| Protect Your Data with PCI DSS | KirkpatrickPrice

Protect Your Data with PCI DSS

Related Videos

4 Ways to Treat Risk

5 Focus Areas for AWS Compliance

Achieve Cloud Security with an Expert Who Cares

Achieving High Availability in AWS

Activate Azure Key Rotation Reminders.mov

Auditor Insight: The Top 3 Issues with Your Risk Assessment [WEBINAR]

Auditors Who Make Sure You're Secure

Basic Tools for AWS Security

Be Prepared for PCI Success

Breaking Down AWS Security

Cloud Attacks on the Rise

Cloud Security Posture Management

Cloud Services Are Assets with Risk

Communicating Risk Assessment Results

Connect Your AWS Account Using CloudFormation

Connect with AWS Security Experts

Create Policies for Usage of Critical Technologies

Creating a Data Flow Diagram

Creating a Network Diagram

Defining Likelihood and Impact

Defining Risk, Threat and Vulnerability

Determining Impact to Your Assets

Disclose What Data Is Being Collected

Do All Keys Have Resources Attached?

Do Not Use RSASHA1 for DNSSEC Key-Signing Keys

Do You Have to Do PCI?

Don't Face Cloud Security Alone

Enable Maintenance and Backups for RDS

Enable Role Based Access Control (RBAC) for Azure Key Vault

Encrypt Infrastructure to Further Protect Your Environment

Encrypt Kubernetes Secrets Using Keys

Encrypt Storage for Critical Data with CMKs

Encrypted Cardholder Data and Scope

Encrypting Traffic In and Out of AWS

Encryption Decisions for Your Technology Stack

Encryption Opportunities

Encryption for EBS Volumes

Encryption for S3 Buckets

Enforce Separation of Duties When Assigning KMS Related Roles

Enforcing Strong TLS Ciphers

Ensure KMS Cryptokeys Are Not Publicly Accessible

Ensure Use of CMKs for Unattached Disks

Ensure that Virtual Hard Disks Are Encrypted

Ensure that an Expiration Date Is Set for All Keys in Non-RBAC Key Vaults

Ensure that an Expiration Date Is Set for All Secrets in Non-RBAC Key Vaults

Ensure the Key Vault Is Recoverable

Evaluating Likelihood and Impact

Events that Drive Key Rotation

FAQs for Amazon S3 Security

Getting Started with PCI Compliance

HIPAA and Risk Analysis

HITRUST and Risk Assessment

How to Configure Encryption for EBS Volumes on Existing EC2 Instances

How to Configure Encryption for EBS Volumes on New EC2 Instances

How to Configure Encryption for RDS

How to Configure Encryption for S3 Buckets

How to Restrict Public Access to S3 Buckets

How to Use S3 Versioning and Lifecycle Rules

Identify and Prioritize Your Cloud Security Risk

Industry Standards for Risk Assessment

Install Endpoint Protection for All Virtual Machines

Introduction to Amazon Inspector

Introduction to NIST SP 800-30

Introduction to NIST SP 800-39

Key Rotation and Management

Leverage CIS Benchmarks for Cloud Security

Load Balancers Must Require TLS 1.2

Managing Security Requirements with Multiple Vendors

Monitoring Changing Risk

Only Install Company-Approved Extensions on Your Virtual Machines

Our Security Standards

PCI Compliance One Step at a Time

PCI DSS Assessment Scope: Identify Cardholder Data Flows

PCI DSS Assessment Scope: Identify Third Parties

PCI DSS and Risk Assessment

PCI Requirement 12.8 & 12.8.1 – Manage Service Providers with Cardholder Data Access

PCI Requirement 3.1 - Keep Cardholder Data Storage to a Minimum

PCI Requirement 3.2 - Do Not Store Sensitive Authentication Data After Authorization

PCI Requirement 3.3 Mask PAN when Displayed

PCI Requirement 3.4 Render PAN Unreadable Anywhere it Is Stored

PCI Requirement 3.4.1 Logical Access Management

PCI Requirement 3.5 Document & Implement Procedures to Protect Keys

PCI Requirement 3.5.1 Maintain a Documented Description of The Cryptographic Architecture

