as part of Q4). | CC37 | X | X | X | X |
| 44 | Logical Access | Provide the organizational access control policy. | CC63 | X | X | X | X |
| 50 | Logical Access | For all assets identified in the sample, provide evidence of logical access account and password features, including: account lockout policy, account lockout duration, session timeout policy, password length, password complexity, password history, password expiry. | CC69 | X | X | X | X |
| 67 | Logging and Monitoring | For the sample, provide the audit log policy settings. | CC95 | X | X | X | |
| 77 | Security Testing | Provide external penetration test reports for network and application layer. | CC115 | X | X | X | |

Average Time for Compliance & Certification
Average time spent by customer on compliance & certification of 1 environment with 4 parallel certifications:

| Activity | PCI DSS | ISO 27001 | SOC 2 | HIPAA | Total |
| Compliance / Evidence Collection | 400 hrs. | 400 hrs. | 400 hrs. | 400 hrs. | 1,600 hrs. |
| Certification Support | 150 hrs. | 150 hrs. | 150 hrs. | 150 hrs. | 600 hrs. |

Evidence collection & compliance total:
• Time saved through ControlCase multi-regulation mapping/One Audit: 900 hrs.
• Time saved through ControlCase automation: 350 hrs.
• Total time spent on evidence collection using another auditor: 1,600 hrs.
• Total time spent on evidence collection partnering with ControlCase: 350 hrs.
Certification support total:
• Total time spent on certification support using another auditor: 600 hrs.
• Total time spent on certification support partnering with ControlCase: 600 hrs.
Total time spent on compliance & certification using another auditor: 2,200 hrs.*
Total time spent on compliance & certification in AWS by partnering with ControlCase: 950 hrs.*
Total time saved on compliance & certification by partnering with ControlCase: 1,250 hrs.*
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC 2, & HIPAA).

Compliance & Certification Time Savings
Using another auditor: 1,600 hrs. evidence collection* + 600 hrs. certification support* = 2,200 hrs. total time spent on compliance & certification*
Partnering with ControlCase: 350 hrs. evidence collection* + 600 hrs. certification support* = 950 hrs. total time spent on compliance & certification*
* Based on 1 environment with 4 parallel certifications (PCI, ISO, SOC 2, & HIPAA).

Certification Technology Footprint
1. ACE (Automated Compliance Engine): can collect evidence such as configurations remotely
2. CDD (Data Discovery Solution): can scan end user workstations for card data

CONTINUOUS COMPLIANCE OVERVIEW

Continuous Compliance
"The continuous compliance monitoring is a big value add to their audit and certification services, which is good for organizations that don't have the team in-house. It's a big differentiator for them."
— VP of IT, Call Center / BPO Company
70% of companies' assets are non-compliant at some point in the year.
Go beyond monitoring and alerting to predict, prioritize and remediate compliance risks before they become security threats.
Address common non-compliant situations that leave you vulnerable all year long, including:
• In-scope assets not reporting logs
• In-scope assets missed from vulnerability scans
• Critical, overlooked vulnerabilities due to volume
• Risky firewall rule sets going undetected
• Non-compliant user access scenarios not flagged

Continuous Compliance Services
What is continuous compliance:
• Quarterly review of 20-25 high impact/high risk questions
• Technical review of vulnerability scans, log management, asset list, and other available automated systems
Benefits of continuous compliance:
• Eliminates potential major last-minute audit findings
• Reduces effort for the final audit by approximately 25%
• Reduces the risk of technical shortcomings such as quarterly scans missing certain assets or logs from all assets not reporting
Deliverables of continuous compliance

Predictive Continuous Compliance Services

| Continuous Compliance Component | PCI DSS Requirement Met |
| Firewall rule-set analysis | 1 |
| Configuration scanning | 2 |
| Searching of cardholder data within environment | 3 |
| Secure coding developer training | 6 |
| Application security scanning | 6 |
| Logging platform | 10 |
| File integrity monitoring platform | 10 |
| Review of logs and alerts to meet PCI DSS requirements | 10 |
| Secure storage and archival of parsed logs | 10 |
| Internal vulnerability scanning | 11 |
| External vulnerability scanning (ASV approved scan) | 11 |
| Internal penetration testing | 11 |
| External penetration testing | 11 |
| Application penetration testing | 11 |
| Distribution and attestation of annual security awareness training | 12 |

Predictive Continuous Compliance Services
What is Continuous Compliance?
• Quarterly review of 20-25 high impact/high risk questions
• Technical review of vulnerability scans, log management, asset list, and other available automated systems
Benefits of Continuous Compliance
• Eliminates potential major last-minute audit findings
• Reduces effort for the final audit by approximately 25%
• Reduces the risk of technical shortcomings such as quarterly scans missing certain assets or logs from all assets not reporting
Deliverables of Continuous Compliance
• Quarterly compliant/non-compliant status on the dashboard by activity area
• Risk rating every quarter

ControlCase Snapshot – Automation-driven
Compliance HUB Portal: automation-driven certification and continuous compliance

Quarterly Questions

| No. | Meeting Topic | Review Item | ControlCase Questionnaire Reference |
| 1 | Scoping | Review of scoping information: DFD, network diagram, asset inventory, in-scope locations | Q1, Q2, Q3, Q4, Q5, Q7, Q8 |
| 2 | Significant Infrastructure Changes | Review of significant changes records | Q41 |
| 3 | Significant Infrastructure Changes | Review new installations for hardening process | Q23 |
| 4 | Security Scans & Tests | Review of quarterly VA scan report | Q74 |
| 5 | Security Scans & Tests | Review of quarterly ASV scan report | Q75 |
| 6 | Security Scans & Tests | Review of quarterly wireless scan report | Q72 |
| 7 | Security Scans & Tests | Review of semi-annual segmentation test report | Q79 |
| 8 | Security Scans & Tests | Review of semi-annual firewall ruleset review | Q11 |
| 9 | Security Scans & Tests | Review of recent secure code review reports | Q37 |
| 10 | PCI Controls Review | Review quarterly compliance review and communication to top management (PCI DSS Charter) | Q87 |
| 11 | PCI Controls Review | Quarterly user access review | Q48 |
| 12 | PCI Controls Review | Store POI (PIN pad) verification process | Q65, Q66 |
| 13 | PCI Controls Review | Review of platform-specific logs for completeness and daily log review process | Q68, Q71 |
| 14 | PCI Controls Review | Review of in-scope third-party service providers list and PCI compliance status; due diligence for new vendors | Q90, Q91, Q92 |
| 15 | PCI Controls Review | Review of sample tickets for new user access creation, modification and removal | Q46, Q47, Q59 |

Continuous Compliance Technology Footprint
1. ACE (Automated Compliance Engine): can collect evidence such as configurations remotely
2. CDD (Data Discovery Solution): can scan end user workstations for card data
3. VAPT (Vulnerability Assessment and Penetration Testing): can perform remote vulnerability scans and penetration tests
4. LOGS (Log Analysis and Alerting): can review log settings and identify missing logs remotely