PCI DSS Masterclass - From Foundations to Mastery | Taimur Ijlal | Skillshare
Drawer
Search

Playback Speed


  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x

PCI DSS Masterclass - From Foundations to Mastery

teacher avatar Taimur Ijlal, Cloud Security expert, teacher, blogger

Watch this class and thousands more

Get unlimited access to every class
Taught by industry leaders & working professionals
Topics include illustration, design, photography, and more

Watch this class and thousands more

Get unlimited access to every class
Taught by industry leaders & working professionals
Topics include illustration, design, photography, and more

Lessons in This Class

    • 1.

      Introduction

      8:02

    • 2.

      Overview of PCI DSS

      6:10

    • 3.

      Standard structure

      3:29

    • 4.

      PCI DSS process ( Foundation )

      14:11

    • 5.

      PCI DSS process ( Implementation )

      8:01

    • 6.

      Requirement 1

      4:47

    • 7.

      Requirement 2

      4:43

    • 8.

      Requirement 3

      14:11

    • 9.

      Requirement 4

      3:34

    • 10.

      Requirement 5

      2:55

    • 11.

      Requirement 6

      6:28

    • 12.

      Requirement 7

      2:03

    • 13.

      Requirement 8

      3:30

    • 14.

      Requirement 9

      4:14

    • 15.

      Requirement 10

      2:25

    • 16.

      Requirement 11

      5:10

    • 17.

      Requirement 12

      3:25

    • 18.

      Compensating Controls

      2:25

    • 19.

      SAQ and its types

      8:52

    • 20.

      PCI DSS v4 and the key changes

      13:18

    • 21.

      How to get ready

      2:03

    • 22.

      Way forward

      2:12

  • --
  • Beginner level
  • Intermediate level
  • Advanced level
  • All levels

Community Generated

The level is determined by a majority opinion of students who have reviewed this class. The teacher's recommendation is shown until at least 5 student responses are collected.

40

Students

--

Project

About This Class

The PCI DSS Standard is considered the gold standard across the world for the protection of cardholder data and has been implemented by millions of organizations to date. If you are interested in mastering this standard from scratch, then this course is for you! This course assumes ZERO knowledge of the standard and teaches the core requirements and how to implement the standard in any environment.

Additionally, PCI DSS has gone through a major change with version 4.0 recently being released. This course is one of the first courses in the market to cover the new version of PCI DSS v4.0 in detail and the new requirements that are coming into effect over the next few years.

Take the next big step of your career with this course

Topics Covered:

· PCI DSS overview

· PCI DSS structure of the standard

· PCI DSS process from scoping to final audit

· What are the 12 PCI DSS requirements

· Different types of SAQs

· PCI DSS v4.0 and the key changes in the standard

· The way forward to implement PCI DSS in your environment

In addition to a full overview of the standard, you will get actionable advice from the instructor who has over a decade of implementing PCI DSS across the globe.

Meet Your Teacher

Teacher Profile Image

Taimur Ijlal

Cloud Security expert, teacher, blogger

Teacher
Level: Beginner

Class Ratings

Expectations Met?
    Exceeded!
  • 0%
  • Yes
  • 0%
  • Somewhat
  • 0%
  • Not really
  • 0%

Why Join Skillshare?

Take award-winning Skillshare Original Classes

Each class has short lessons, hands-on projects

Your membership supports Skillshare teachers

Learn From Anywhere

Take classes on the go with the Skillshare app. Stream or download to watch on the plane, the subway, or wherever you learn best.