PCI Requirement 3.5.2 Restrict Access to Cryptographic Keys

PCI Requirement 3.5.3 Store Secret and Private Keys Used to Encrypt/Decrypt Cardholder Data

PCI Requirement 3.5.4 Store Cryptographic Keys in The Fewest Possible Locations

PCI Requirement 3.6 Document & Implement all Key-Management Processes & Procedures

PCI Requirement 3.6.1 Generation of Strong Cryptographic Keys

PCI Requirement 3.6.2 Secure Cryptographic Key Distribution

PCI Requirement 3.6.3 Secure Cryptographic Key Storage

PCI Requirement 3.6.4 Cryptographic Key Changes at Cryptoperiod Completion

PCI Requirement 3.6.5 Replacing Weakened Keys

PCI Requirement 3.6.6 Using Split Knowledge & Dual Control

PCI Requirement 3.6.7 Prevention of Unauthorized Substitution of Cryptographic Keys

PCI Requirement 3.6.8 Key-Custodian Responsibilities

PCI Requirement 3.7 Security Policies & Operational Procedures

PCI Requirement 4.1 – Use Strong Cryptography & Security Protocols to Safeguard Sensitive CHD

PCI Requirement 4.1.1 – Ensure Wireless Network Transmitting CHD Use Strong Encryption

PCI Requirement 4.3 – Ensure Security Policies and Procedures are Known to all Affected Parties

PCI Requirements 3.2.1, 3.2.2, & 3.2.3 Do Not Store Tracks, Codes, or PINs After Authorization

PCI v3.2.1 vs. PCI 4.0: What's Changed?

PCI v4.0 - 1.5.1: Security Controls Are Implemented on Any Computing Devices

PCI v4.0 - 10.1.1: Requirement 10 Policies and Procedures Are In Place

PCI v4.0 - 10.1.2: Requirement 10 Roles and Responsibilities Are In Place

PCI v4.0 - 10.2.1.1: Logs Capture Individual User Access to Cardholder Data

PCI v4.0 - 10.2.1.2: Logs Capture All Actions by Someone with Administrative Access

PCI v4.0 - 10.2.1.3: Logs Capture All Access to Audit Logs

PCI v4.0 - 10.2.1.4: Logs Capture All Invalid Logical Access Attempts

PCI v4.0 - 10.2.1.5: Logs Capture All Changes to Identification and Authentication Credentials

PCI v4.0 - 10.2.1.6: Logs Capture All Initialization Starting Stopping and Pausing of Audit Logs

PCI v4.0 - 10.2.1.7: Logs Capture All Creation and Deletion of System Level Objects

PCI v4.0 - 10.2.1: Audit Logs Are Enabled and Active

PCI v4.0 - 10.2.2: Audit Logs Record All Appropriate Information for Each Auditable Event

PCI v4.0 - 10.3.1: Read Access to Audit Log Files Is Limited

PCI v4.0 - 10.3.2: Audit Log Files Are Protected from Modification

PCI v4.0 - 10.3.3: Audit Log Files Are Properly Backed Up

PCI v4.0 - 10.3.4: Utilize File Integrity Monitoring or Change-Detection Tools on Audit Logs

PCI v4.0 - 10.4.1 & 10.4.1.1: Perform Specific Daily Audit Log Reviews Using Automated Mechanisms

PCI v4.0 - 10.4.2 & 10.4.2.1: Periodically Perform Other Audit Log Reviews

PCI v4.0 - 10.4.3: Address Identified Exceptions and Anomalies

PCI v4.0 - 10.5.1: Retain Audit Log History for At Least 12 Months

PCI v4.0 - 10.6.1: System Clocks and Time Are Synchronized

PCI v4.0 - 10.6.2: Systems Are Configured to the Correct and Consistent Time

PCI v4.0 - 10.6.3: Time Synchronization Settings and Data Are Protected

PCI v4.0 - 10.7.1: (Service Providers) Critical Security Control System Failures Are Addressed

PCI v4.0 - 10.7.2: Failure of Critical Security Control Systems Are Handled Appropriately

PCI v4.0 - 10.7.3: Failure of Any Critical Security Controls Are Promptly Addressed

