Internal Audit Training, IT Audit Training Courses, Information Security Training - CPE Interactive

Continuing Professional Education for Audit, Assurance, & Info Security

Course Description

CyberSecurity for credit and debit card processing and storage is governed by the Payment Card Industry Data Security Standard (PCI DSS). The standard places heavy emphasis on protecting payment card information wherever and whenever it is processed, stored, or transmitted, and on ensuring that members, merchants, and service providers maintain the highest CyberSecurity standards. Meeting the twelve (12) requirements of this evolving standard can be a daunting challenge, and non-compliance can result in costly fines, loss of valuable retail customers, and continued vulnerability to serious payment card data attacks.

In this practical seminar, you will gain solid familiarity with the current PCI DSS and its recent significant changes, and get proven tips on how best to overcome compliance challenges. You will examine a summary of the compliance requirements and cover practical solutions, potential risks, and common pitfalls. Highlights of the CyberSecurity controls needed to satisfy PCI DSS requirements are presented using a practical, commonsense methodology that emphasizes a top-down, structured approach to implementing the standard in day-to-day business operations.

Learning Objectives

  • Gain familiarity with the content, compliance requirements, and potential non-compliance risks associated with PCI DSS
  • Identify formal audit vs. self-assessment requirements
  • Evaluate the causes of CyberAttacks on stored and/or transmitted payment card data experienced by prominent merchants and service bureaus
  • Identify control areas within the standard that create the greatest compliance challenges
  • Identify tools and techniques useful in achieving cost-effective compliance and gap analysis audits

Course Outline

Overview of the PCI DSS and Its Companion Standards

  • Payment Card Industry Data Security Standard (PCI DSS)
  • Self-Assessment Questionnaires (SAQ)
  • Payment Application Data Security Standard (PA-DSS)
  • PIN Transaction Security (PTS)

Compliance Requirements and Strategies

  • Attestation of compliance requirements
  • Merchant and service provider attestation levels
  • Sorting out compliance roles and responsibilities
  • Mapping PCI DSS to other governance and security standards
  • Common vulnerabilities and other PCI DSS related security trends
  • Addressing compensating controls

Vulnerability Management and Testing

  • Benefits and limitations of Approved Scanning Vendor (ASV) scans
  • Vulnerability severity levels
  • False-positive resolution
  • Anti-virus/malicious software*
  • Vulnerability/threat alert tracking*
  • Patch management*
  • Network and host vulnerability scanning tools and techniques*

Auditing CyberSecurity Governance

  • Defining an enterprise CyberSecurity architecture
  • Creating a policies, standards, and procedures architecture to address ALL aspects of the PCI DSS

Auditing Physical Security of the IT Environment and Stored Card Data*

  • Building, computer room, media storage, and other limited access areas
  • Securing on-site and off-site storage and disposal of documents and storage media

Host CyberSecurity and Stored Cardholder Data Protection and Audit*

  • Logical access controls
  • Encryption key management
  • User account administration
  • Account number concealment methods
  • Avoiding critical card data protection pitfalls
  • Virtualization risks and safeguards
  • Point-of-Sale / PIN device risk and security safeguards
  • Methods for detecting payment card data "at rest" and "in motion"
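As an added illustration of two items above, "account number concealment methods" and "methods for detecting payment card data at rest", the following Python is example code written for this page; it is not course material or a tool from CPE Interactive. It scans text (a constructed log excerpt, using well-known test card numbers that pass the Luhn check but are not issued to anyone) for candidate primary account numbers (PANs), discards candidates that fail the Luhn check so that order IDs and phone numbers are not flagged, and masks the survivors to the first six and last four digits, the classic PCI DSS masking rule for displayed PANs. The regular expression, the 13 to 19 digit length window, and the separator handling are this example's assumptions, not figures taken from the page.

```python
import re

# Constructed sample log lines. The card numbers are public test PANs
# (Luhn-valid, never issued); the order ID is 16 digits but Luhn-invalid.
SAMPLE_LOG = """\
2024-03-01 10:14:02 order=1234567890123456 card=4111 1111 1111 1111 status=approved
2024-03-01 10:14:09 card=5555-5555-5555-4444 phone=555-867-5309 status=declined
2024-03-01 10:15:31 card=378282246310005 note=amex
"""

# A candidate PAN: 13 to 19 digits, optionally separated by single spaces
# or dashes, not embedded in a longer run of digits (assumption: PANs in
# this data are never glued to other digits).
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every second digit from the right is doubled; doubled values above
    nine have nine subtracted; the total must be divisible by ten.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(candidate: str) -> str:
    return re.sub(r'[ -]', '', candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, separators removed."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = _strip_separators(m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Conceal a PAN, keeping only the first six and last four digits."""
    return digits[:6] + '*' * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form.

    Candidates that fail the Luhn check (order numbers, IDs) are left
    untouched so the log stays useful for troubleshooting.
    """
    def _sub(m):
        digits = _strip_separators(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return CANDIDATE.sub(_sub, text)


if __name__ == '__main__':
    print('found:', find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

Used as a data-at-rest check, the same `find_pans` routine can be run over file shares, database dumps, and log archives to locate cardholder data that is stored where the cardholder data environment scope says it should not be; the Luhn filter keeps the false-positive rate manageable, but any hit still needs manual confirmation before it is treated as an audit finding.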

Auditing Security Log Management and Incident Response*

  • Audit log event types and content
  • Audit log protection and retention
  • Log report generation and monitoring
  • System clock management
  • File integrity monitoring
  • Intrusion detection/prevention systems
  • Incident response and data breach reporting
  • Digital forensics considerations

Secure Application Design and Testing*

  • Common application vulnerabilities and attacks
  • Change controls, configuration management, and security verification in the system development life cycle (SDLC)
  • Sources of programming standards for secure design and testing
  • Tools and techniques for application CyberSecurity testing: source code to full application
  • Leveraging the PA-DSS and list of certified products

Importance of Web Application Firewalls to Offset Design Deficiencies of Internal and Perimeter Network CyberSecurity*

*Included in 3-day lecture course only

Additional Information

Who Should Attend

  • IT Auditors
  • Information Security Managers, Analysts, and Architects
  • IT Architects
  • Compliance Officers
  • Consultants

Learning Level

Intermediate

Delivery

Group-Live

Field

Auditing

Advanced Preparation

None

Recommended Prerequisites

How to Perform an IT General Controls Review (AA03) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.

Session Duration

Online: N/A

On Site: 1 or 3 days

CPE Credits: 8 or 24