Transcripts

1. Introduction: Hello, hi everyone. My name is femoris and I'm the creator of this course, welcome discourse which is called PCI DSS foundations to mastery. Now the PCI DSS, it's one of the hottest topics around and it has been for the past, I think 15 years or so. And it will remain to be hot honestly, as long as payment transactions keep happening. So if you're interested in learning about the PCI DSS standard from scratch, this course is definitely for you if you're already an expert, I mean, you have a few as experience in implementing PCI DSS, then it is still for this course, I would still recommend it as it will be a great recap for you to just go over some of the core concepts and get some practical advice. And also, I will be covering the new updates to the standard which is in PCI DSS version 4. And honestly, no matter how much technology progresses, cardholder data is still one of the most important types of data around and it will always need to be protected. So whether you're a small startup, whether you're a Fortune 500, honestly, the standard is usually applicable to you. This course. I have specifically designed it to help people gain mastery over the PCI DSS standard from scratch, okay? You don't need to be an expert in credit card transactions or the payment industry or even an IT expert. Okay. It's based on my own like a nine or ten years experience and implementing PCI DSS. I've implemented it in multiple standards across multiple geographies. I know the standard inside out the course. It will make you understand and master the PCI, DSS standard. And it gives you all the knowledge that you need to implement it in any environment honestly. And I try to make sure to give you practical advice. I don't want to bore you and make it like a death by PowerPoint. But I'm just reading a slide and you're just like, I'm going to try and give you a, make this as practical as possible. What are the key things you need to know? What are the some of the mistakes which people make so awesome, Let's get started. Just a brief background about me guys don't know who is teaching you this course. My name is Dan Voltage Law. Okay. I've been in various leadership positions for the past 20 years, mostly in the Middle East. Okay. So I will total around 20 years and technology risk. I was responsible for overseeing PCI DSS implementation in their own three or four locations for over nine years. So I have a very diverse experience and PCI, DSS. Okay. So currently I'm based out of London. I'm an author. I have, I'm also like to blog and I'm also a teacher and instructor, which you can see here. I'm also cybersecurity career coach. I usually try to help people if they want to succeed. And really what he called, Go ahead in there and will improve upon their cybersecurity careers. I have a YouTube channel called the Cloud is cloud security guy, which you can take a look at. And I usually talk about stuff pertaining to cloud security, artificial intelligence, and gender cybersecurity advice. So apart from cybersecurity, my journey has been ups and downs. I won multiple awards in the industry, and I've established myself in the Middle East for many years. I've written a book also about artificial intelligence governance in cybersecurity. And I have two more books plan this year. I felt this was a topic that has not getting enough coverage. So I thought I'll do my bit to create as much awareness as possible for my buck to the industry. I was awarded like a UK global talent visa. And I also help people who are applying for UK technician endorsement. I tried to help them out in their applications as much as I can. So this is just a recap on who I am. What I do is to understand who's teaching in this course. While and PCI, DSS guys. So what's the reason? Why should you, if you're attending this course, obviously, you must have a reason. It might be part of your job. Or maybe your company has decided to implement it as a regulatory requirements when you don't have a choice, All you might get fined if you don't implement it all. Or maybe a company is just saying it's a good standard to implement, it's good practice. So let's go ahead and implemented one of the, some of the reasons, okay. My pod guys, VR, what he called the Moving to a cashless society, right? The card-based transactions are becoming more and more common. It might be point-of-sale terminals, CashRegister, smartphones, everything is being powered by cashless transactions. And protecting those transactions is very important guys. If you want to feel, if you feel that, if the customers feel they cannot protect their data, then they will transact with you, which will destroy your business. I mean, if you're a merchant or service provider, right? And people don't want to have transactions with you, this has become a big problem. So this is where PCI DSS comes in and it enforces like a common standard across the world for the protection of cardholder data. This standard, it will remain applicable as long as what do you call people doing transactions, Okay? And it will be very important for the foreseeable future. It's a great thing to have on your CV is a great experience to have. Also, depending on the industry, might not have a choice. You have to be compliant if you are storing, transmitting, or like processing cardholder data, which we'll see. But they are, like I said, they are always good reasons for knowing how to implement a PCI DSS standard, which is one of the reasons I made this course. So what will this course cover? And I hope you understand now why you should note PCI, DSS, okay? What about this course? Or what is it going to teach you? It is going to teach you, first of all, PCI DSS from scratch. I'm not going to read the standard from page one until the end. Okay. Nobody wants that. I honestly, if you want me to read bullet by bullet, this is not the course for you. I'm going to make you understand the intent of the, all the requirements. What are the practical steps in doing that? You do not need to memorize the standard. Lot of people started making that mistake. Okay. What I'm going to do is I'm going to explain how the standard works and what are the best ways to go about implementing. I am going to deep dive into this 12 requirements, the standards, and we will go over each in detail. Okay? I'm gonna give you practical advice, okay? Actually advice based on real-world implementations which I've done. And lastly, the standard is being revised, okay? The latest updates for PCI, DSS for points, what are the key changes you should be aware of? What are the things you should be ready for, whatever you think you should start doing now. Because the two thousand and twenty four twenty five is very close. It looks far away but is going to come. And you might need to do certain things, so I want to make sure that you are ready for this. Okay. Who is this course for? Whether you're a new employee with limited present knowledge or maybe experienced system administrator. This course is going to help you, your organization to become compliant with PCI, DSS or comments. I've made this, I've designed this course like a reference guide, address the most challenging aspects of PCI, DSS compliance. So depending on your background, job role, the organization leaves some sections may be more relevant than others, okay. So you can be an IT auditor who's going to audit their environment against PCI DSS. You can be like, I don't know, a QSEN ISAF, people who are preparing for the exams for PCI, DSS, you might be preparing for this. And this example gives you some great inputs on that. There's some good test questions, practical advices, they are okay. You might be a risk professional. And who wants to understand the standard, how it, what are the risks? What are the things which we have to implement, okay? Or you might be a business professional. Your business might be underscore for PCI, DSS, and you want to understand how to implement it. So these are all the things which were the people who or whom the standard might be applicable to. As a class project guides information which you don't apply, you're going to forget it. Okay? That has been my experience throughout my life. If you don't implement what you're learning, you're going to forget it. So by the end of this course, I want you to fill out in a city or we're gonna go into detail about SAQ is for a physical or an e-commerce merchant. So just think about a hypothetical merchant. They are accepting card-based transactions. Are they doing e-commerce? And I want you to fill out and SEQ for that doesn't really help you to lock it down and really make you understand how to the PCI DSS standard works. So I hope I made you excited for this course and what are the things I'm going to be teaching you? And how are you going to be learning about the PCI DSS. Let's get started, guys. Thank you so much for taking this course. And I will see you in the next section. 2. Overview of PCI DSS: Okay guys, Welcome, Welcome to the first module of this course, which is PCI, DSS, and overview of the standard. But first of all, I want to teach you what PCI DSS is likely or don't want to jump into implementing the PCI DSS standards and requirements, right? You don't understand what we hear ideas, this is how it works. What's the point of this standard, right? We've already have so many standards. By one more. Let's learn about PCI DSS. From the ground-up, I would recommend taking this model even if you have experience of implementing PCI DSS before, because you'll get a good overview and a history of the standard. And I'm going to teach you how the standard is structured and some of the common mistakes I've seen people make in around like ten years of implementing PCI DSS, okay? Okay. First of all, the PCI DSS standard, okay. It was established in 2006 or eight by the major card brands, Visa, MasterCard, American Express, Discovery, JCB, all of them. Why did they do it? Simply put, historically, what used to happen with all of these color schemes? They had their own standards, they had their own programs, so compliance. So let's say you are a merchant, right? We want to employ you want to accept Visa cards, okay? Visa had their own standard you have to comply with before you could do it, then Mastercard it there only if you want to accept MasterCard. And simply with Amazon, again with American Express, I'm making a gesture be. So you can understand, this became a big issue for merchants and service providers. The amount of time and money implemented different standards. Okay? So what happened was all of the standards that came together and they're going to establish a common standard. And this standard is going to be applicable for people who are involved in the payment industry. It eliminated the need for complying with each one separately promise, okay? So this is how, if you are like storing, processing, transmitting this data, you are required to implement the standard to protect it. Based on thousands and thousands of investigations of merchants who had been breached. What was confirmed, what that if they had implemented distended properly. Okay. What do you call they have implemented centered properly. It would greatly reduce the risk of them getting attacked or like compromised. Ok, so the standard is very useful. Does it make you a 100% secure? No, absolutely not. But it is a very good starting step. Okay? So who is it applicable to? Basically remember this storing, processing or transmitting any business that stores, processes or transmits payment card data, you are required to implement the standard to prevent cardholder data, okay? You can be a merchant, it can be a service provider, you can be a bank, you can be a call center. We can be a technology company. Doesn't matter if you're doing these three things. Either of the three things we will come into scope. How much you have to implement, that is where the difference happens. But rest assured you will come into the scope. Okay. So why? You might ask why, okay. I'm already secure. I have implemented controls and all that, etc. Why do I need to do the standard? Okay. What's the need for the standard? Simply put, like based on the old thing that criminals go where the money is okay? The same. In a digital age, merchants have become much in service providers, there becomes a new target for fraudulent activity. Okay? So you might, it might be your cash register, it might be your primary point of sale. It might be a shopping cart, it might be a Wi-Fi network. It might be the PCs or the workstations that you have. Okay? It's become a serious problem because attackers know that even one of these things I can compromise. I might get access to this data. I might be able to commit fraud with this. That's why it's so critical to understand these vulnerabilities. They can happen anywhere in the card processing ecosystem. Like I said, it might happen in mobile devices, point-of-sales, wireless hotspots where shopping applications, it might be transmitted and it might go, it might not be in dry Miami, it might be in a service provider. It might be in your Cloud environment. Okay, So that's why the PCI DSS comes in and really helps you to secure this environment, really makes you understand what I have to do. What don't I have to do? One other due diligence activities I have to implement. Okay? So definitely there is absolutely 0 when he called disadvantage in implementing this standard. Okay. That's why any technology, any company who was, who is processing and involvement payment transactions, I always recommend to implement a PCI DSS standard. Okay. So the timeline from the standard has come a long, long way, honestly. And why it has been revised so much because it is a living document. It has evolved to keep up with the state of e-commerce and most sophisticated cyber threats. And honestly how technologies evolve in 1015 years ago, the Cloud wasn't that important. Smartphone transactions weren't happening that much they were happening but not that much. Okay. Attacks for different who didn't have like containers in Cloud and Sowell as all of these things have come up, that's why the standard keeps changing. We don't need to like it. You don't need to memorize the history and this is just for your reference. But just know that it has gone through various iterations to keep up-to-date with technologies. In 2022, the version 4 was released. Okay? And just to make you understand, in 2022, it has come up, right. And it has expanded upon MFA, multi-factor authentication or their roles and responsibilities. And a lot of new requirements have come up till March to 2024. By that time, the PCA, the old version, which is 3.20.1, it'll be retired and it will be completely replaced by 4. So you do have a little bit of time. And by March 2025, the new requirements will officially become effective. Some optional comments, okay. These are based on projections by the PCA Security Standards Council, the body who maintains the standard. They may be subject to change, but the timeline. So that's why I keep recommending that guys. If you are in scope for PCI, then start looking at the 4 requirements today. Don't put it off. Okay, so this was a basic overview of the standard. In the next module, I'm going to go over the vesicular architecture, how the standard is structured, how it works, and how it's structured. So thank you guys, and I will see you in the next module. 3. Standard structure : Okay guys, so welcome to this module which is about the PCI DSS structure, how the standard works. So simply put, it's very simple. It has six schools and 12 requirements. People usually to focus more on the 12 or comments from one to k, we have to implement it to become PCI DSS compliant. You might be in scope for some I notice for fathers. But this is basically how the standard has been structured is pretty simple. It's not that complicated. So the goals, these are common step requirements, honestly, some of these you might look at and say, Hey, okay, all a lot of these things I'm already doing. But that's the whole point. Because what might seem common sense to you might not be common sense to other environments like other merchant service providers, they might say, Okay, I don't need to implement a firewall, I don't need to do this. That's my mandate states. So what are the six basic categories? It is usually about maintaining and building a secure network to firewalls or other devices. You should be protecting cardholder data wherever it is stored. You should have a vulnerability management program to make sure that your systems remain secure. Okay. Any issues come up, you're aware of it? We should have strong access control measures may be physical or logical. You should be regularly monitoring your network, okay? Don't assume your network is secure. Something might have happened. Of course, from the due diligence perspective, you should have a high level of governance through policies to charters, making sure that training is, are there people are aware of their requirements. Okay. So these are the goals. The goals and what are the requirements will go over each of these in detail, guys. But just to give you a high level requirement for maintaining a firewall, you should have standardization. You should be protecting cardholder data is with securing it over the network, protecting it from Albert, updating your systems. These are the first six. The next six, we're restricting access, be it logically or physically, having unique credentials, okay. No sharing of passwords, please. Having physical security, logging and monitoring what's happening doing VN, VN PT, okay. And document and assessing your risks which are happening. So these were the 12 or comments guys. These might seem like too much. Okay, 12 hour who is going to memorize this? So this brings me to my, some of the common mistakes which people make when they're implementing the requirements. And I want to make sure that you don't make the same ticket for me. Then this quite a lot of times some of the common mistakes is they try to memorize the standard. Okay. Please do not need to memorize the standard and the trunk requirements. Nobody does that. You don't have to do this. You can just understand the intent of feature Comment, okay? And then gone by when you can implement it, as long as you understand what they're basically comment is intending, you can have a lot of back-and-forth with the PCI auditor and you can satisfy, look, I am implementing the standard, maybe XYZ is not implemented, but you have done other stuff. We look into this in details. So that brings me to my next point, which is another mistake which people make is not engaging with the QSR earlier. You should, if you have a PCI auditor who's available, engaged with them right from the start. Tell them, I'm not doing this so that they are aware. Perhaps if you're making any mistakes, you can catch it right from the start. Okay. The audit don't treat treat this like you're trying to hide stuff from the auditor engaged with them right away. So I hope you understood how the standard is structured. What are the key goals, are the key requirements and whatever mistakes you should avoid. So in the next module, we're gonna be starting the process, okay? The PCI, DSS also as a process, it's not that you can just go ahead and start implementing the 12 requirements anyway. There's a standard process we have to follow and we'll deep dive into that. If you understand that the PCI DSS process will become, I can promise you it will become easier. So okay guys, let's jump into the next module. Thank you. 4. PCI DSS process ( Foundation ): Hi everyone, Welcome to this module which is about PCI DSS, understanding the process. So one thing I want to mention is a lot of people make the mistake. A lot of companies make the mistake that they've decided to implement PCI DSS, what they do is they jump, they download the standard and they just go ahead and start implementing it, right? They say, Okay, I have to enable multi-factor authentication. I have to harden my server, I have to patch XYZ, etc. That is not the way you want to start PCI DSS. That is setting yourself up. If you want to be PCI DSS compliant, there is a structured process to follow. You can't just start implementing