PCI v4.0 - 11.1.1: Requirement 11 Polices and Procedures Are In Place

PCI v4.0 - 11.1.2: Requirement 11 Roles and Responsibilities Are In Place

PCI v4.0 - 11.2.1: Wireless Access Points Are Properly Managed

PCI v4.0 - 11.2.2: Maintain Inventory of All Authorized Wireless Access Points

PCI v4.0 - 11.3.1.1: Manage Non-High Risk and Non-Critical Vulnerabilities Appropriately

PCI v4.0 - 11.3.1.2: Use Authenticated Vulnerability Scanning Tools for Internal Scans

PCI v4.0 - 11.3.1.3: Perform Internal Scans After Significant Changes

PCI v4.0 - 11.3.1: Perform Internal Vulnerability Scans Frequently

PCI v4.0 - 11.3.2.1: Perform External Scans After Significant Changes

PCI v4.0 - 11.3.2: Perform External Vulnerability Scans Frequently

PCI v4.0 - 11.4.1: Define Document and Implement a Penetration Testing Methodology

PCI v4.0 - 11.4.2: Regularly Perform Internal Penetration Testing

PCI v4.0 - 11.4.3: Regularly Perform External Penetration Testing

PCI v4.0 - 11.4.4: Correct Vulnerabilities Found in Penetration Testing

PCI v4.0 - 11.4.5 & 11.4.6: Test the Effectiveness of Segmentation Controls Regularly

PCI v4.0 - 11.4.7: Multi-Tenant Service Providers Support Customers for External Penetration Testing

PCI v4.0 - 11.5.1.1: Detect Alert and Address Covert Malware Communication Channels

PCI v4.0 - 11.5.1: Implement Intrusion Detection and or Prevention Techniques

PCI v4.0 - 11.5.2: Deploy a Change-Detection Mechanism

PCI v4.0 - 11.6.1: Change-Detection or Tamper-Detection Mechanisms Are Deployed on Payment Pages

PCI v4.0 - 12.1.1: Have and Utilize an Information Security Policy

PCI v4.0 - 12.1.2: Review and Update Your Information Security Policy Regularly

PCI v4.0 - 12.1.3: Ensure Your Information Security Policy Defines Roles and Responsibilities

PCI v4.0 - 12.1.4: Formally Assign Information Security Responsibility to a CISO

PCI v4.0 - 12.10.1: Establish a Comprehensive Incident Response Plan

PCI v4.0 - 12.10.2: Regularly Review the Incident Response Plan

PCI v4.0 - 12.10.3: Ensure Specific Security Personnel Are Available for Incident Response

PCI v4.0 - 12.10.4.1: Utilize the Targeted Risk Analysis to Determine Incident Response Training Frequency

PCI v4.0 - 12.10.4: Appropriately Train Incident Response Personnel

PCI v4.0 - 12.10.5: Include Monitoring and Responding to Alerts in the Incident Response Plan

PCI v4.0 - 12.10.6: Modify the Incident Response Plan as Needed

PCI v4.0 - 12.10.7: Implement Incident Response Procedures Upon Detection of Stored Primary Account Numbers

PCI v4.0 - 12.2.1: Acceptable Use Policies Are Documented and Implemented

PCI v4.0 - 12.3.1: Use Targeted Risk Analyses to Support Flexible Testing

PCI v4.0 - 12.3.2: Perform Targeted Risk Analyses for Customized Approach

PCI v4.0 - 12.3.3: Document and Review Cryptographic Cipher Suites and Protocols in Use

PCI v4.0 - 12.3.4: Review Software and Hardware Technologies

PCI v4.0 - 12.4.1: Service Providers Must Establish Protections for Card Holder Data

PCI v4.0 - 12.4.2.1: Document the Reviews Performed in Requirement 12.4.2

PCI v4.0 - 12.4.2: Ensure Personnel Are Performing Their Duties

PCI v4.0 - 12.5.1: Maintain an Inventory of System Components That Are in Scope

PCI v4.0 - 12.5.2.1: Service Providers Must Document and Confirm Scope Frequently

