Implementing PCI DSS 2.0

Implementing PCI DSS 2.0 (IPD) is a hands-on training course designed to help delegates understand the requirements of the Payment Card Industry Data Security Standard (PCI DSS) v2.0 and develop the competencies needed to implement an effective PCI DSS compliance programme. Through hands-on exercises, delegates develop a PCI DSS compliance programme, beginning with a gap analysis of the current security posture and the definition of a clear and optimised scope. The course also addresses the use of tools to identify cardholder data, both to scope a given environment more accurately and to ensure that machines holding cardholder data have been identified and the data securely removed before decommissioning. Finally, delegates are given an opportunity to reflect on a number of practical issues in meeting the requirements of PCI DSS, and learn common mistakes to avoid and effective ways of moving from a non-compliant state to a compliant one.

"IPD is about acquiring practical skills of working with PCI within your organisation - not just generic theory of the standard itself."


Who Should Attend

This course is ideally suited for:

  • Finance/Banking Officers
  • Internal Auditors
  • Information Security Consultants
  • Regulatory Compliance Staff

“The class will benefit anyone who wants to gain practical knowledge in the domain of implementing and reviewing implementations of the Payment Card Industry Data Security Standard”


Prerequisites

The course is “hands-on”, focused on both understanding and attaining PCI DSS compliance. It is aimed at individuals who already have some understanding of banking and of how credit card payments are processed. The course is not highly technical, but a basic understanding of general computing is necessary to get the most out of it. Although not essential, any existing exposure to general information security principles will be beneficial.

Duration: 2 days

About the course

IPD is a hands-on course developed around a set of real-life case studies used to simulate real PCI DSS compliance activities on cardholder data environments. Specifically, the course addresses the following scenarios:

  • Identifying in-scope Systems and Processes
  • Minimising PCI Scope wherever possible
  • Analysing existing areas of PCI Compliance within your organisation
  • Remediating non-compliant areas

Laptop Requirements

A laptop is required to work through the practical hands-on workshops. Failure to meet the requirements below may mean that a delegate cannot carry out one or more of the practical workshops and so does not get the full benefit of the IPD course. The minimum laptop requirements are:

  • x86-compatible 1.5 GHz CPU or higher
  • DVD drive
  • 1 GB RAM or more
  • 10 GB of available hard drive space
  • VMware Player or VMware Workstation

IPD Toolkit

Each delegate will be provided with the tools and templates used to carry out the practical exercises and challenges.


Course Outline

Day 1: The course begins with the background of the PCI DSS standard and the organisation that controls and disseminates it. We look at related documentation that can be used to better understand and more accurately apply PCI DSS. Later, we cover the relationship between the Information Technology (IT) and Finance/Banking sides of PCI DSS.

Day 2: We proceed with a hands-on card detail discovery and secure removal scenario lab session. This practical exercise is also given context with a case study showing where it should be used. Finally, we cover the project planning, policy and documentation aspects of a PCI DSS compliance programme.

Course Breakdown

Day 1
Module 1: What is PCI DSS?
1.1: What the PCI DSS Standard is
1.2: How PCI DSS Originated
1.3: Organisational PCI DSS Classification
1.4: How PCI Applies to Different Categories of Organisation
1.5: Enforcement and Compliance Channels
1.6: Overview of Related Standards (PA-DSS, PCI PTS/PCI PED)
Module 2: The Standard Itself
2.1: How the Standard is Structured
2.2: The 12 Requirements of PCI DSS
2.3: Associated Documentation
Module 3: Prioritised Approach
3.1: What is the Prioritised Approach?
3.2: Usage of the Prioritised Approach to Minimise Risk and Aid Compliance
3.3: “Safe Harbour” and Enforcement Implications of the Prioritised Approach
Module 4: IT Controls and Requirements
4.1: Overview of IT-Related Controls of the Standard
4.2: How to Assess your IT Security Status
4.3: Recommended IT and Finance Department Interaction models
Module 5: Supporting Documentation
5.1: Classification of other SSC-issued Guidance Types
5.2: How to use the Related Documents
5.3: Primacy and Hierarchy of PCI Literature


Day 2
Module 6: Defining the Scope of your Environment
6.1: Scope’s Relationship with Assessment and Attestation of Compliance
6.2: Consequences of Poor Scoping
6.3: Methods that can be used to achieve a more accurate Scope
6.4: Means of minimising Scope
6.5: De-scoping Systems that can be decommissioned
Module 7: PCI Policy and Documentation Requirements
7.1: Policy Overview
7.2: Incorporating PCI into existing Information Security
7.3: PCI DSS Requirement 12 detailed review
7.4: Incident Response
7.5: End user Messaging
Module 8: Planning a Compliance Programme
8.1: Project Planning Requirements
8.2: Timeframes and Compliance Life-Cycle activities
8.3: Ensuring ongoing Compliance
Module 9: PCI DSS Certification
9.1: PCI DSS Certification Process
9.2: QSAs and ASVs
9.3: Pre-certification checks

Why us?

"Our trainers are security consultants with many years of experience, highly dedicated to teaching and sharing their knowledge."

"IPD is about acquiring practical skills and competence - not just theory."

"We focus on competence and understanding through hands-on exercises."


Dr. Almerindo Graziano
CEO Silensec

About the Authors

Ceri Charlton received his BSc in Computer Science and MSc in Information Security and Computer Crime at the University of Glamorgan in the UK. Ceri has worked at a leading UK Fortune 100 company for almost a decade, where he has assisted over 40 different organisations of varying sizes across a broad array of marketplaces, including holding principal responsibility for a Level 1 Payment Service Provider through four consecutive annual QSA assessments. Ceri has been actively involved with the PCI DSS standard since its early days and has received QSA training from the PCI SSC. He currently provides feedback on the standard on behalf of the industry and sits on the PCI SSC E-commerce Special Interest Group.