the requirements straight away. It won't work. You will waste a lot of time and be Willis the Lewis, a lot of money also. So let's see what is the best way to go about implementing PCI, DSS, and environment? There are two phases. One is foundational, one is the implementation phase. If you do the hard work in the foundational phase phase, the implementation phase will become much, much easier. The implementation phase, but usually takes longer, but it is much more easier because we have a firm direction. Okay, so what are the steps? The key steps you need to do to successfully implement PCI DSS within your environment. Okay, let's start. In this module, I'm going to go over the foundational ones. First step, most important, and sometimes it gets missed out. Gathering, manage, management support. You need management support for your PCI DSS to be successful. Pci DSS, please note this very carefully. It is not an IT project. It, it deals with people, processes, operational technologies that must be tested and protected. It is not, it is a project, but it is not an IT project. A lot of companies, what they do is they empower the IT teams to go ahead and implement it. You can do it, but what is gonna happen? It's gonna be either fail or it'll be a onetime activity. You'll be compliant for the first year, second year, IT will get busy with other things. Did forget all about it. So you've wasted your time and money. You need to change the culture first, we need a management level sponsor, preferably the CEO or the CEO or somebody might have the syllable. You need that guy to send a clear message across organization. Pci, DSS is a priority and we're going to be implementing it and please nominate XYZ formula units. They will approve the budget because it is going to cost you, you need to implement stuff. Don't assume it's gonna be all free, but really management support ensures that your staff, everybody understands the importance of this. And you will make your life considerably easier later on. For larger organizations, if you want to have a continued PCI, DSS compliance, it needs a very strong culture of collaboration, communication, and commitment from executive leadership. Please do not stick this step. Nominate an executive sponsor who will be approving the budget and who will, to whom you will be sending your project updates. Hey guys, this is the status of the PCI DSS. So make it a project, but don't make an IT project. You can run it from your risk department, whatever department you have. But don't make it an IT project and make sure you have management support, okay? Okay. Second step. What is the second step into foundational phase? It is understanding your responsibilities, but what are you? Are you a merchant, your service provider, IU or bank. Okay. Because you have different processes, technologies, things which are in scope, okay? You will be interested, I'm sure you will know you are in PCI, DSS cope or not. But you need to find out what sort of business are you doing. Is that e-commerce is a point-of-sale, is that outsourcing? So usually I recommend reaching out to your career. It might be a bank, it might be a card scheme like Visa, MasterCard and ask them, I am doing XYZ, what what do I have to do to become PCI DSS compliant? Why do I say this? Because the PCA Council, they said down there, they've set down the PCR Standards Council white, but each payment brand new Visa, MasterCard, they have their own. These are validating it. So you should contact the payment brands or the acquiring bank. Okay. That will give you a clear what he called a tone for what? You have to do. A full audit, you have to fill out a questionnaire, do have to submit a Esri scans, these things you can find out from their websites or you can contact them themselves. I would recommend doing both just to make sure there is no ambiguity. And later on, you're not surprised by some use like a comet which suddenly comes up and you're not aware. Okay. So that is number two. What is the number third party? Third part. So you've contacted the payment bank or the acquirer. Now you find out what is your compliance obligation. Is it a self-assessment questionnaire or as a full audit? Sorry. Cq. The first one, SAQ is like a validation to Lisa questionnaire. What you do is you fill it out yourself. You don't have to have anybody else do it. You can do it yourself. Okay. If you're not required to do a full audit, you can just fill out an SAQ. It's a series of yes or no questions for each PCI, DSS or comments, you just fill it out 111, we sign it, and then you submit it as a data. That is one of the easier ways of passing on a PC audit. Okay. So it's exactly what it sounds like. It is a self-assessment questionnaire. You can fill it out yourself and it'll basically say, this is my current compliance posture. Nobody is going to verify it. That your work and you have to be truthful, please don't take this the long way. You have to be truthful, but nobody's going to verify it's really you can have your audit team check-in. That is the first part. Or you might be subject to a full audit, which is that the payment Granville asked for important compliance and also an attestation of compliance, which is an EOC that is basically a full audit. You will need to reach out to your Q essay. You'll need to engage with the company, which is like all UK, USA will discuss that later. They call a qualified security assessor. Okay. Basically, they had a PCI DSS audit. They will do a full audit. They will come assess your environment and say, Okay, this is satisfactory and give you a report that full auto civil get submitted to your payment band to your bank. Okay. But this one is more difficult, but I usually recommend doing the full audit just to make sure it is always best to have a third party come in and check it. Okay? So these are the two compliance obligations you might have. Okay. So now we've understood that, okay, I have to do PCA compliant. And now what do I do? A very, very key step that is, please do not skip. This is setting down the scope. Many organizations have any starch. They asked this question, okay, where do I implement PCA ideas is, if I have like 12 branches across, I don't know, 50 countries and 5 thousand staff do have to prevent PC IDSs and every one of them? No. So like I said, your scope is basically wherever it is storing, processing, transmitting the cardholder data environment. That is very hard to implement PCI, DSS. Many organizations that do have problems figuring out which systems are NPC idea of scope and which are not. Okay. For that, I would recommend dataset document. I'll try to touch it if I can, is called the PCI, DSS scoping and Netflix segmentation supplement. Okay. I think came out in May 2017. It really gives you it gives you guidance to identify what systems need to be in scope, what systems are not in scope, and how you can actually reduce your scope through segmentation. Very important guys, you need to understand your business environment, especially how the systems are interacting with cardholder data. Via cardholder data is being stored and we'll get into this. But you need to really sit down with your business. Don't just sit with the IT guys sit down with your business because the whole flow of cardholder data, you need to implement your controls on top of that. And those are the people, processes and technology on which the 12th PCI requirements will get implemented. Okay, so what, what advice at the scoping is a very important topics are going to take my time on this. So what comes into PCS scope? You need to first list, list, and confirm all the connected systems which are like processing, storing, or transmitted cardholder data. Okay. There are some guidance which the council gift simply put, any system that stores processes transmitted cardholder data or sensitive data, or any system which is on the same network has them. That's pretty simple. I think that's pretty logical, right? And what does okay, Apart from that, any systems which are providing them, which are connected to them, or providing them security. Okay. So what can that be? Okay, a system might be directly connected to your caudal and ramified through internal network connectivity. Or it might be indirectly connected, maybe like a jump server connection. Or it might impact your, the security of your cardinal environment. Maybe it's a web server, a DNS server, or maybe it's a server which is providing security, like network traffic filtering epoxy. Maybe it's distributing patches, single sign-on, or maybe it's a firewall which is segmenting off your card online environment from the other ones. Okay. Your firewalls are configured to block traffic light that will come into scope. Or it is supporting PCI, DSS or comments, maybe time server, your SIM solution. Okay? So this look at this diagram. It will help you to find out, okay? And of course, you can understand this looks like okay, managed kind of thing, a lot of system, the scope. How do you shorten the scope of PCI DSS, okay, there are things you can do to actually reduce the scope of PCI DSS within your environment. And the most important thing is segmentation. Without segmentation, your network becomes like a flat network. What does that mean? It means everything is on the same network. Okay. Your caudal environment, your security systems, your lawn card, older systems which have nothing to do. But you're cardholder data. All of them are the same network. And what happens is if one of the system is compromised, maybe your laptop gets compromised to connection to the Internet. Now the attacker can simply jumped from that server to your caudal environment. Without, because of this flattened, everything will be in scope. That's why you need to segment of your network. And it prevents out of scope system. So you're going to segment off your non cardholder related environment from your cardholder environment, okay? And what it does is it prevents those systems from talking to each other. And even if that non-causal environment is compromised, because it's not going to be as secure, it won't impact your card holder environment, okay? Even if an attacker gets in that document, not have access to the cardholder environment. Okay? So that's why it makes it difficult for the attacker to migrate from the point of entry. Maybe it was like a laptop or workstation to other systems. Okay. So usually what people do, they use firewalls for segmentation or you can create zones within your fibers. And let's take a look at how that happens. So just a simple integral in blue. This is like what a typical flight network will look like, guys. So this looks very institute. You have your network, right? The servers, your midas, heterolytic, your desktops, your point-of-sale machines. All of them have connected to a firewall on the same firewall, and they connected to the Internet. So you can see just said this is like a nightmare waiting to happen. One of them gets like a beach by an attacker. He can access pretty much everything you can jump from there to the cardholder environment. This is not the way to do it. So what do we have to do, guys? We create something called a segmented network. So what we do is we create a segment within the green zones, within the firewall. And we break it down into smaller networks like Cardano network like an on-call don't network like a business network. And you put firewalls or other devices between them. So that restricts their connectivity. This is how a segment and it will look like. So even if one environment is compromised, you cannot jump to your other environment, okay? Because you have other controls, segmentation can be tricky, especially if you don't have a technical background, okay? So I would always recommend having your network team double-check it. They just have your risk guy is the security guys. Check it, double-check all your segmentation. And you can, we're going to look into that. How do we check whether the segmentation is properly done? But I hope you understood guys, why it's so important. And now you can see how it is going to shrink the scope of your PCI DSS network, right? You will have in scope and out of scope. And just to be very clear guys, some funny talking about out of scope. So we're talking about systems. They are not in scope for PCI DSS, So you don't need to implement PCI DSS there. But then they won't have access to the caudal environment. But if they do, then you have to implement PCA, okay? You have to have controls like I mentioned, segmentation and other stuff to stop them from getting getting access. So within the PCA console, they've given some guidance. They say these other things so it cannot process cardholder data. It can't be on the same network, it cannot connect you and you just don't like it pretty much anything. If it does it to be considered out of scope, it needs to satisfy all this gray area and you need to have controls in place to provide the auditor assurance that like, you can't just change this tomorrow, right? You can't just bring this metric on the same network. You need to have other controls like firewalls, physical access controls, multi-factor authentication, restricting admin access, or actively monitoring this metric to make sure there is no network connectivity. Okay? And usually guys, one thing I recommend, and it's not popular. Why it's not required to implement PCI, DSS, an otoscope. But I always do recommend you can consistently implementing shade won't get audited, but it's just security best practice because the PCI, DSS is such a good control standard, you should implement it on out of scope networks also. Okay? So this is what it looks like, a typical network. Okay, That's what I was talking about when I mentioned. So you can see here guys, you have like a Caligula environment at the top right, you have a point of sale machine, your coordinate systems. It is connected to something shared services like Arctic territory, batching, logging. There's a jump server and you have an outer scope network, so there is no connectivity between the CDE, the corporate line, okay. There is a connectivity between the shared services and that. But you understand there is no direct connectivity. If there was any direct connectivity, then definitely it will become in scope. So this is, use this as a high-level guidance for how you want to segment off your network. Okay, So this is what I was talking about, segmentation. It's like an art. Honestly speaking, it changes depending on the size of the network, depending on how much control do you have, how many technical solutions you have, how good your network team is? And I would just recommend you reach out to your auditor before, show them the network diagram before and after how you're going to segment off, get their guidance. Don't assume they're not there to help you. They're not there to failure audit. They're there as partners. We'll help you out. So do reach out to them. It will save you a lot of problem later on. I hope this was useful to you guys and this was completes our foundational phase. So let's move on to the implementation phase now. Thank you. 5. PCI DSS process ( Implementation ): Hi guys, Welcome to this module, which is the second part of the PCI DSS process. Now we finished the foundational part right there. I'm going to talk about the implementation part, which is very important. Now. You've done the foundational, you've laid down all the basics. Now, the fun starts, which is actually implementing PCI DSS within your environment. Okay? So one of the major stuff you will do if you haven't done this already would be to engage UK, USA. Basically, the qualified security assessor. It's a designation which the PCA council gifts to certain people, then definitely they are qualified to perform now PCI suspense and consulting services and audits. To become a PCR, you need to meet certain like education recombinants you to pass a certification and take appropriate training from the PCA council. And then you're gonna be employed by a particular like I've security and auditing firm. And usually they have to be certified this annually. They invited the hierarchy USA. It is an independent third party by organizations who want to compete here, DSS compliant. Okay. And they want to make sure they will come and they will do the audit. They will advise you on how to become PCI DSS compliant. What during the pre-sale audit, the QSIF will determine whether your organization has satisfactorily met the PCF further comments, The Directory, or maybe you haven't mattered, but you put another controls, are compensating controls. If this is enough, then he's going to fill out a ROC and report on compliance, which is like a thick report, and an AUC which is an attestation of compliance. You and him a boat, I can assign that. Then you're going to send it to your payment scheme or your bank for verification. Basically, the three SQS as your friend is not there to make you fail. You're already Zai to help you. If he gives you a lot of observations, believe me, it is in your own benefit to make sure that those are rectified. Okay. A lot of people that just want to pass a PC audit and get done with it. Okay. They feel they've done their job No. Engage with them. Make sure you understand what the requirements are, why he's doing it. Treated like a partner. Okay. Treat him like a partner so that you're able to fully meet the requirement of the PCI DSS. Okay, so now you can get to the Kiva, say all the foundational work we have done now you can have the scope. You segmented off the network. Now you can start working on implementing the PCI DSS requirements. We're going to go into these in detail in the next section. So I'm not going to waste too much time on this. Basically, they are both operational and technical. Always the focus is on protecting cardholder data. We have six categories and 12 or comments and I'm going to go into detail on this. But the PCL or the QS say usually comes in and he does a filamentary like a gap audit. Okay. And he gives you your findings. So this is what it looks like. I'm first-time, I can assure you. First time and you do a gap audit, you're going to have like a like you're gonna be very depressed when you see the findings. They're gonna be lots and lots of findings is going to come in because no matter how much foundation that you've done, all these things you did not know about. You're going to find cardholder data clear in the most like unthought of the places that happens to everyone. This is based on my own experience of doing PCR for the past ten years. Okay. But there'll be lots and lots of gaps. Don't worry, it's a journey, not a destination. So you will make an action plan with a long list of items and start working on this. Okay? Implement a quick wins. There'll be things you can implement right away. Start for working on those and get regular updates, the QSEN, and then focus on the long ones. This is where I told you, remember where you are and what is the desired state. A lot of companies, they have the keywords to do this. You can do this yourself also, by the way, just to let you know or you can have a completely independent company, like a separate company from the USA. Some big companies, I know they have done it like this, okay. Also. So it's completely up to you how you do it. Okay? But like I said, focus on the quick screens and then you're going to have those findings. It's going to take some time. This is where the management support, which I talked about is going to NP-hard. Because if the CEO, the CEO is they're helping you out, believe me, things are gonna get moving. Otherwise, other departments have other priorities. They have other things on their plate day not their job is not doing PCI DSS. You will get a lot of support if you engage with the management support early on. Let's assume you've done it. You fix all the gaps. Now what So now comes the final part, which is the final audit. Before the final, you can test the QC. Okay. Fix everything, come in and let's do the final audit before that happens, gather on your documentation and your security policies, your change control accords, network diagram scan reports, documentation, training on and on. Okay. Makes sure all the stakeholders and align and