PCI v4.0 - 12.5.2: Document and Confirm Scope Regularly

PCI v4.0 - 12.5.3: Review Scope After Significant Changes to Organizational Structure

PCI v4.0 - 12.6.1: Implement Formal Security Awareness Training

PCI v4.0 - 12.6.2: Review Your Information Security Awareness Program Regularly

PCI v4.0 - 12.6.3.1: Include Specific Threats and Vulnerabilities in Information Security Awareness Trainings

PCI v4.0 - 12.6.3.2: Include Acceptable Use Policies in Security Awareness Trainings

PCI v4.0 - 12.6.3: Hold Information Security Awareness Trainings Regularly

PCI v4.0 - 12.7.1: Screen Personnel Who Have Access to the Cardholder Data Environment

PCI v4.0 - 12.8.1: Keep Record of Third-Party Service Providers that Account Data Is Shared With

PCI v4.0 - 12.8.2: Maintain Written Requirements with Third-Party Service Providers

PCI v4.0 - 12.8.3: Establish a Process for Engaging with Third-Party Service Providers

PCI v4.0 - 12.8.4: Monitor the PCI DSS Compliance of Third-Party Service Providers

PCI v4.0 - 12.8.5: Detail Responsibilities Held by Third-Party Service Providers

PCI v4.0 - 12.9.1: Acknowledge Account Security Responsibilities

PCI v4.0 - 12.9.2: Provide Compliance Information to Clients Upon Request

PCI v4.0 - 2.2.5: Insecure Daemons Protocols and Services Have Additional Security Features

PCI v4.0 - 2.2.6: System Security Parameters Are Configured to Prevent Misuse

PCI v4.0 - 2.2.7: Non-Console Administrative Access Is Encrypted

PCI v4.0 - 2.3.1: Wireless Vendor Defaults Are Changed or Confirmed to Be Secure

PCI v4.0 - 2.3.2: Wireless Encryption Keys Are Changed Accordingly

PCI v4.0 - 3.1.1 & 3.1.2: Have Requirement 3 Policies and Procedures Assigned and In Place

PCI v4.0 - 3.2.1: Only Retain the Minimum Account Data Needed

PCI v4.0 - 3.3.1, 3.3.1.1, 3.3.1.2, & 3.3.1.3: Do Not Retain Any Sensitive Authentication Data

PCI v4.0 - 3.3.2: Encrypt Sensitive Authentication Data If Retained for Any Length of TIme

PCI v4.0 - 3.3.3: (Issuers Only) Store Only the Minimum Amount of Sensitive Authentication Data Needed

PCI v4.0 - 3.4.1: Mask Displayed Primary Account Number

PCI v4.0 - 3.4.2: Do Not Allow Primary Account Numbers to Be Copied When Using Remote Access

PCI v4.0 - 3.5.1.1: Ensure All Hashes Are Keyed

PCI v4.0 - 3.5.1.2: Correctly Utilize Disk-Level Encryption of Primary Account Numbers

PCI v4.0 - 3.5.1.3: Ensure Disk-Level Encryption Meets Requirements

PCI v4.0 - 3.5.1: Store Primary Account Numbers Appropriately

PCI v4.0 - 3.6.1.1: (Service Providers) Document and Describe the Cryptographic Architecture

PCI v4.0 - 3.6.1.3 & 3.6.1.4: Use Fewest Possible Custodians and Locations for Cryptographic Keys

PCI v4.0 - 3.6.1: Use Fewest Possible Number of Key Custodians Locations and Forms

PCI v4.0 - 3.7.1: Utilize Procedures to Generate Strong Cryptographic Keys

PCI v4.0 - 3.7.2 & 3.7.3: Implement Policies and Procedures to Safely Distribute and Store Keys

PCI v4.0 - 3.7.4: Define Cryptoperiods in Policies and Procedures for Key Management

PCI v4.0 - 3.7.5: Properly Retire Replace or Destroy Keys When Appropriate

PCI v4.0 - 3.7.6: Use Split Knowledge and Dual Control for Manual Cleartext Key Management

PCI v4.0 - 3.7.7: Do Not Allow Unauthorized Key Substitution

PCI v4.0 - 3.7.8: Require Key Custodians to Acknowledge and Accept Their Responsibilities

