Mastering the implementation and management of processes based on PCI DSS v.3.2
This two-day intensive course gives participants the knowledge and skills needed to support an organization in implementing processes based on PCI DSS v.3.2. Participants will also receive recommendations on enhancing information security and the effectiveness of the processes related to issuing payment cards and handling cardholder data. Participants will develop skills in implementing the requirements of the international standard PCI DSS v.3.2 and in responding to information security risks.
Who should attend?
- Specialists and managers of retail business departments that support the issuing and acquiring of payment cards and the operation of payment card processes;
- Specialists in the area of internal control and IT audit;
- Specialists in the area of information and operational risks, information security specialists;
- IT specialists;
- Senior managers responsible for IT governance of the enterprise, for the management of information security risks, and for compliance with the requirements of the international payment systems Visa, MasterCard, etc.
Upon finishing the course, participants will be able to:
- Identify the processes of the payment card industry (issuing, acquiring, etc.)
- Understand the requirements of the international standard for the security of cardholder data, PCI DSS v.3.2
- Introduce processes in accordance with the requirements of PCI DSS v.3.2
- Assess the effectiveness of processes in meeting the requirements of PCI DSS v.3.2
- Prepare documentation in accordance with the requirements of PCI DSS v.3.2
Vladimir Tkachenko CISA, CISSP, CLPTP, ISO 27001 LI, ISO 27001 LA, ISO 31000 RM
Valentin Sysoev CISA, CISM, CRISC, CLPTP, ISO 27001 LA, ISO 27005 RM, ISO 31000 RM
Section 1: Introduction to the payment card industry (9:45 to 11:30)
- Module 1. What is PCI: definition, basic concepts, objectives and tasks. Introduction to PCI, main terms and objectives
- Module 2. Card transaction processing and the core participants in PCI processes. Payment card issuing, acquiring, authorization. Participants in the PCI process (regulators, service providers, banks, auditors, merchants / trade and service organizations)
- Module 3. Review of the methods applied to ensure compliance with PCI DSS. Defining the levels of merchants (trade and service organizations) and service providers; the main methods of assessing compliance: self-assessment and certification audit
Section 2: Introduction to PCI DSS v.3.2 (11:45 to 13:00, lunch break, 14:00 to 17:15)
- Module 1. Introduction to PCI DSS v.3.2
Basic objectives, structure and requirements of the standard; definition of the scope of the standard
- Module 2. Requirements for the organization of network security and information systems.
Description of the network architecture, network security issues (firewalls, intrusion prevention systems, etc.), security issues when using passwords and accounts
- Module 3. Requirements for protection against malicious software and vulnerability management in the developed software
Issues of antivirus protection, vulnerability management in all components of information systems and self-developed software, a vulnerability management program based on the OWASP and SANS methodologies
- Module 4. Requirements for the organization of access control in information systems and the organization of physical access
Implementing logical access control processes for systems; restricting access to premises where cardholder data is stored, processed or transmitted
- Module 5. Requirements for logging events in networks and information systems, issues of information security testing
Organization of event logging processes, periodic vulnerability scanning and penetration testing
- Module 6. Managing information security processes
Information security policy, IS risk management, raising user awareness
Section 3: Tips for implementing PCI DSS v.3.2 (11:45 to 13:15)
- Module 1. Analysis of changes in the standard compared to the previous version. The prioritized approach to implementing the standard
Analysis of the changes in version 3.2. Review of the prioritized approach and the main recommended steps for implementing the standard
- Module 2. Tools for implementing the requirements of the standard and aspects of their application
Using the PCI DSS v.3.2 Compliance Dashboard, checklists and other tools; “an adapted set of PCI DSS documents” (myths and reality)
- Module 3. Processes for assessing compliance with the requirements of the standard
Carrying out self-assessment and certification audit; compensating controls; interim arrangements for meeting the requirements of the standard. Features of version 3.2
This training is based on both theory and practice:
- Lecture sessions illustrated with examples based on real cases
- Practical exercises based on a full case study, including role playing and oral presentations
- Review exercises to assist with exam preparation
- A practice test similar to the certification exam
In order to maximize the benefit of the practical training, the number of participants is limited.