ready. Don't assume they will just drop everything and come to your meetings because usually the QSEN needs to have like scheduled meetings, book everybody's in calendar, put and make sure that they understand the importance of this schedule, those reporting it makes your senior management is involved also, and the key people from IT, security applications, human resources, legal, all of those guys are there. Habits like sort of a team you can you can make a task force for PCA and you can have that loan lobby companies sometimes do that. Guys, please make sure put aside enough time to remediate findings. If your PCI compliance deadline is 15th of May, don't call the auditor and 14th of May, please don't assume they want to find things. You might find something completely unexpected. Have a buffer of two weeks, one month probably depends on your environment to make sure that just in case there's some completely unexpected findings, you have enough time to remediate them. Now. Congratulations. You've possibly say audit. The auditor is going to fill out the report on compliance ROC or that decision compliance or you might not need this with my digits filling out a self-assessment questionnaire. And you did not need the QSR at all. The reports are the official mechanism by which you, as a merchant or a service provider or a bank, you report your PCI compliance to your financial institution like a payment branded Visa, MasterCard. And sometimes you might need to submit SEQ report on compliance. Sometimes you might even need to submit a Stan. Okay. It it really depends. Like I said, it depends on how it's done. Sometimes you might also need to quarterly submit network scanning histories. Can we'll discuss deciliter. It really depends on the payment when it's difficult to just give you one one-size-fits-all for each environment. Okay? Okay. And now you pass the PCR that you've submitted it. What now? Very important guys, please, you need to implement PCA as a BAU process to ensure that security controls continued to be properly implemented, you need to fix it into your BAU processes as part of your overall strategy, like put it inside the other departments, operational manuals, their technical man who said that? No, they know this is something you have to do. Put it in your own calendar, the standards you have to do, the reviews, they have to do the ad. This is a way to monitor the effectiveness of your controls and it's going to maintain. So even if you're there, you're not there, somebody else comes in, maybe you're on leave. Everybody knows what they have to be doing. Okay? So you can monitor your security controls to make sure and you can make sure that if something is failing, maybe a scan is passing one-quarter is not passing the other quarter. If you have some sort of a calendar, this is a great mechanism to know how consistently are PCI DSS is going if you're passing scans every quarter, disk controllers mature now. So please make sure you implemented as part of a BAU. Don't forget about it and then lecture wake up, suddenly have to do this business. So this is how basically you implement PCI DSS in your environment, guys, like I said, it's a living process. It keeps changing, keeps evolving. The first year will be difficult. The second day you will see yourself improving. Third year you might face some huge challenges. Keep on improving the scope. Keep only, I think with the auditor change your auditors regularly. Don't rely on the same auditor for the next ten years. That's not a good practice. Keep on adding new things to your environment and you will definitely see your environment maturing, it will become more easier. And you'll actually start to enjoy the whole process of becoming PCA compliant. Okay guys, so this is completes the BCR process one. Now let's onto deep diving into the standard and the requirements which I've talked about earlier. I'll see you in the next module. Thank you. 6. Requirement 1: Hi everyone. Welcome to this module in which we're gonna do a deep dive into the PCI requirements. Previously we were talking about the process, about the standard itself. Now they're going to be deep diving into each of the trials requirements, okay? As I mentioned, I'm not going to go over each line of each requirement. Nobody wants to eat to do that. That you can do yourself honestly speaking, the main thing is you should understand the intent behind each requirement and try to meet that. Pca is a technical standard. Agreed. But it gives you a lot of room to maneuver. So let's start with the first comment and let's see. And remember, you can always reach out to your cell. So if you're confused about any requirement, treat him like a security partner. Okay, so let's start with the first requirement which is installing and maintaining a firewall. Just to recap, if you remember a fibers purpose, the primary purpose of a firewall. Why do you put a firewall here? Is to filter potentially harmful traffic, is the first line of defense. And simply installing a fiber network doesn't make it secure, right? So if your fiber is not configured and maintained properly and efficacy not secure in the default state. In summary, what I'm saying is a properly configured firewall is going to be the first line of defense is going to block unwanted network access. You're going to want to put it between your net, your systems and the Internet also within your cardholder network and your other networks also. Okay, so you're going to need multiple fibers. Usually that's how they do. And the firewall is usually when you do your segmentation, you're going to create your zones also. So that's i so when the auditor comes in, he's going to check if he finds out that you haven't reviewed your firewall for the past two years, that's gonna be a problem. If he sees that your firewall is still using the default passwords, like a full access open to the Internet. Nothing at all of those things are going to cause problems for you. Just to recap, we talked about before, remember how the segmentation works, right? So your rules and new environment is going to change over time. It's not going to be static. So you're going to make sure the segmentation is there and is reviewed every six months. Minimum. At least every six months you have to review your fiber, lose maintained it as a documentation, have a report there which proves that you actually reviewed the firewall. Whose guys remember that? Otherwise, the auditor will have no way of knowing whether you're doing it or not. And what are the key actions. So, like I mentioned before, a common mistake, a very, very common mistake that people make is assuming that firewall is like a pump plug and play technology. After you install it, additional effort is almost always required to restrict access and protect your cardholder data environment. See the end goal of firewall is to filter potentially harmful internet traffic and other untrusted networks. So like if you were working in, in e-commerce, the firewall would be there between your Internet and you're coddled environment, right? So you need to, this is where the scoping and all that hard work we did before That's going to come in. So you're going to make sure that all those things are there. You're going to have a denial rule. You're going to have pipe packet filtering unit. Anytime you open a port, they need to reprocess the IK unit opening upward. Was this checked by the teams, wasn't verified. If just one person is doing it, Nobody's looking at it. Okay. Remember you need to put it protected. Any inbound and outbound traffic from the caudal environment. You need to have standards for your firewalls, what is allowed, what is not allowed, and you need to have some sort of a review happening. Obviously, nobody is going to be reviewing your firewall or stealing nobody. Honestly, it's not even possible. But usually what people do is they make sure that everything is innocuous and francium. And they are alerts configured. And like, what do you call somebody who's monitoring it. Okay. If you generate a report, I think it generally comes like a three hundred, five hundred rules will come up in a small environment. So that's not even remotely practical, but the auditor is going to check the IU making sure your firewall is not just something you just put it in once and forget all about it. They are like reviews happening, standards are happening. It's being reviewed, it's being monitored, and it's properly placed. So it's going to look at where the fingerprints, the fiber network diagram also. So keep these things in mind and the fiber kilometer is pretty straightforward, I think honestly within your body calls security moment. It's funny. It's one of those things that should be there anyway. But the difference between PCA is how much effort they put so much focus and ports, the regular reviews and your due diligence happening. Running security rule is all that is needed to compromise your firewall environment. So all that I have that concept of trust but verify because the firewall makes sure that they're set up any reason happening and it's a perpetuity, the traffic is blocked. Okay. Make sure you have personally fibers also on your laptops and your PCAs, your mobile platforms. Okay. So it's not just a corporate firewall, make sure the firewall security is consistently applied across your network. So that's pretty much it. It's a straightforward or comment an ID and you can look at the standard to see what are the details like denial. And one of the things that should be happening, just make sure those rules are there. And you're reviewing and monitoring your firewall activity. 7. Requirement 2: Hi everyone, Welcome to this requirement. In this requirement we're going to do over the second one, which is configuration standards and about basically hardening and standardizing, standardizing your cardholder environment. If I was to tell you like one word to describe this, or two words actually to describe this requirement. It could be default settings. Traditionally, any or device, your router or your firewall, your server, it comes with certain default insecure settings, right? So PCM mandates that we have to make sure they are. They don't remain on their default settings and they are secured whatever you're putting in your Caldwell environment. It has been secured from its default. Setting. The easiest way for a hacker to access your internal network. Certified dry default passwords or exploits based on default settings, software settings in your Payment Card Infrastructure. You wouldn't believe that. I've seen many times merchants, they don't change default passwords for the point of sale machines or the cash registers. It's like you have a store and you've left it unlocked at night. Okay? So the vast majority of times it's default passwords and settings for network devices. They are widely known on the Internet. This information provided with some very freely available tools. They can give attackers unauthorized access very easily into your environment. You can secure it as much as you want. You can put as many followers as you want. But if you do, I haven't put in the move those default settings than you left the window open. You've locked the door, but you've left the window open. So what are the key points? How do you make sure that default passwords in different settings are hardened upon installation? Are you using those default password, 123 MVC, you know, the standard passwords. Is there a process present the auditor is going to look at is there anything present with which you can harden your standard IO falling some standard. Okay. Do you know that all the systems that do have like an inventory, like some automated way of finding out how many Southerners are there. What if you have like, you're supposed to have 50 servers, but we have actually a 100 servers and those 50 remaining, they are actually not secure. How would you know about that? Okay. On standards present value falling any industry standards. So these are the things you need to keep in mind. What are the key actions to take? Consistency is the main thing here. If you take away anything from this standard, it is consistency. So once you hadn't a server and you make, you have to make easy supposing you've created a harding standard, right? You say I'm going to follow the CIS benchmark. Okay? You have to apply to all environments and the customer consistent manner. So once you've configured the system and you've made sure everything is there. You have other work to do, right? You have to make sure this inventory is current. It's actually mapping to the environment. A lot of time people use some sort of automated system. Nobody is gonna do it manually. Okay? So that way if there is some system, system in the caudal environment which is not approved for use. It can be discovered, Wait. I usually use some sort of a system management software to assist in getting this inventory. They can report on the hardware which is being used or the software which is there. And as new devices are being bought online than they can enforce standards, okay. Admin will get an alert if your system isn't compliant with your internal standard. Usually a lot of times I've seen company using tools. Okay. So you need to have a secure way to managing the environment and inventory of everything, all the hardware and software and documented configuration standards. You don't need to make them from scratch, use something like the CIS benchmark, okay? And you have to have some secure way of accessing your systems. Makes sure that everything default is removed. How do you do that? There are many tools available, okay. Usually, it looks like this. Okay. So you you bring up a server or a firewall or an appliance in any city or state, your team is gonna do some hardening. They're going to do some scanning. They're going to look at the report. It's going to tell them, Okay. It's not hardened up as per the CIS benchmark. This password is there, these things are there. All these things are password settings are not there. You know, the basic part password settings complexity and all those things. Those are not there that the administrator's going to do the work and they're going to harden it. How do you enforce that consistently? Usually, people use something like a golden image or they have some sort of a script, toggles everything. And on top of that they have a scan which is happening consistently. That scan is happening and checking for any non-compliance. So you should have those tools in your environment. The auditor is going to take a look at that and make sure to find out if there are any deviations from your standards, okay, you should have a process to address that. So make sure those things are, they're just said, just remember no default settings or hardening and standardization and a monitoring process to be there to make sure that everything is standardized in your cardholder environment. Okay, I obviously this is pretty simple. I'm sure you might be thinking this is already there. Well, if it's already there, then formalize it and look at the requirements if there's anything that you're not meaningfully. Okay. Thanks guys. I'll see you in the next video. 8. Requirement 3: Hi everyone, Welcome to this module. Now, this is quite possibly the most important requirement for PCI DSS are a lot of times when people talk about PCI DSS, they're talking about this particular requirement only because it basically captures what PCI DSS as n. It's one of those unique things which PCI DSS has. Okay. And I'm talking about the protection of cardholder data. I don't remember what I told you earlier about not memorizing any requirements. It doesn't apply to this one. You should definitely know this requirement inside out because this is where the auditor is going to focus the most. Okay. This is where if you goof up and you don't follow it properly, you could potentially failed audit. So this is very, very important. So when we talk about cardholder data, basically we are talking about any information printed process, transmitted, or stored on a payment card, okay? If you are like accepting payment cards and you're expected to protect that data, whether it's printed or stored on a database or internal public network, or maybe a cloud. So the essential parties know where you're storing that data and what you don't need to not store it. And have some way of finding out where you're storing that data. You don't want the auditor finding it. You want to find it out yourself, okay? So those are the things. So PCI, DSS is very, very clear about what you can and cannot store. And you should know what you're storing, where you're storing, how you're storing it to make sure you are falling PCI DSS standards. So just to take a look, when you talk about carnival, the elements, what are we talking about? There is something called the account number, the cardholder number, basically the pan which we will call it, That's a 16 digit number. We have things like the cardholder name, the expiration date, the service code. On the back you have to track to data, the magnetic stripe data, and you have the CVD code you can use for e-commerce transactions. Basically, when you're storing this data, it has to be protected. Then you store it was showing this data. It has to be protected when you are printing the Delta, it has to be protected. The problem usually comes as people, unknowingly, they end up distorting and not protecting this data, which is where the vast majority of problems comes in. So what does PECSA and see like what should be stored? Okay? First of all, so it divides the data into two elements, okay? You're talking about cardholder data and sensitive authentication data. Okay. So your pan, you're cardholder name exploration service code, that is cardholder data. You can store it, but you have to protect it. And the other one which is sensitive authentication data like the data, the CVD code, the pin and the pin block, the pin, the pin you put in when you're doing a transaction that is sensitive authentication data or SAD, do not store it. If you're not, you do not have to store it after the transaction is authorized. Okay. Then the vast majority of times, those big compromises which happened, malicious people, they can, they find out this data being stored and they use it to reproduce your card and conduct a fraudulent transactions. The CPP code is you notice that three digit code that you use for e-commerce transactions card not present transactions. So the pin block is of course the pin which you are using. It, it becomes a pin block. It gets encrypted. But even if, even if it's encrypted, you cannot store it, guys, to just remember this, I think things you can store if it productions. So I think things you cannot store, okay? And this is the main thing you have to keep in mind if you are storing the Guardiola name and what do you call if you're storing the pan, you have to encrypt it. Or possibly if you're showing it, you have to do other things. So I'm gonna, what I'm gonna do is because they have many, many ways of doing it. What do you call protecting it. Then you're storing it when you're showing it, when you're printing it. I want to go one by one. What are the steps which PCA tells you? So firstly is masking or what is masking videos usually when you're displaying it on screens or receipts of printouts. It's not to be confused with the other requirements like storing, okay? So when you're showing on the screen, when you are vertical and that person does not have a requirement to see it. Okay? So what you can do is you can mask the pan, basically you can XXX way the card numbers are. Apart from that, you get the maximum. You can show us the first six and the last four. Everything else you can simply mask out. So you can see this is the storage tank. When it's being shared on the screen you can completely mascot, okay, we're not talking about how the data is stored. We're talking about when it's being shown. Okay. When people Missy's computer screens and when there is no business need to view the entire pan sometimes like your call center agents or some other people, they might have a neat to see the full pan, okay, you need to document that. But nine times out of things you don't have a need. Okay? So it