PCI v4.0 - 4.1.1 & 4.1.2: Have Requirement 4 Policies and Procedures Assigned and In Place

PCI v4.0 - 4.2.1.1: Maintain Inventory of Trusted Keys and Certificates

PCI v4.0 - 4.2.1.2: Utilize Strong Cryptography When Transmitting Primary Account Numbers on Wireless Networks

PCI v4.0 - 4.2.1: Properly Secure Primary Account Numbers During Transmission

PCI v4.0 - 4.2.2: Secure Primary Account Numbers When Transmitting via End User Messaging

PCI v4.0 - 5.1.1: Have Requirement 5 Policies and Procedures In Place

PCI v4.0 - 5.1.2: Have Requirement 5 Roles and Responsibilities In Place

PCI v4.0 - 5.2.1: Deploy Anti-Malware Solutions on All System Components

PCI v4.0 - 5.2.2: Utilize Sufficient Anti-Malware Solutions

PCI v4.0 - 5.2.3.1: Define Frequency of Periodic Evaluations of Systems in the Targeted Risk Analysis

PCI v4.0 - 5.2.3: Periodically Review Systems Not Protected by Anti-Malware Solutions

PCI v4.0 - 5.3.1: Keep Anti-Malware Solutions Up to Date

PCI v4.0 - 5.3.2.1: Define Frequency of Anti-Malware Scans in Targeted Risk Analysis

PCI v4.0 - 5.3.2: Ensure Anti-Malware Solution Performs Scans or Continuous Behavior Analyses

PCI v4.0 - 5.3.3: Utilize Anti-Malware Solutions for Removable Media

PCI v4.0 - 5.3.4: Enable and Retain Audit Logs for Anti-Malware Solutions

PCI v4.0 - 5.3.5: Do Not Allow Anti-Malware Solutions to Be Altered or Disabled

PCI v4.0 - 5.4.1: Have Protections in Place to Prevent Phishing Attacks

PCI v4.0 - 6.1.1: Requirement 6 Policies and Procedures Are In Place

PCI v4.0 - 6.1.2: Requirement 6 Roles and Responsibilities Are In Place

PCI v4.0 - 6.2.1: Bespoke and Custom Software Are Developed Securely

PCI v4.0 - 6.2.2: Train Personnel Developing Custom Software in Secure Software Practices

PCI v4.0 - 6.2.3 & 6.2.3.1: Bespoke and Custom Software Is Reviewed Before Being Released

PCI v4.0 - 6.2.4: Utilize Software Engineering Techniques to Secure Bespoke and Custom Software

PCI v4.0 - 6.3.1: Identify Security Vulnerabilities in Software

PCI v4.0 - 6.3.2: Maintain a List of Bespoke and Custom and Third-Party Software

PCI v4.0 - 6.3.3: Remediate Known Vulnerabilities Through Security Patches

PCI v4.0 - 6.4.1: Protect Public-Facing Web Applications

PCI v4.0 - 6.4.2: Use an Automated Solution to Protect Public-Facing Web Applications

PCI v4.0 - 6.4.3: Payment Page Scripts Are Managed Properly

PCI v4.0 - 6.5.1: Have a Documented Change Process for All System Components

PCI v4.0 - 6.5.2: Ensure Applicable PCI DSS Requirements Are In Place After Significant Changes

PCI v4.0 - 6.5.3: Pre-Production and Production Environments Are Separated

PCI v4.0 - 6.5.4: Separate Duties Between Production and Pre-Production Environments

PCI v4.0 - 6.5.5: Live Primary Account Numbers Are Not Used In Pre-Production Environments

PCI v4.0 - 6.5.6: Ensure Test Data and Accounts Are Removed Before Going into Production

PCI v4.0 - 7.1.1: Have Requirement 7 Policies and Procedures In Place

PCI v4.0 - 7.1.2: Have Requirement 7 Roles and Responsibilities In Place

PCI v4.0 - 7.2.1: Have an Access Control Model In Place

PCI v4.0 - 7.2.2: Grant Access Appropriately

PCI v4.0 - 7.2.3: Access Privileges Are Granted by Authorized Personnel

PCI v4.0 - 7.2.4: Periodically Review Access Privileges

PCI v4.0 - 7.2.5.1: Review Application and System Access Privileges

PCI v4.0 - 7.2.5: Assign and Manage System and Application Access Privileges Appropriately

