Loading...

PCI-DSS Framework Overview

Course video 10 of 41

This module includes an introduction to many practical aspects of modern enterprise security including awareness, compliance, assessments, and risk management.

Enterprise and Infrastructure Security

纽约大学坦登工程学院

课程 4（共 4 门，Introduction to Cyber Security 专项课程）

This course introduces a series of advanced and current topics in cyber security, many of which are especially relevant in modern enterprise and infrastructure settings. The basics of enterprise compliance frameworks are provided with introduction to NIST and PCI. Hybrid cloud architectures are shown to provide an opportunity to fix many of the security weaknesses in modern perimeter local area networks. Emerging security issues in blockchain, blinding algorithms, Internet of Things (IoT), and critical infrastructure protection are also described for learners in the context of cyber risk. Mobile security and cloud security hyper-resilience approaches are also introduced. The course completes with some practical advice for learners on how to plan careers in cyber security.

查看授课大纲

教学方

Dr. Edward G. Amoroso
Research Professor, NYU and CEO, TAG Cyber LLC

脚本

Hi folks, Ed Amoroso here.

And I want to spend some time in this short video kind of introducing

a framework known as PCI-DSS.

[LAUGH] And that stands for Payment Card Industry Data Security Standards.

It's hard to say that, right?

A lot of sounds in there.

So PCI is really intended to reduce the risk

of cyber attacks to retail businesses.

We've [LAUGH] seen so many attacks to credit card readers and

servers keeping track of retail information and your private account data.

Definitely, your credit card information, my goodness.

See one after another of these kinds of breaches over the last ten years.

So the industry, the payment card industry, credit card industry,

basically, decides this is not reasonable.

We need to improve our industry securities is not acceptable.

People, they stop using credit cards than it's

a big blow to that industry obviously.

So they had to reduce the likelihood of these attacks by increasing trust.

So what they did, is came up with a framework.

This data security standard requirements that they impose a levy on

anyone involved in the payment card industry.

And a whole discipline has emerged, a job, a profession,

called a QSA, or Qualified Security Assessor.

It's a job.

It's a profession. It's something that an auditor might

specialize in.

We're going to go in and either do a pre-assessment or pre-audit

with the business to see if they're consistent with these PCI requirements.

Or going to actually come in, and boom, attest with their stamp of approval

that of particular company has in fact met the PCI requirements.

And they're all these complications around

where you live in the context of the retail industry.

You might be a retail or actually dealing with credit cards, or

you might be say a service provider just kind of supporting that industry and

their different gradations of requirements that are in imposed,

depending on what your role is in that credit card industry.

So, there these different categories.

There's a diagram that we can put up that shows networks and

systems as one category.

A second is the vulnerability management program.

Third is monitoring and testing of your networks.

A fourth is the protection of card holder data.

Fifth, access control measures.

And then the sixth is your information security policy.

And these are all broken up into 12 different sub categories.

These are all requirements that you go one at a time through just like any

framework looking for gaps.

You're looking for

a place where your requirements don't match the requirements that PCI demands.

And if the gap exists, the gap has to be closed.

A QSA has to come in, validate that you've closed it.

There has to be documentation and on and on and on.

This is called security assessment and security audit.

The assessment is the pre-audit,

the real audit activity is done by the QSA with the attestation.

It really is a complicated issue.

Now the foundational problem is that amidst all of this,

we still have retail hacks.

So I think anybody, even a QSA with years of experience,

would tell you that while this reduces risk, it doesn't remove it.

And that's important.

Security assessment and security audit reduce risk, they don't remove risks.

So it's still there.

It just makes things a little better.

It makes our retail system something that we can trust.

A big improvement has been this move from magnetic stripes

on the back of cards to chip in PIN, chip in signature.

Here in the United States, we're a little slower to this sort of thing.

And I think it was October of 2016 that there was a requirement

that businesses really move to a chip kind of model.

Whereas in Europe and other parts of the world that it had been done much sooner.

That certainly reduced risk.

That was something that I think was a real contribution in the retail

industry to greater trust and greater assurance.

But the reality exists that it's still a problem with attacks.

And the fact that there's money involved here makes this very consequential.

So kind of a learning here is that this is a very specific framework,

has a very specific model with 12 subcategories and 6 groupings.

QSAs will commit into pre-audits.

And then full audits to produce an attestation

that businesses need to continue taking credit cards.

The whole process I would claim has in fact reduced risk considerably.

But it hasn't removed it.

That's something that we need to keep in mind.

I hope this has been a useful summary for you.

I'll see you on the next one.

关于 Coursera

课程、专项课程和在线学位均由全世界一流大学和教育机构的顶尖授课教师教授。

Join a community of 40 million learners from around the world

Earn a skill-based course certificate to apply your knowledge

Gain confidence in your skills and further your career

Coursera 致力于普及全世界最好的教育，它与全球一流大学和机构合作提供在线课程。

© 2019 Coursera Inc. 保留所有权利。

通过 App Store 下载

通过 Google Play 获取