basically conceding certain digits during display, even a holiday, regardless of how the pan is being stored, you can mask the taste. Okay, So the first step is masking. Find out where you're going need to mask it. And actually, masking should be the default only with somebody who has a business requirement. If your system has the ability to mask it, I just turn it on across the board after you check with the business. Okay. So this was the first one which is masking. The second inverse is truncation. You can also truncate the data when you're storing it. Truncation is similar to masking, but there you don't XXX our data, we simply discard those digits. So you can see here, this is a full pan number. And when you are storing it in a database, you could use simply discard it, okay? So basically it makes the card unreadable. Removing a segment of that data. And it usually is used, I've seen it being used in databases and files. So even if an attacker is able to get access to this day, they can't do anything because those digits have been removed. Sometimes companies can use this as a method also. This is more on the storage, okay? Okay, What else is there? You can do one way hashing. Then you're storing data. What is the one-way hash? It's like a cryptographic process. It takes your data and it converts it into a different type of string. So every time you do it on a pan, it's going to show a different result. Why do you call it a one-way hash? Because it's still reversible. So you can't get that vertical from the hash. You can't get the card number back. Okay? So a lot of time people use it to check if data has been modified or not, but you can also use it for storing it, okay? So it basically, you are creating an irreversible one-way hash of your data. It's up to you if you want to use this process. I've seen it being used. Just remember you cannot go back from that hash. You can't use it for future transactions, okay? Because that data is being irreversibly changed. Like sometimes we need candy you don't have to store, like you do is no need for masking. It isn't only for truncation and you don't need this data, you can store it as a hash. That's one way as possible. So we've talked about truncation guys just to go back. So this was Caucasian. When you're storing it, this is hashing. Now you know the difference. One thing very, very important guys. You cannot store truncated and hashed versions of the same payment card. Virginia caudal environment. Okay? Because what happens is these can be correlated. What do I mean by that? If attacker has access, what do you call to the truncated and that band and the hashed versions of record number, they can actually get back the original plan based on these two data. So when you're storing it in databases and flat files like spreadsheets or maybe like backup audit logs, you might have to protect it and do not store them together. Okay. He was one of the two, but do not store them together. A lot of people's I've seen sometimes they forget about this requirement and it's truncation and hashing is being done at the same time. Please do not do this. Okay, what else is there? Tokenization. Tokenization is a very simple process. What happens is sometimes you've seen that when you hash it, you truncate it. The 16 digit format changes, right? It's no longer as 16 digit number. Tokenization is a process that replaces the original card number. Another 16 digit number. That too it's called a token. The token may look like a legitimate cardholder number, but it's not, it has no value to an attacker. Ok? So usually what happens is this is reversible, so you can do tokenize that you have something called a token volt. So with the form that token, you can back, get back the original card number, okay, you can get it back. So tokenization, usually I've seen it, It's being used when people just want to store card holder, cardholder data for future transactions. But they want to make sure it's secure and they don't want that format to be changed. So I mean, you can there are multiple ways of doing it. You can do it from the pan. You can generate it randomly. You can have a token, a token vault being created, which is the tokenizing and D tokenizing data. There are multiple ways of doing it. Just understand the token it preserve storage, format the 16 digit pan, and you can reverse it so it can tokenize and D tokenize it. Sometimes your databases, they can store large amounts of data which would come out if you're hashing it and they need a 16 digit number. So tokenization helps you out. Tokenization also sometimes I'll even taking it out of scope. But there's a lot of work to be done around that. So this is the basic difference between tokenization and other functions. Lastly is encryption, which is the most common thing. Encryption is a bit similar to tokenization in that Japan is being replaced by other data that has no value. But encryption is somewhat different because first of all, it doesn't preserve the original format. And it uses a key manager like a wall with a cryptographic key. And it uses like a key manager because your kid, it uses a key and an algorithm to generate a huge number, which you cannot get back the original card number from that data. Okay? So typically the data size increases like it doesn't preserve the original format. So it's really up to you what you want to use. Some people prefer tokenization because they want to restore that format in the 16 digit of some people prefer encryption. Usually depends on your business requirements. Just know one thing. I talked about a key like you need a key to encrypt that data. So that key, you have to encrypt that key also with another key, and you have to store that separately. It's like you can refer to the requirement. Just know when you encrypt data, a cardholder data, you have to encrypt it with a key and you have to protect that key also, you have to encrypt that key again. So just remember that when you're talking about encryption, I know it's a lottery ticket guys. Just go through this, revise it and slowly, slowly you start to understand it. You don't have to implement all of these things are number that you can just make do with encryption or hashing or tokenization. Just know these different departments. Okay? Then you talk about, like I remember, I talked about finding our data. So you need to review your data sources to make sure that the NADH storing cardholder data unencrypted. You don't have any sensitive authentication data. Look at your transaction logs, the transaction data, your trace. Try as you know, sometimes people turn on tracing for troubleshooting. A lot of times that starts storing unencrypted data, okay. Look at your database schemas. Schemas might show you if there's any card number there. Okay. Look at your backups, any existing memory crash dump files. Okay. Your DLP, lots and lots of things are, they're just starting from the left. You can look at your payment terminals, whether you're mastering or truncating all the data you are storing any sensitive authentication data. You're not storing any data undetermined. Look at your screens and reports. Okay. Is there anybody who has a requirement to view data, cardholder data, if not, just muslin truncated on the reports, can use this extremity, this desolate data. What if you can stick it out? Okay. What if somebody has remote access, they can stick out this data. Do we have any DLP controls? What about databases and storage? Okay. So when you're storing that data, do we have a proton encryption there? Is there any sensitive authentication data? Usually people, what they do is they have some sort of a tool that scans the databases and it gets them report. You cannot do it manually. There will be millions of records, you cannot do it manually. And lastly, file share. A lot of times file shares or a blind spot. People don't know that employees are putting cardholder data in Excel sheets or what he called flat files and they don't know it and suddenly doing the audit, it comes up. So make sure you're scanning those also, and made sure that it cannot be exfiltrated out. These other things, guys, I've spent more time on this because this is very, very important to know. So key actions. Find out first video cardholder data is don't just use the technical method, talk to the people also, draw cardholder data diagram. Sit with your business and find out what the flow of data is from the point that data is captured, the cardholder to till such time it's authorized and stored. Okay. So you'll find it in databases, file shares, even e-mails, you'll find it a cloud outsource providers. And lastly, I want to talk about, okay, what if you can't implement PCA control soviet? I want to keep this in mind. We're going to talk about something called compensating controls later on. So that is something you have to keep in mind. What if you can't encrypted because it's a legacy application, right? So what are you going to do that? So this is something I want you to keep in mind. Okay. What does so you need to have a data retention policy. Maybe you don't need to stop cardholder data after 30 days, okay. Just delete it then there's no need to keep it. You should have a data flow diagram. The auditor is going to ask, how do you find out, first of all, where your data is stored? Do we have some sort of a tool which is regularly scanning your servers, databases, laptops, and most important guys, please do not store sensitive authentication data. After your card authorization is done. Remove your truck to data or MOOC. We don't stop in blocks masking out pines on customer receives. And if you are storing it, the cardholder information, then please mascot or truncated or security to encryption. Make sure that it's the databases or their storage is accessed by as few people as possible. Okay. So this was the requirement, guys. I hope it wasn't too much. Just take your time, go to the standard. The main thing is find out where your cardholder data is and protected accordingly. Then don't store data unless you do not need it. So just go through this model one more time. It will revise. So you have a better idea of it and make notes and then try to implement it within their environment. I can guarantee you. If you are in the card business, you will find cardholder data where you did not expect to find it. That's a common thing. Don't don't get scared by it. Just make sure you have a process to remediate it going forward. Okay, guys, I'll see you in the next section now. Hopefully, you got a better idea now and I'll see you in the next module. 9. Requirement 4: Hi guys, Welcome to this module. This module is relatively short. It's pretty simple, which is securing data, open and public networks. This is pretty simple. I think. I don't think I need to explain this too much but calculate it. I mean, if you're sending it over and open and public network, you have two encrypted, right? You don't want people just looking at this data. This is going to be sending it to a third party processor, maybe backups, maybe over the Cloud. And most importantly, cybercriminals can maybe intercept this transmission over Guardiola data. So it's important to put in controls their encryption can use it. You can put any encryption using strong cryptographic unit TLS and all these other controls. You might have point-of-sale terminals, which are sending data over the internet or wireless or GPRS. You have encryption over that, over your violinists and other cellular technologies. Okay. And what about messaging? Like email, instant messaging, SMS, chat. You can send cardholder data with that also. So you need to put in policies, you need to put in controls like DLP. So it's very, very important to have those things. There is some mixture of technical and operational controls. You might think It's very simple, but believe me, especially if you're using point-of-sale terminals, a lot of time what happens is point-of-sale terminals they using old versions of TLS, TLS 1.1, and we're not using the newer versions like 1.21.3. You need to make sure that you have a plan to migrate them. Just build off the dataflow diagrams we talked about earlier in common three, you will know the cardo date it is coming from NBC being sent outside. I want to make sure it's encrypted. When being sent over open public networks. You don't want to make sure that those encryption or they're having in-house policy not to send clear card numbers over SMS, over chat, over Slack teams. Please do not have that. Okay? You want to check your point-of-sale terminals to make sure they're encrypting get appropriately. If you're not maintaining them, you have a vendor reach out to the vendor and make sure those point-of-sale terminals, they're not susceptible to any known exploits, like standard vulnerabilities. Usually it's the vendor who tells you you can do your own testing. Also. A lot of times what these companies do, they make sure their point-of-sale terminals are already certified to PCI DSS. You can check the modal number. You can go to the website and actually putting the mortar lumbar, putting that version and see where there is lifestyle certified to is usually called the pink transaction PDF Standard. And I think there's one more standard, but you can check it on their website. It will tell you right away whether this device is secure or not is certifying data as per the PCI DSS standard. This is pretty much what it is. You guys make sure you have an inventory of all your data which is sending get out. Lot of times it's the point-of-sale terminals. Make sure you have control over your end-user messaging like emails, slack time, whatever you using. Those controls have to be there to prevent cardholder data for being sent out over the open public network. Okay, that wraps up this particular section. And we'll lastly, just make sure you're not using TLS 1, disable all those insecure protocols. You don't want to be using those early implementations of SSL and TLS because that's very easy to compromise. It's not considered to be secure. So check with your point of sale when their point of BI vendor and have some sort of a plan. If you find out that your point of sale devices are using it, you need to have a risk mitigation plan and a migration plan by leave it in the next 12 months or 18 months, I'm going to migrate everything to TLS 1.2 because believe me, the auditor is going to ask you that. Okay, that wraps it up, guys. I will see you in the next module. Thank you. 10. Requirement 5: Hi guys, Welcome to this section. This requirement is, I think distributed easiest for you, which is talking about if you don't have this, then there's only a bigger problem than not being PCI DSS certified. This requirement deals with antivirus, anti-malware that needs to be installed on all the systems commonly affected by malware. You need to make sure that you have an antivirus solution there, which is on there, that everything within the cardinal environment, you want to make sure it's there. It's regularly standing, is regularly up-to-date. And you should have a process to find out if there is some new attack happening. How will you find out if there's a zero-day exploit happening or some malware is there suddenly affecting all the systems? Do you have some sort of a way of finding out what's happening, what are the alerts coming in, okay. So make sure usually a PCSS that implement anti-malware on systems which are commonly affected. People take it to be in Windows, but you should put it on Linux also, lot of the Linux server flavors which are there, they do support anti-malware. Make sure it's there. Don't get lazy on Linux. And made sure that you have implemented anti-malware across-the-board. You're scanning it. And what happens. A lot of time people like they put an anti-malware, but if an alert comes, nobody's looking at it. Okay? So you want to make sure that those alerts are going somewhere in some ways actually taking an action based on that alert so that window of compromise, it needs to be very short. Those things make sure that your antibodies is up-to-date and it's sending alerts. Okay, don't assume anything here. Like I said, the key points are deploying antivirus on commonly affected systems and non commonly affected systems also, please guys, if you have some sort of like Linux or some other thing, if there is a possibility to implement anti-malware, please deploy. Don't get lazy, okay, make sure it's getting updated if set to scan automatically and if anything happens, those alerts are going somewhere. Okay. Your definition should be current. It should not be able to your IT administrator but can't just go and disable antivirus white, make sure there is a segregation of duties there. And you should make sure some sort of practices there that when you call them to regularly assess systems, like maybe you have an old legacy systems AS 424 tandem HP don't stop all those old systems which a lot of people don't use anymore. But have some sort of a regulatory risk assessment being done to find out if there are any industry alerts coming out. Maybe there's some new virus has come out recently which you don't know, and it's affecting those systems. So please make sure those controls are there and that is documented, that they can give that auditor that assurance like usaid that you have a process is dead and you are going well above and beyond. Okay? You're looking at the industry trends and you're putting in controls that have to be there. So this is a pretty easy standard to meet. I don't think any difficulties should be there. Usually people who run into problems when they're looking at those legacy systems. But apart from that, I think it should be straightforward to implement. Thank you guys. I'll see you in the next module. 