PCI v4.0 - 7.2.6: Restrict Access to Query Repositories of Cardholder Data

PCI v4.0 - 7.3.1: Have an Access Control System In Place

PCI v4.0 - 7.3.2: Access Control System Is Configured Correctly

PCI v4.0 - 7.3.3: Access Control System Is Set to Deny All By Default

PCI v4.0 - 8.1.1: Have Requirement 8 Policies and Procedures In Place

PCI v4.0 - 8.1.2: Have Requirement 8 Roles and Responsibilities In Place

PCI v4.0 - 8.2.1: All Users Are Assigned Unique User IDs

PCI v4.0 - 8.2.2: Group Shared or Generic Accounts Are Only Used When Necessary

PCI v4.0 - 8.2.3: (Service Providers) Use Unique Authentication Factors to Remotely Access Customer Premises

PCI v4.0 - 8.2.4: User IDs and Identifier Objects Are Managed Appropriately

PCI v4.0 - 8.2.5: Revoke Access for Terminated Users Immediately

PCI v4.0 - 8.2.6: Inactive User Accounts Are Removed or Disabled

PCI v4.0 - 8.2.7: Properly Manage Accounts Used By Third Parties

PCI v4.0 - 8.2.8: Require Reauthentication if User Session Has Been Idle for More Than 15 Minutes

PCI v4.0 - 8.3.10.1: (Service Providers) Change Customer User Passwords and Passphrases Once Every 90 Days

PCI v4.0 - 8.3.10: (Service Providers) Provide Password and Passphrase Guidance to Customer Users

PCI v4.0 - 8.3.11: Assign Authentication Factors to Individual Users

PCI v4.0 - 8.3.1: Access to System Components Is Properly Authenticated

PCI v4.0 - 8.3.2: Use Strong Cryptography on All Authentication Factors

PCI v4.0 - 8.3.3: Verify User Identify Before Modifying Any Authentication Factor

PCI v4.0 - 8.3.4: Limit Invalid Authentication Attempts

PCI v4.0 - 8.3.5: Set and Reset Passphrases and Passwords Appropriately

PCI v4.0 - 8.3.6: Ensure Passphrases and Passwords Meet Minimum Levels of Complexity

PCI v4.0 - 8.3.7: Passwords Are Not the Same as at Least the Previous Four Passwords

PCI v4.0 - 8.3.8: Authentication Policies and Procedures Are Documented and Communicated

PCI v4.0 - 8.3.9: Passwords and Passphrases Are Changed Once Every 90 Days

PCI v4.0 - 8.4.1: Multi-Factor Authentication Is Implemented for All Non-Console Access

PCI v4.0 - 8.4.2: Multi-Factor Authentication Is Implemented for All Access to Cardholder Data Environment

PCI v4.0 - 8.4.3: Multi-Factor Authentication Is Utilized for All Remote Network Access

PCI v4.0 - 8.5.1: Multi-Factor Authentication Systems Are Implemented Appropriately

PCI v4.0 - 8.6.1: Interactive Logins Are Managed Properly

PCI v4.0 - 8.6.2: Passwords and Passphrases For System Accounts Are Not Hardcoded

PCI v4.0 - 8.6.3: Passwords and Passphrases Are Protected from Misuse

PCI v4.0 - 9.1.1: Requirement 9 Policies and Procedures Are In Place

PCI v4.0 - 9.1.2: Requirement 9 Roles and Responsibilities Are In Place

PCI v4.0 - 9.2.1 & 9.2.1.1: Monitor and Restrict Physical Access to Cardholder Data Environment Areas

PCI v4.0 - 9.2.2: Restrict the Use of Publicly Accessible Network Jacks

PCI v4.0 - 9.2.3: Access to Network Access Points Is Restricted

PCI v4.0 - 9.2.4: Console Access in Sensitive Data Area Is Restricted

PCI v4.0 - 9.3.1.1: Physical Access to Sensitive Areas Within the Cardholder Data Environment Is Controlled

