Slide 1
PCI DSS v3.0 Report on Compliance (ROC) Assessment Overview
Jeff Messer, Director, TAAS
01/08/2015

Slide 2
Agenda
  What / Why / Who
  ROC Schedule
  Request for Information (RFI) Process Overview
  Onsite Assessment
  Remote Assessment and Remediation Activities
  Draft ROC Report
  Quality Assurance and Draft Review
  Final Report
  Challenges from Experience
  Questions

Slide 3
What / Why / Who
  What is a ROC? A Report on Compliance.
  Why do we need to do a ROC? Because you’re a Level 2 merchant, you are required to have an onsite assessment performed on an annual basis.
  Who is involved? Business and IT.

Slide 4
ROC Schedule
  Period 1 – Pre-Assessment: Documentation and Preparation
    Cardholder Data Environment (CDE) Review: all the people, processes and technologies involved in storing, transmitting or processing cardholder data (CHD).
  Period 2 – Assessment
    ROC Process – Report on Compliance validation

Slide 5
ROC Process Flowchart (diagram only)

Slide 6
RFI Process – Overview
The Coalfire RFI Process is intended to prepare for and facilitate a smooth PCI DSS assessment project. Successful completion of each RFI Phase is critical for meeting timeline expectations for the ROC.

Slide 7
RFI Phase 1
Phase 1 Documents
  Exec 1 – Business Description
  Exec 2 – Department Scope Identification Process
  Exec 3 – Dataflow Diagram(s) / Campus Scope Narrative
  Exec 4 – Network Diagram(s)
  Exec 5 – CDE Inventory

Slide 8
Exec 1 – Business Description
Non-marketing explanation of:
  Lines of business (e.g. retail, ecommerce, brick-and-mortar, etc.)
  Operating locations
  Revenues
  Number of employees
  Number of IT employees
  Major IT contract providers

Slide 9
Exec 2 – Scope Identification Process
Covers all of the methods and processes used to identify and document all instances of cardholder data (electronic / paper).
Include any data discovery tools and any manual or automated processes used to ensure that no cardholder data exists outside of the CDE.
Slide 10
Exec 3 – Dataflow Diagram(s) / Dept. Scope Narrative
Describe all manners in which you accept and process payment card transactions, from card data capture through settlement. Descriptions need to be accompanied by data flow diagrams that highlight the flow of CHD:
  Into the CDE
  Throughout the CDE
  Out of the CDE

Slide 11
Exec 4 – Network Diagram(s)
Depicting the CDE:
  All of the CDE boundaries
  How it is connected to (and/or segmented from) other networks
The diagrams should be both high-level and detailed.

Slide 12
Exec 5 – CDE Inventory
The CDE Inventory spreadsheet documents all in-scope systems that make up the CDE. The inventory must align with all information previously provided.
Completion of this inventory is critical for scheduling and sampling purposes.

Slide 13
RFI Phase 2
Phase 2 Documents
Provide a complete “RFI Phase 2” document:
  Mapping your documentation to all applicable PCI DSS requirements
  Identifying the Owner(s) and the Owner Contact(s) for each requirement
Provide the documentation to Coalfire.
Onsite scheduling:
  Interviews (Interview Schedule)
  Assessments
  Evidence Collection

Slide 14
RFI Phase 2 Spreadsheet (image only)

Slide 15
Onsite Assessment
  Assess all in-scope facilities
  Conduct interview sessions with key personnel
  Perform all necessary technical validation

Slide 16
Remote Assessment & Remediation
Remote Assessment: This time period is to complete any review activity that was not completed during the onsite assessments.
Remediation: This time period is to validate that any issues identified during the assessment have been addressed (i.e. remediated).

Slide 17
Draft ROC Report
We begin writing the ROC report as soon as the Phase 1 documentation has been collected and is complete. After all review and remediation activities have completed, the draft report will be issued.

Slide 18
Quality Assurance and Draft Review
The draft report will be reviewed both by the Campus and by Coalfire’s QA process. The draft will go through iterations until it successfully completes both reviews.

Slide 19
Final Report
  Campus approves the content of the draft report.
  The final Report on Compliance (ROC) and the associated Attestation of Compliance (AOC) will be signed and issued.

Slide 20
Challenges from Experience
  Take this seriously; you don’t want to be a headline.
  Most merchants overestimate their level of control and underestimate the scope of their environment.
  Read the PCI DSS v3.0 to ensure you understand the requirements.
  Think out of the box: don’t assume you know your scope; take time to validate it.
  Surprises found during the penetration testing and vulnerability scanning.
  Remediation always takes longer than you think.

Slide 21
Questions?