11. Requirement 6: Hi everyone, welcome to this lesson. And in the view VHDL, we're halfway through the array to cram and six, which is developing and maintaining secure systems. Okay? And this is one of those departments which a lot of people hate because it has to do with patching. Again. I don't think anybody likes patching, but unfortunately, it is a mandatory part of any security system. And you need to, you need to have a system in place as propitiate to patch vulnerable systems. Why do you do that? It's pretty simple, right? Security vulnerabilities in systems and applications. They can allow criminals to bypass controls and access cardholder data. Most of these vulnerabilities can be eliminated by installing security patches. When they provided patches, we went from Microsoft or your third party vendor. And it's like it plugs into the security hole and what we call Asper PCIe. All critical systems, they need to have the recently released software patches installed within, I think it is as soon as possible within 30 days. And other ones you can do it within 90 days, but this is really one of the most difficult things to accomplish. You can understand why. Because critical servers, servers are very critical and you can't just have downtime happening. And at the same time you have attackers who are paid, possibly exploiting this. And it becomes more dangerous when it isn't. One interesting thing. So like you need to have a very strong patch management process in place for implementing critical security patches, guys, it is one of the most difficult and most important to comments and PCI. Okay? So what do you have to do? Well, you have to make sure the patch management policies in place and have a process. How do you know that some critical patches come in? You need to have that also a change management process has to be there for any chemical changes. How do you know that your changes are not introducing any new new security issues, right. And like I mentioned, have a month, one month, what we call installation there. Sometimes the companies cannot meet it. You need to have it than other compensating controls in place. You need to have a system for patching quickly, deploying patches on test environment, and then rolling it out to production. It is very, very difficult to meet, I know, but it is something from your security posture. Pci, DSS can actually help you out here because IT, IT teams can sometimes become lazy when it comes to implementing patches and PCI DSS will really help you out here. And it will help you to push the technology teams to implement patches as quickly as possible. This is more from the OS perspective. It applies to applications. Also, you will have application level patches coming in. But from the application side, requirements six introduce a certain new things which I need you to be on the available about understanding. What are they. So when you develop applications guys, your developers, they need to have training on application security vulnerabilities you will be familiar with, all right? It's likely a common standard for application security. They should be trained on what these vulnerabilities are. At the same time, your source code should be reviewed. Also. You should have some sort of a thing in place which actually is reviewing your code, letting you know if there are new vulnerabilities here and your development and drama, it cannot have any live cardholder data. Sometimes people do that for testing. They put Guardiola environment in testing or UAT or something like that, please. You cannot absolutely cannot have the thing happening. Okay. And then when you move to production Raman day should be a proper change management process there. If it's like an internet facing application, you need to mitigate. How do you mitigate that risk? You can either have a web application like a pen test happening, okay? Like abstract happening, which if I let you know if there any vulnerabilities or you can have a web application firewall, you know, I'm sure you must be aware of that. Ideally, I would recommend both. I don't believe that one replaces the other. You should have a vav and you shouldn't have an application security testing happening dies. So all of them work together. You have to understand, you're doing code review, your training developers and CCA-secure recording techniques. You're making sure no cartilage, there is datas than testing or UAT. You making sure the proper chain management is there. And then you have a web app scan and apps the coupling. So all of these really helped to mitigate the risk of some issue happening somebody, you know, how common application level vulnerabilities are there, right? But all of these, if you implement them properly, they really go a long, long way in mitigating application security risks. And they really helped to bring improve your security posture. Okay. Moving on guys. So what are the key actions which are there? Just to remember, you should have an application security policy formulas and distributed to your developers. You should have a secure coding training happening and a code review. Something which lets you know if there's insecure code and it doesn't let it propagate to production. You can use common commercial tools are there which really help the developers. You can have like open source tool also. Thirdly, how do you know if there is a pan in the development environment? You need to extend your scanning there. You need to make sure that there is no Only mask or like a interrupted or it has not even encrypted. You only master truncated or like completely numbers there. The development environment. Like I mentioned, you should have a Web Application Firewall plush and application security pen testing happening. And of course the chain management. So remember applications security will never ever be perfect, okay? They will never be a time to say now my application security has become perfect. I can stop it. No, no. That's why you have to keep refining this process. It only takes one security hole for the attacker to come in and to compromise your environment, right? So patching and application security, all of them but got together. This is one of the more difficult to comments, but it has one of the most benefits to your security posture posture if you implemented properly. So I hope you understood now, As all of this works together, like I said, I'm sure you will find in secret applications, you will find like old Windows versions which cannot be patched. So you need to take it into account. Either remove them from your current environment or put in other controls. They always ways of doing it. Many times I've seen applications which are running on old legacy applications. You can maybe visualize it, you can containerize it. You can put in some, in some sort of like a Citrix, something that's encapsulated, set or removes the day. A lot of ways of doing it reach out to your USA and I'm sure he will help you out. But just make sure that you are aware of these vulnerabilities and they don't catch you on a vase, okay. Okay, guys, I'll move on to the next recommit. Thank you. And I'll see you in the next lesson. 12. Requirement 7: Hi guys, Welcome to this lesson. This is one of them easier to comments, especially after the last one. And this has to do with restricting access, okay? Basically, if you're following the principle of least privilege, if you're not following, you should be following it. But if you add them, this becomes easy because your cartilage damage very sensitive. You should have something like a role-based access control, which makes you sure that only the people who have a legitimate requirement to view cardholder data is doing it right. You don't want your advanced user accounts which don't have any reason to look at cardholder data, they're coming in. So PCA, it requires an up-to-date list, like a role-based access control matrix. I'm sure you will have that matrix, right? You should have that. The auditor is going to take it. That list doesn't have each role. What role does what sort of things that has access to, what's the current privilege does it is it really needed? So based on that and you should be regularly certifying this, right? You should be looking at does IT have access to, I don't know, like they do programmers have access to production, right? Do system administrative access to application database writer, should they have that right? So these things you need to, you need to document it and you need to formalize it. On top of that, you need to be having regular reviews happening. So yeah, this is what we need. What are the key actions are written policy for all like detailing access controls, documented access control. You should map it to the job classification, right? So if there is like an Network Security Administrator, you should not have access to your production database, right? Why would you need access to that? Makes all those words in public should be defined least privilege, that is the key thing here. And you should have a detailed written policy only these grows will have access to cardholder data. Only the database administrator can have read access to the database and all these things. This will really, really help you out and you should have these regularly on a quarterly basis, on a daily basis, make sure these are being reviewed and recertified from all the users. So this is a pretty simple economy to make. A lot of companies have seen they already have some sort of thing in place, either manual or automated. So you just need to formalize it for your card holder environment. This wraps it up for this requirement. Let's move on to the next one. 13. Requirement 8: Hi guys, Welcome to this particular class. And this is one of the, again, rather easily requirement to meet if you're following good security hygiene already, which is using uniqueID potentials. So PCS states that basic good credentials like your parser should we change every 90 days, which should have length and complexity. Previously used to be seven characters now they're finally updated it. But if you're using something like Active Directory or a single sign-on, usually they do enforce strong password policy. You don't want to have a password which can be easily broken by a hacker to automated tools, right? Because computing power keeps increasing every year, computing power is getting more and more powerful. Brute forcing is becoming more and more easy. So you need to have complex passwords, make it very, very difficult for an attacker to compromise it. Okay? You don't want to have standard usernames, don't have administrator or KPIs leading him that I still see those people using some very basic stuff. So you don't want to have these things like which can be easily broken through social engineering attack or a brute forcing attack. Okay, This is very basic stuff, but it is so important that PCAs made it a separator climate. Another very important topic guys is MFA, multi-factor authentication. If you don't know what it is, like, I am sure you must be aware of it, but in addition to the user ID and password, you need another factor for, in PCI DSS for remote access or administrative access. So this can be something you have like a onetime password, like a token or something you are like a bio-metric, you know, like this can be things like something you have, can be a smartcard, physical, logical security token, onetime password in your smartphone, okay. And something you are would be a bio-metric like fingerprint retinal scan, pumps print, iris scan, any other thing which is unique to you from your biological perspective. So you can use one of these two in addition to the user ID and password. But remember, they have to be independent of each other, like if one gets compromised or there is not affected. So for example, if your smartphone is compromised rate and an attacker gets access to the onetime password OTP, he still won't have access to your user ID and password, right? So they have to be independent of each other. So remember that in this particular comment, you should have administrative access for remote access and multi-factor authentication for remote access and multi-factor authentication for your administrative access. 1 to note guys, this is going to become much more tougher NPCI version four. Okay, I'll get into more detail in another section where we're going to just discuss the PCA version four requirements, but just keep this in mind. The council is making this a little bit more tougher now going forward. Okay, So what are the key actions to take guys? Definitely you should have a password and MFA standard across the board consistently enforced. This is the p-value. These are the minimum positive comments and these are the MFA requirements for demote or administrative access. Make sure your remote accounts. A lot of times you got access to vendors, business partners, consultants, right? And they have to be monitored and disabled when they're not in use. You should only have them. Then as and when they use. A lot of people put in third-party applications like VDI or something like that. I mean, it's up to you how your environment is configured, but just have that in place. And that will really, so basically this is like a simple common sense requirement. I'm sure a lot of these things you will already have. If not definitely, you should be having MFA for your administrative environment, especially if it's the cardholder data environment. Definitely have that enforced. Okay guys, So that wraps up this will comment. Let's move on to the next one. 14. Requirement 9: Hi guys. Welcome to district comment. It says like one area which I always think of it as a blind spot, which is when it comes to PCI, DSS, which is physical security. A lot of companies, they put in a lot of technical controls, but they forget the physical side of things like printouts, reports. Lot of companies, you know, they have back-office is whichever repeat billing like they save the card number. They keep physical copies of current card. And you won't believe these are openly available, right? So you need to have things in place to protect things like data theft and sensitive access to sensitive areas. You should have physical security policies and procedures. You can only keep like for example, only keep confidential information. Workplace secured them in a locked area. Outsiders can't just walk in. Non-employees have to wear badges, are not storing sensitive information. The open V in my, one of my companies we used to clean the streets after office hours. We used to go and check that everybody has clean up their desk, right? There's no sensitive information there. So these are controls which are common sense, but they unfortunately that you get missed out for some reason, right? So what are the things you need to have? It need to have a proper physical security policy highlighting which other sensitive areas. One thing I forgot to mention is your network jacks, right? You don't want like people just plugging in their laptops and connecting your target environment. The physical media or backup and other things should be secured and strict control should be there. What if somebody cannot compromise the environment? What if is able to access gag, get access to the backup tape, right. Which has all the information you need to have like a put it into security, are clearly marked for that. Documents should have things like confidential to be shredded and you have to be able to destroy media, right? Diego said destroy it based on its classification. A lot of these things, again, they probably are doing, but you might not be extended it to your card holder environment. Make sure they get extended. You should be coordinating with your physical security teams to make sure that you have proper training is happening. Sensitive areas are cordoned off. Not every employee can just walk into your light sensitive areas. So all these controls Metrodorus unforced to have proper cctv coverage. It should be a mixture of preventative and detective controls. Basically the same things you put in your environment, right? Your technical environment like segmentation. Segmentation, you block off that area. Cctv is like an auditory and white badge and password badge and pins. They are like MFA. All those things, you just replicate it to a physical environment. One unique environment, guys, if you have like point-of-sale terminals, like point-of-sale machines. You should have a complete inventory of that. You should have an up-to-date inventory of those. You should know where they are. What's the physical location, serial number, naked model. Why? Because it should be inspecting it. What if somebody has tampered with it, but if somebody has replaced it with another C, then another environment, usually a lot of companies they maintain like advantages of it, right? What if somebody has gone in, tampered with it, injected some device and you don't know about it, right? You can do it basically, could do it every day, every month is based on yet like what sort of level you have, okay. You should have cctv coverage. Those, these are very subtle devices, okay? Make sure that top it's completely restricted. And you should be providing awareness for staff who are interacting with these things on a day-to-day basis, like a cashier, who is who has that point-of-sale type of machine, right? You should know if somebody has replaced it. If there's some device there, you should be able to know if somebody has like, you should be able to check the serial number. The basic physics. These are simple things you can have like a video training. You can visit physically and teach them and like, but just to make sure that the risk of substitution, somebody substituting the device when something or there's some other device maliciously or like tampering, tampering with that device, putting some other device on top of it. Those that vest has to be mitigated. From the perspective of PCI DSS. They are like many, many common trainings available even from the PCAOB website, you can find it. It's like a unique thing from PCI, the other physical controls you might already be doing. But this is something unique and you should make sure you have it in your environment, okay? Okay, that wraps up this recommit. Let's move on to the next one. 15. Requirement 10: Hi guys, Welcome to this lesson which is now we've reached almost the end, which is a common ten, logging and monitoring. Logging and monitoring. You know, it's one of those things which almost a lot of companies do. Almost every company does, but very few companies do it correctly. Because what happens is a lot of times they're just recording stuff. But nobody is taking any like intelligent action based on those alerts, right? Sim solutions, you got security information and event management. You are sending all the logs there, but you're not really looking at creating actionable alerts. You're not really refining same things. You need to capture everything which is where within the cardholder data environment, PCI actually has like a minimum list of events which should be captured. Okay? Most systems software generate logs securing operating system, browser pause, firewall, all of these things you should be capturing, okay, So make sure those things are there. Whether you have a SIM solution or some other thing, you need to be capturing everything. And I having actionable alerts based on that. Okay. So what are the things we started is going to be checking is gonna be checking whether you have an automated audit log tracking for all security events. How are you doing it? Is it like if somebody you're not going to have somebody looking at it and essentially write some automated system. Is there you have a process to review logs and security events daily. Usually it's like an SIM solution. Maybe you might have a SOC team, or you might have like shifts, or you might have us take a system administrative gets alerts. It really depends how you're doing it. You might have, if you're doing it in the Cloud, you might have automation, but the process needs to be there. Your audit logs, they need to be there at least one year and the last three months. They need to be online logs. You should be you can't have be archiving the last 90 days, okay. You need to have it online. And what are they eventually to be capturing PCI, DSS is very specific about it. Like admin activity is failed logins, changes to account privilege escalations. And you should carry capturing what they knew who the user was, what the event was, what the date and time, whether it was a success, what a failure where it happened, all those things. You'll easily find it within the standard. But make sure you're capturing it. Make sure you have those slots available and test it out. Don't assume that you will have these logs okay. A test it out and make sure that you have those events being captured. A lot of SIM solutions, they already have predefined templates for PCI DSS through it should not be that difficult. Just make sure those are turned on. That this one was pretty straightforward. Let's move on to the next. 16. Requirement 11: Hi guys. We're at the second last requirement, which is conducting vulnerability scans and PET is okay. Why do we do these things, guys? So simply put, these, you need to find out what are the weaknesses within your environment, right? You don't want to wait until an attacker comes and compromises your environment, right? Vulnerability scans and PTs are one of the best ways to find out what type of attacks you're susceptible to. Va is like a vulnerability scanner is an automated high-level scan. Okay. You just run a scan. They usually have it. You have some sort of a software that scans the environment, gives you a report, right? You have to run this internally and externally on a quarterly basis. And PT I'm sure you already familiar it's like a detail hands-on. Usually there's a real person there who tries to detect and exploit weaknesses in your system. And this, again, this has to be internal and external, both in your environment. Pcr requires these things to happen at multiple layers, okay? You can just do it in one layer and call it effective. We'll go into detail what I'm talking about, what sort of layers I'm talking about before we go. One thing very important guys, if you have public-facing Guardiola environment, right? Public IPs. Pcr requires businesses who conduct like external via scan and they call it and ESV scan to find out if they have any potential flaws. This you cannot do it yourself. You have to be done by a company called an Approved Scanning Vendor is called an ASP. Okay? You cannot do it yourself. You have to leach out to this company. So what happens is because you will be charged