PCI v4.0 - 9.3.1: Procedures Are In Place for Physical Access to the Cardholder Data Environment

PCI v4.0 - 9.3.2: Implement Procedures for Visitor Access to the Cardholder Data Environment

PCI v4.0 - 9.3.3: Visitor Badges or Identification Are Surrendered Before Leaving

PCI v4.0 - 9.3.4: Maintain a Visitor Log

PCI v4.0 - 9.4.1, 9.4.1.1, & 9.4.1.2: Media with Cardholder Data Is Physically Secured

PCI v4.0 - 9.4.2: All Media with Cardholder Data Is Classified

PCI v4.0 - 9.4.3: Properly Secure Media with Cardholder Data Sent Outside the Facility

PCI v4.0 - 9.4.4: Management Approves Sending Media with Cardholder Data Outside the Facility

PCI v4.0 - 9.4.5 & 9.4.5.1: Inventory Logs of Electronic Media with Cardholder Data Are Maintained

PCI v4.0 - 9.4.6: Hard-Copy Materials with Cardholder Data Are Destroyed

PCI v4.0 - 9.4.7: Destroy Digital Media With Cardholder Data

PCI v4.0 - 9.5.1.1: Maintain an Up-to-Date List of Point-of-Interaction Devices

PCI v4.0 - 9.5.1.2 & 9.5.1.2.1: Periodically Inspect Point-of-Interaction Devices

PCI v4.0 - 9.5.1.3: Provide Training for Personnel in Point-of-Interaction Environments

PCI v4.0 - 9.5.1: Point-of-Interaction Devices Are Protected

PCI v4.0 - A1.1.1: (Multi-Tenant Service Providers) Logical Separation Is Implemented Appropriately

PCI v4.0 - A1.1.2: (Multi-Tenant Service Providers) Each Customer Can Only Access Its Own Data and Environment

PCI v4.0 - A1.1.3: (Multi-Tenant Service Providers) Customers Can Only Access Resources Allocated to Them

PCI v4.0 - A1.1.4: (Multi-Tenant Service Providers) Logical Separation Control Effectiveness Is Tested Regularly

PCI v4.0 - A1.2.1: (Multi-Tenant Service Providers) Ensure Appropriate Logging Is Enabled

PCI v4.0 - A1.2.2: (Multi-Tenant Service Providers) Implement Processes to Support Forensic Investigations

PCI v4.0 - A1.2.3: (Multi-Tenant Service Providers) Implement Processes for Reporting and Addressing Security Incidents

Partner with an Expert on Cloud Security

Periodically Regenerate Access Keys

Preparing for a Risk Assessment

Preventing Public Accessibility on DB Instances

Re-Keying for Decryption

Real-world Risk Assessment

Requirement 4 - Encrypt Transmission of Cardholder Data Across Open, Public Networks

Requirement 4.2 – Never Send Unprotected PAN by End-User Technologies

Rotate KMS Encryption Keys Regularly

Route 53 Support for DNSSEC

Step One for Risk Assessment

Take Advantage of Automatic Key Rotation within Azure Key Vault

The AWS Shared Responsibility Model

The Assessment of Fraud for SOC 2

The Importance of a Gap Analysis

Thinking About Likelihood and Impact

Third Parties and Your PCI DSS Assessment

Understanding NIST SP 800-39

Use CMEK To Secure GKE Storage

Using AWS KMS

Using Prowler to Evaluate AWS Security

Using TLS 1.2 to Encrypt Data in Transit

Using Your Risk Assessment Results

Utilize CMKs for OS and Data Disks

Utilize Private Endpoints for Azure Key Vault

What Are The Steps to Risk Assessment

What Data Does PCI DSS Apply To?

What Is the Process for Risk Assessment

What Risk Assessment Documentation is Necessary

What Risk Assessment Method is Appropriate

What Should Be Included in Your Risk Assessment

What Threats Should Be Considered

What's the Point of PCI DSS?

Who Does PCI DSS Apply To?

Who Is Involved In PCI?

Who is Involved in a Risk Assessment

Your PCI Audit Goes Wrong: What Do You Do?