to this company and they will do the scan on a quarterly basis. You have to remediate any highest high vulnerability. So you have to keep on doing it until you pass. And they will give you a passing scan. And usually that you have to submit to the car schemes or to the blank. So this is not something you just scan it and forget about it. You have to do it on a minimum quarterly basis and you have to pass it. That is one of the most important thing. It's usually a very good requirement because public facing is like a high-risk environment. You need to be able to scan it and know what the vulnerabilities are. Okay, so just keep this in mind. Your bank or your payment scheme usually will tell you whether you, we talked about the obligations earlier on rate. So your bank or your payment brand will tell you if you are required to do this or not. But remember, I told you we have to do it at multiple levels. So this is what I was talking about. Just take a high-level view. If you're looking from the internet, you need to have ASP scans happening and a PD happening. Okay. From the external perspective, within your cardinal environment, you didn't have quarterly via scans, annual pay a PT is happening and something called file integrity monitoring. What is a file integrity monitoring? If you're not aware, basically, it's a software which stands for environment for any critical changes to files, okay. You might have sensitive files in your environment. You don't expect them to change a file integrity monitoring software will tell you if this file of change and will raise an alert. So you need to have that also within your environment. So supposing you're coddled application has a sensitive configuration file that is not supposed to change. What if that gets strange? Okay, So that file integrity monitoring solution will raise an alert and send it to you that should be there. And apart from that, if you have a wireless happening wireless environment, you need to release candidate for wireless cans also to make sure that the new insecure or maybe rogue wireless access points. Having created, usually we have three tools and commercial tools. You can scan the whole environment and we'll find out if there are any vulnerability or any road violence points there. And we talked about segmentation. Remember? We said that, okay, for the segmentation perspective, they should be something there is dropping. And so that will usually be a firewall and IDS and IPS. So we do something which is called a segmentations can, what is the segmentation scan? Segmentations can somebody actually tries to compromise the segmentation? So from the cardholder environment, he tries to jump to the non-cloud environment or from the non Guardiola umami taste The jumped to the cardo, the environment. He checks the adequacy of the segmentation which has happened, whether it is good or not. So this is why it's so important guys, as the all of these things you have to be doing, the different times that they are somehow I knew somehow half a semi-annual put it in your calendar. We talked about having a BAU process, right? This is what I was talking about. Usually what companies do and PCL mandates you should have a methodology for penetration testing. And you put what are external, internal, like what, what's going to happen annually? What's going to happen after every change? If segmentation changes, how are you going to test that? How are you going to do the application level one? How are you going to lay a switch? Can all have their documented in a proper formula is document and make it available to everyone. So this way, you won't get like a cotton surprise and you miss out on some critical scan that you're supposed to be doing. This is a high level, like a bit simplistic, but this tells you what the standards should be happening in your environment. So I hope this, this was like it gives you a clarity. Start with it. Initially becomes very overwhelming and slowly, slowly becomes like a BAU for you. Once you put it in your BAU process, you'll find that it becomes much more easier. Okay, guys. Okay, that wraps up the second last one. So we should move on to the last one. 17. Requirement 12: Hi everyone, welcome to this lesson. Now, we've reached the last requirement of parameter Alpha, which is documentation and risk assessments. So previous one was a very technical requirements regarding pen testing and b, a and P, D and all those things. Now we're talking about something which is much more simpler, documentation and risk assessments. So here guys, we're talking about something that you have to do like, from the due diligence perspective, the auditor needs to know that heavy formalized all your information security policies, other stuff away of what they should be doing and they should not be doing. This helps to protect you in case something happens, there's a breach. Then you can prove that you did everything from your perspective. You need to make sure your security policies have been approved and body called, communicated, and signed off by all the employees they've acknowledged at it. Okay. If you are a service provider, you need to have something called a PCI DSS charter. It says that who is responsible for PCI DSS and who's going to implement the program and who is accountable for PCI, DSS. It has to tell you who is the person responsible and how it will communicate with executive management, okay. Apart from that, you also need to have an inventory of any third-party vendors, outsource people or third party vendors who have access into your cardinal environment. Because if they get compromises potentially this to your environment, you need to have a list of all third party service providers and whether they are PECS certified or not. Okay. You need to have the list. Most of them has usually available and you can make this as part of your calendar, but make sure those dark, dark documentation is overdue. So this is pretty straightforward to comment is mostly about documentation. It takes a long time. But if you work with your TSA, a lot of times they are ready-made templates already available. So you should be able to save some time with this. Just like I mentioned, you have to have a written compliance and security policy. The charter should be here for your service provider. You need to make sure I have a quarterly review to make sure that everybody is following the requirements everybody has signed off on the security of illustrating. And lastly, a very important risk assessment, PCR requires everybody to perform an annual risk assessment to identify critical assets. Scratch vulnerability is okay because this will help you to prioritize risks. And if you take a proactive approach to this, this really pays off in the long run. This is something she says something people think this is like a formality afternoon every year. But if you do it properly and you give it the proper time and respect, I can tell you risk assessments can identify so many issues proactively, much more before then the auditor finds that I want to flag this before, because risk assessments are going to become very, very important in the upcoming revision, which is PCI DSS version for it. If you do, if you have not focused too much on this, this could become a problem for you. So definitely start focusing on this. I'll talk about it more in the future class, in the next class which I have, which are about PCI DSS 4. But please do not take risk assessment, likes art form formality that you have to do and forget about it. Okay? So really focus, there's won't copy paste what you did last year to the next year and really focused on it and it will definitely pay off in the long run. Okay, so that finishes off your lawsuit coming guys, I hope this was useful to you. Let's go on to a very important topic which we have to cover, which is compensating controls. That is what happens if you're not able to meet a requirement. I see you in the next class. 18. Compensating Controls: Hi guys. So very, very short class, but this is very important. So now you've covered all the trails requirements, right? But what happens if you can't miss a PCI requirement? Okay? Like, let's take an example. You have to apply patches within 30 days, right? Critical patches. What if we can't apply a patch? Or what if you can't implement file integrity monitoring? What happens then? So there's something called a compensating controls. This happens when a, when a party cannot meet a preset apartment, you do illegitimate reason. It's not there being lazy, maybe the system does not support it or they don't. There are some constraints there. But what you do is you put another controls there, okay? Maybe you can't patch it. But you have 24-seven monitoring and you have other tools which will alert you immediately if somehow somebody tries to exploit that patch. Okay? So it really depends. Data is really like an art. What do you say? It's like you have to sit with the QSEN, make him understand what you've done, how you've mitigated that risk and vary the effectiveness of this. It changes from environment to environment from few aesthetic USA. Okay? But remember that you really have to be good in risk assessments to do this. So the compensating control in short, you have to fill out a sheet to shore to the auditor. What does it look like? It's like this one. Like I took the example. This is, you have to finish this out. You have to show what are the constraints, okay, why you can't meet at a comment like why can't you patch this quarter or why can't you like implement file integrity monitoring, then you have to have the old definition. What are the controls you've implemented? What are the objective of this controls? What's the risk that because of the patching not be there or something, And how has the auditor validated dense compensating controls? And how are you going to make sure that nobody tampers with those controls? So this is something that we'll review. And you have to really satisfy him to make sure that this is not just you've just something you've put in there to escape? No, this is something you've thought about and you implemented it properly. So please, compensating controls are very important topic. They are going to be not replaced, but they are a new way of doing things which is coming up, which is called the customized approach. I'm going to talk about it in the PCI DSS version for module. But just know they're compensating controls are what you have to do if you're not able to meet a particular requirement. And there are other ways of doing this which are coming up. Okay guys, so this wraps up the requirements module. I hope you enjoyed it and I hope you learned a few things and see you in the next module. Thank you. 19. SAQ and its types: Hi everyone, welcome to this lesson. Now that are going to be talking about the types of self-assessment questionnaires you've completed the PCI, DSS requirements, right? And just to quickly recap, the SAQ, the self-assessment questionnaire. It's like a validation tool for merchants and service providers to report the results of the PCI DSS assessment. If you are not required to do a full audit and submit a ROC, write a report on compliance. It depending on the way you process transmitted stored in data, they are different SET was that he must fill out. Like if you don't have like an e-commerce store, you might be quite to fill out something else. Or if you have any constant, It's something as if you're required to. The way you're processing data, it changes the type of vesicular. I've seen sometimes people get confused when it comes to execute. So the types of them because they're like around it. So I thought it would be good to get like just give some guidance on what type of SEQ is required for what type of scenario. So let's take a look at this. Just a quick recap. What is the basic you guys just to let you know, if you're not required to do a full audit, you're required to fill out an SAQ is usually for small merchant service providers. It's a series of questionnaires. It can be quite long. It's like the runs up to sometimes 87 pages, yes or no questions. And like I said, there are eight times, so basically use and depending on what type of environment you have, you're going to after select that one. Don't try to do it yourself the first time you can check with the USA or your payment plan. And they asked them what sort of SEQ am I supposed to fill out. So it should not be difficult provided you do your homework properly. These are the types of SKUs. I'm not going to read off a boring table. I know nobody wants me to do that. But these are the terms around eight type of audio call acyclic. So let's take a look. Much the self-assessment questionnaire. So what does the PCA guidance says? This is if your company has completely ourselves the collection and processing of cardholder data to PCI compliant third-party service provider. If you're not doing anything regarding cardholder data, you've completely outsource everything. So usually what happens is, I've seen this in scenarios where there's a complete e-commerce, much like an e-commerce environment where you're not doing anything on your website when the user clicks by these, like they get redirected to somebody else and that is where the transaction happens. And you just come back and say, Okay, that transaction has been successful. You don't have to do anything. For these type of scenarios. I've seen a SAQ is most suited as a complete, complete outsourcing. And it's like you don't store process transmit card related at any point in time. So this is for the basic QA, is usually the best fit for that scenario. There's another one called SQL API. So again, there's an e-commerce environment and the collection of processing of cardholder data has been outsourced okay, to a PCI compliant third party. So it's similar to the previous one, but in this one, what is happening? You are controlling the flow of cardholder data to the service provider. Okay? So usually what happens customers, they want more customization on the environment. So they control how the website is sending cardholder data and they are what you call. They don't take cardholder data, but they do control the flow of how the users get redirected to the website for payment collection. Usually this happens when they don't like the third party is what you call default pages and they want to have some customization done. So for these sorts of scenarios where secure API, that is usually the correct choice for your compliance documentation. Okay. Questionnaire B. B. These are those four that mail-order, telephone order transactions you'd like bank approve payment terminals. They're usually does analog lines, not analog phone lines. So they don't have any electronic processing and storage of data. Basically, we are talking about phone lines and they're not connected to even voice-over IP like analog. You'll see these merchants which are usually kind of cut off from the world like far for every merchants they just feeling for what he called the terminals and the payment terminals which are connected to the phone lines because they don't have Internet connectivity and they don't have anything like that. They're using that for those sorts of questions. Seq B is the one being used. I haven't used it. I have not seen it being used that much. That is the scenario where you will use this one. What is SEQ BIP? So in this one, again, we have the mail-order, telephone order transactions and payment terminals, but you're also receiving it in person. And it's connected to an IP network. So what do you call? It's not, it's not like an analog connection here you have an IP connection. Suddenly they might have access to the internet or wireless like that. Usually results in faster processing times, but then you need to put in more colors, are more security controls in place, and you need to segment of that network, okay? Because in this case the payment data is being transmitted over the network. So this is where the BIP comes in. If you can check it from the name. Ip. In the previous 22 is just analog phone lines here. It's an IP network. Okay. What does essay Q. C. Okay. Yeah, So in this one, you're receiving the cardholder data in-person, and again, mail-order transactions and you're using a point of sales system. What was that in the previous one. So that was like a payment terminal of justice. But here you have a point of sale terminal and that does not show the full card data. Remember remember where he talked about, right, storage of card data. So usually here you have those cash registers and they're connected to a back of a server. And that server might be hosted outside. But this is what the scenario. So head, you have like a Point-of-sale terminal that is not configured to store the fuel card data. And you have like an accurate to about a back-end server. Usually, I've seen those retail merchants using those big cash registers, right? This is where the SAT usually applies to C v, t. And for this one, even just from the name itself, you can say this is like a Verbit's virtual terminal. So in some cases you don't have a physical terminal. Okay? So here you have a purpose virtual terminal. And usually there's like a workstation which is dedicated in a particular place for processing payments. Sometimes when you allow your customers could do self-service and all that, right? This is where this is coming in. Okay, P2. So P2, P0, P2P stands for point-to-point encryption. So this is a standard which the PCI council has introduced. The, all the, all the data is encrypted from the point of capturing kill the point sends back for processing. So if you're a merchant, you don't have to do it. It's a completely offshore standard, but it reduces the scope of Piaget compliance. I've seen a lot of service code isn't bank offer this as a solution to merchants if they want to reduce the complexity, we don't want to have the hassle of worrying about payment and all that. Usually has to have special terminals dedicated for this. Okay? Then the transaction gets back to send back to the service provider for decryption and processing. So here, the main thing is we're using validated point-to-point encryption terminals. Okay? If you're using that, then this is a questionnaire. This questionnaire is much more simpler than the other ones, and that's the whole point. You want to reduce the compliance burden. You don't want to fill out those big, big question is this, and this becomes like an incentive for merchants to adopt this type of solutions. Okay? And now we're at the last one, which is the security much and so anything which does not apply to the previous criteria. And you don't want like, you're storing cardholder information and you don't use like a point-to-point stratified system. And basically any of the previous criteria does not apply to you as security. A lot of times I've seen merchant start with this because in this scenario, you're just taking the safest approach and just fill up their security because they don't want to go to the hassle of finding out what exactly like what are the fine-tuning data secure comments, they just fill up their security and the submitted. So this is applies to merchants and the service providers, also service provider. I used to be in a service provider for many, many years. Basically, it's not like a payment went like Visa, MasterCard, and you're not like a bank, right? But you are conducting your processing, storing, transmitting cardholder data on behalf of a bank offer merchant. So you basically offload everything, okay? Usually service providers, they get the full audit done because their environment is much more critical. You are you don't have data. Entity, you have beta. God knows how many entities are hundreds of banks, hundreds of thousands of merchants. So they usually do the full audit, but you can fill up their security. You should check with your permanent run and find out what it thinks is applicable to you. I would recommend if you are a service provider to do the full audit, don't rely on a secure key because it's not independently verified. Tried to do with go over the full audit always. Especially if you're a service provider. Okay, guys. So that closes the body called SEQ part. And I'll see you in the next module, which is very important, which has to do with the key changes in their version 4 of the standard. Thank you guys. I'll see you next lesson. 20. PCI DSS v4 and the key changes: Hi everyone. Okay, So we've reached the final chapter, which is the final one and which is the most forward-looking, which is the key changes in the version 4 zeros. So you might be aware that version 4 husband released into the public. This was a result of various efforts by the PCA council to update the standard. You don't make it more relevant. You can the reason I didn't I made this a separate section is because I want you to keep calm and keep focusing on your compliance efforts with the current version of the standard. At the same time, take some time to read and plan for PCI DSS version 4. Do not try to implement 4 right now you will get older because it is a major change. It is not something you can just start implementing right away. You need to fully understand what the changes are and how they will fit into the larger picture. Okay guys, so just a cable, you don't get all excited and start implementing right away. So what are we talking about? First of all, why has the standard change? So if a major revision happened, well, that might be a question. You might say, why did the PCA console do such a major rewrite of the PCI DSS. And the PCI DSS is a fairly mature standards for reasons they want to make sure that it needs a security standards, the needs of the payments industry, right? Because technology is evolving. We didn't have cloud before and other things before, right? And they've made it more mature from a security perspective. Security was not so much like what we call link here to risk management and mature processes. Companies now have innovative technologies which they can meet the intent of the requirements. You remember what I told you before? Try to understand the intent. Don't try to just memorize the standard, okay? Because that will not help you. And it gives you a lot of flexibility, also support of additional methodology. So they've made it much more flexible, much more open-ended. You can have lots of discussions with the QS is just remember, but very, very important. But guys, you need to focus on risk management as a methodology. Don't just be technical. Understand how it is. How does management works? If you don't know already. The key timeline, just to me to make sense of this diagram, the standard, the new one remains option until March 31st, 2024. And then this version three will go the older version, 3.2.1, it gets retired. After that, your audits are going to be start happening against PCI DSS version 4.2 only. Some of the new requirements, they're also not become mandatory until March 31st, 2025. Until that time it will be considered best practice. Okay. So many comments have been added to the standard, their future dated March 2055, like I said, in order to allow the new processes to be developed before I need to do comments can be enforced. So that's the reason I focus. I made it a separate standard because I didn't want to confuse you, right. I'm going to be focused on the major changes. So you have until 31st, March 2024 to understand and roll out the new requirements to the standards. And the QS is we're going to be coming. They can start auditing against the standard. Okay. Now two years seems like a lot, but they're really not dice. Please don't underestimate just how quickly time passes by and how quickly things change. You will get a strong cup. Other things. I'll teach you how to focus on whatever things to focus on and what are the things you should be doing, okay? Okay? So the first thing is that it's not that big of a chain, but scoping. So previously scoping, if you look at this kind of scoping was like it was starting to any initial discussion. It was in the introduction. It wasn't part of the requirements of the standard, but now the council have moved it into the requirements standards. Okay? And they've made it a traceable requirement effective immediately for version 4. So this is not like future data into other ones. Okay? So you will need to document your scoping exercise. If you're a merchant, you have to do it annually and if any changes happen or something like that, if you're a service provider, you will need to do it every six months. Or a patron is data structure data. So if you're a merchant, make sure you're doing your, you should be doing you're scoping anyways, start documenting your scoping exercise on an annual basis. It might be a bit of a hassle first time, but then it becomes easier. If you are a service provider, know that after March 31st, 2025, you need to be doing this after every six months. But after any major changes, like something changed in a manner that people's systems processes, you need to take into that into account. Okay. What else is there a storage of sensitive authentication data? Well, you shouldn't be storing sensitive authentication data, but after authorization. So we already discussed this before, right? Some organizations. So before the transaction is authorized, they do keep store the data temporarily. It was recommended that okay. You storing it for a minute, half an hour, whatever it was recommended, you should try to encrypt a protected right. It wasn't required. Well, it's no longer it won't be a recommendation after March 31st, 2025. What has happened is they've seen a lot of attacks. Attackers can try to compromise it vanished within memory, this temporary storage, they try to compromise it. Okay. So even if you're storing it for five-minutes, then they will know and they try to get it from memory. So you will even within memory, but then temporary storage, you will need to encrypt it. Okay. So just keep this in mind. And this wouldn't be a recommendation after March 31st, 2025. Okay. What else is there remote access. So if you're using remote access into the cardholder environment, okay? Then you must prevent the copy and relocation of cardholder data case. Somebody can copy paste this data out. This is this has been mentioned before in the standard recommendation is going to be a requirement. A lot of companies have seen what they used to do things to put a policy around this. But it now it needs to be enforced by a technology, okay? Usually, it just should not be too difficult. Usually if you have settings in your remote access software that prevent copy paste or you have DLP functions, okay? So depending on what you have and your current process despite be very easy, it might be a bit difficult. You might need to invest in a few more technology is all you need to put some controls around this. So just keep this in mind for this requirement. Okay, Web Application Firewall. So this is pretty straightforward guys. Remember, I told you that you can have Web Application Firewall or application painters. It was a recommendation. Well, now you need to have it. It's no longer optional. Okay. You need to have a valve after March 21st, 2025. Honestly, you should have a rough like I told you before, don't try to make do with secure coding reviews or upset, you should have a web application firewall by default. So if you're not doing this, start doing it right now, start budgeting for it. Skips on payment pages. So this is quite enough interesting. This used to be like a supplement from the PTA Council. This must not initially not part of the PCI standard. If you have e-commerce pages with scripts which are running, you have to now what do we have to do if your scripts are being loaded? You need to make sure that they're authorized and nobody can tamper with those scripts. And you have an inventory of all the scripts which are running. Why? Why is this happening? Because phenomena called skimming payments, skimming, what attackers used to do it is to compromise these payment pages and inject their own scripts or tamper with the existing scripts. Okay, so it's like you're entering your data, but that data is actually being entered on attacker's page and the pH is genuine, right? But they just compared with the script. So it's not even like a phishing attack because the URL will remain the same. That's why now this is a very good comment personally because e-commerce has started. It's like almost e-commerce is slowly taking over the physical world. And you should have these controls. So definitely take a look at that. If you have an e-commerce engine which has come spring loaded, start taking a look at the how you're going to be implementing this. And you can take a look at the e-commerce supplement from the PCA council. That is also a very good document that goes into more detail. Okay. What else is the MFA requirements? So MFA has been expanded a little bit. So what do you call now if we received was to be for admin and remote access right now it's going to be expanded to cover access into the cardholder environment. Okay. So one more thing. So they've added a detail. It can be a little bit tricky. So what is this that previously what used to happen? Usually in most MFA solutions you will put in your user ID and password right? Click Enter, and then another screen comes up. Then you have to put in your MFA code right? Now. All of this has to happen at the same time. So it's not like a first-time user ID password. And then they enter the other factor right under the token. Now, they have to be happen at the same time and they can't tell you which way the user ID password field into token fail. You can't reveal that information. So most vendors should be updating it. But something to keep in mind. Other thing was finally good view. So like I told you before, the PCI DSS password requirements used to be like seven. Now they finally upgraded it to 12. They should not be a bigger issue. But if you have some of your systems which needs upgrading, maybe you need to change the password policy or something like that. Keep that in mind. A minor issue is they changed, they've removed the references to firewalls and routers. Now they mentioned it in effect, security controls and anti-malware. They've made it more in sync with what the industry terminology is. Most companies now they don't use a construct of antivirus reuse something anti-malware. Okay. What else is there? Authenticated scanning. So internal via scanning it now has to be authenticated. It now it means you can just scan your ports and services and call it a via scan. So if you have like a server or something like that, usually what you do is you give it a you will provide the appliance or user ID and password. It'll log into that machine and do a complete scan. Okay, get ready for a much larger report if you're not doing this already, honestly, we should be doing this already. You should always be doing authenticated scanning. Okay, but if you're not and when you turn this on yoga, because now it is going to be looking at, is going to authenticate and actually do a much deeper scan. A lot of things will come up, Okay guys, so be ready for the start doing this right now. Important part of this new requirement is that the, the credentials you enter, they have to be entered and stored securely. Okay. So take a look at that. If you have something like a password vault or maybe you can integrate a lot of these solutions they do integrate with Password works, so you don't have to manually enter it and store it anywhere. Okay. Just keep that in mind. Lastly, okay, the most, personally in my opinion, the biggest change has been the introduction of Customize Controls. So what used to happen? Like I told you before, if previously companies could not meet the requirements, they could propose something called a compensating control and use it to get around not meeting their comment. For example, you can't encrypt cardholder data legacy system located, put another controls. And that is like a mitigating that risk. A lot of time curious is they do get asked the question, right. The auditor The companies have asked me, okay, we have a security but I can't meet the specific requirement, but I have secure controls. Okay. The response used to be okay because you can implement a compensating control, which is a temporary solution until you meet the requirement, until you finally fix this. Okay? So version four of the standard, they have tried to resolve this scenario by introducing this concept of customized approach. So customer companies that have mature security, okay? And they have other controls, they can meet the requirement in other ways. So it's not a compensating control is so much like a much more complex and a much more better way of meeting the requirement. Okay? So previous things, the previous way of doing it and it was called a defined approach. Pci has been implemented is called a defined approach. Now you're going to have a separate section called the customized approach, okay? And basically you're going to be proposing a new control, that means the requirements. So you're not compensating you're not compensating for a gap. Okay. You're putting in a new that is meeting the PSA objective and that is of course, it'll be assessed by the PCI auditor. This is a great solution for companies who cannot directly meet the requirements, but they have mature risk management practices in place, and they have innovative technologies. Okay? How would it look like? It's a little bit like this. So the old one that defined approach was, well, I have a PCI requirement and I cannot meet it, so I'm going to put in a compensating control. I'm compensating for a lack of control and I'm documentary get short-term. The auditor used to say, Okay, we accept it now maybe after one year, five years, we have to implement some solution. Okay, now, I have a pizza I cannot meet, I have a customized control, I've made it and it meets the objective of the requirement. The PCI standard is saying This XYZ should not happen, cognitive should not get stolen. Okay, I'm meeting the requirement and I've implemented this. So you can still do compensating controls, but these new approaches are much more strategic way of meeting it. So like I said, just remember you're not compensating like in a short-term way. Now you're implementing a long-term approach for properly securing your PCI requirements. Okay? So this is how the standard is look like so that they can take a look at it and style it. You don't have to start implementing it right away. And it might seem a bit overwhelming. So I'm gonna give you the advice for that award. What to do about this, how to focus on it, okay? And just to be clear guys, this management and documentation is a big focus on the new strand. So when you're doing your activities, you need to do a targeted risk analysis of why you're doing stuff. You need to make sure those are signed off. You if you put in customized controls, they will need to be signed off by your Chief Risk Officer or CEO. Somebody senior, okay. This is not something like I mentioned before. Pci DSS is not an IT project. But in the new one they have much more emphasis on that. That you need to have clearly defined roles and responsibilities. Customized controls need to be signed off. And targeted risk assessment needs to be done. Don't think you can just make an Excel sheet with one column saying, I've done a risk assessment. No, it won't be accepted like this. How do you do it? 21. How to get ready: If you know Michael Lumia earlier before about gap assessment, same thing. Okay. What are the most important things to focus on right now? First of all, read the PCI DSS version for Standard, get familiar with the biggest changes that can impact your compliance process, then start making a gap assessment okay? To me, implement changes. Probation for input. You have time, start early and you won't have problems during your conversation. Okay, don't forget to keep implementing your current standard, 3.211, but start thinking about how you're going to be doing risk assessments. More like more formal risk assessment is documentation that required, okay? And most organizations will need to add processes and gain skills to do this correctly. Find out what sort of certifications are there. Start concerting with you. And the cube, even though they can't conduct a 4 assessment right now until they have been formally trained. But it's going to happen very, very quickly. Okay. But kind of get us this will give you advice, but please do not wait until 2024 to begin switching over to PCI DSS for fido, spread your efforts over the next couple of years and you will be just fine, okay? Okay. Just remember these things. Even have an increased focus on documentation. Targeted risk management started investing in this tree and there are many, many certifications for risk management. You can look at those certifications. I'm not going to nominate any specific one. You can take a look at that. It would be a great idea to invest in getting certifications for and risk management. These are not technical, but they will teach you the methodologies for doing proper risk assessments. Okay guys. Okay, so this wraps up the version 4. I hope you understand now the big changes which are coming in, how you can go about doing it. It seems like, like I said, two years, it seems far away. It can be very short, it can be very long. Spread your efforts out and have a proper action plan in place and you should be just fine with this. Okay, guys, I hope that was useful. That wraps it up and thank you for attending this training. Now we're gonna move on to the conclusion. And in this course, thank you so much for staying with me during this time. 22. Way forward : Okay guys, congratulations on reaching the end of this course. I hope you found it interesting. It wasn't boring. I tried to make it as practical as possible and give you as much actionable advice as I possibly could for the class project. I just want to remind you, remember we talked about Essex. I want you to collect an SAQ, make it as simple as security or anyone's for a physical on e-commerce merchant that will really teach you about the different standards, different departments. It'll give you a good idea of what other comments also, fill it out. Let me know how you go about it and if you face any challenges since reach out to me and let me know. Okay. What else can you do, guys? You can take a look at the PCI ISA program, internet security assessor, that's an internist certification which you can do for your company. It makes you almost equivalent to what USA, but you are not, you're, you're not like at usaid, you over your own internal auditor, but it gives you the full training for how to conduct these audits. If you're interested in this definitely which it out. Like I said, don't wait for the audit. Please start implementing this knowledge right now. And you will definitely this is the best way to retain that knowledge or say, one actionable tip I can give you create a PCI document or manual for your company for the e-commerce, how to implement these requirements daily rate for your organization. And you will learn a lot, believe me, you will learn a lot about your company and how the different comments are fitting in. And most importantly, start gapping against the PCI DSS version 4 is 0 today, don't put it off for next year or the year after that, otherwise, you will have serious problems. Start actioning it today. Take the knowledge I've taught you and present it to your management and these are the things we have to be doing. Okay, guys, that wraps it up. Thank you very much for attending this training. Please do leave a review. If you thought this training was useful, wonderful, please let me know. If you caught this training was like the worst thing you've ever attended, please let me know so I won't be offended. And I will use that to improve on its training or take. If you are interested, you can reach out to me on my channel, like the cloud security guy and other courses I have here, okay, do connect with me on LinkedIn. I'm happy to help you out if you have any problems. Okay, And that reaches the end of this course, guys, thank you so much. I hope you enjoyed this training as much as I enjoyed making it. Take a look at my other courses and do reach out to me. I wish you all the best in your PCI DSS journey and see you in other courses. Thank you very much and good luck.