1
00:00:00,210 --> 00:00:02,250
Speaker: When working as a penetration tester,
2
00:00:02,250 --> 00:00:04,019
you need to be familiar with a wide range
3
00:00:04,019 --> 00:00:06,180
of basic laws and regulations.
4
00:00:06,180 --> 00:00:09,510
Especially for performing a compliance-based assessment.
5
00:00:09,510 --> 00:00:11,370
There are numerous laws and regulations
6
00:00:11,370 --> 00:00:13,560
that organizations may be subject to,
7
00:00:13,560 --> 00:00:15,300
and it's our job to help test
8
00:00:15,300 --> 00:00:17,640
or prove their compliance with various legal
9
00:00:17,640 --> 00:00:20,529
and regulatory requirements based upon their industry.
10
00:00:20,529 --> 00:00:23,190
Now, in exam objective 1.1,
11
00:00:23,190 --> 00:00:25,530
it states that regulatory compliance considerations
12
00:00:25,530 --> 00:00:26,940
are important to know,
13
00:00:26,940 --> 00:00:31,940
but then it only lists two sub-bullets: GDPR and PCI-DSS.
14
00:00:32,369 --> 00:00:35,490
That said, I wanna take a moment and direct your attention
15
00:00:35,490 --> 00:00:36,960
to the bottom of page two
16
00:00:36,960 --> 00:00:40,200
of your official CompTIA PenTest+ exam objectives,
17
00:00:40,200 --> 00:00:42,570
because this is an area that I usually get a lot
18
00:00:42,570 --> 00:00:45,240
of questions from students about when I bring up concepts
19
00:00:45,240 --> 00:00:47,580
that aren't clearly listed as one of the sub-bullets
20
00:00:47,580 --> 00:00:48,874
in the exam guide.
21
00:00:48,874 --> 00:00:53,250
Now notice, in big red letters it says, please note,
22
00:00:53,250 --> 00:00:54,900
and then it provides us with a paragraph
23
00:00:54,900 --> 00:00:57,990
of important but often overlooked information.
24
00:00:57,990 --> 00:01:01,200
It goes on to state this, the list of examples provided
25
00:01:01,200 --> 00:01:04,135
in bulleted format are not exhaustive lists.
26
00:01:04,135 --> 00:01:07,200
Other examples of technologies, processes,
27
00:01:07,200 --> 00:01:10,260
or tasks pertaining to each objective may be included
28
00:01:10,260 --> 00:01:12,780
on the exam, although not listed or covered
29
00:01:12,780 --> 00:01:14,670
in this objectives document.
30
00:01:14,670 --> 00:01:17,250
So what does this mean for us as we're studying
31
00:01:17,250 --> 00:01:18,570
for the exam?
32
00:01:18,570 --> 00:01:22,500
Well, it means that even though GDPR and PCI-DSS
33
00:01:22,500 --> 00:01:24,600
are the only sub-bullets listed,
34
00:01:24,600 --> 00:01:27,000
on test day you could easily get a question
35
00:01:27,000 --> 00:01:30,660
about GLBA, SOX, HIPAA, FISMA,
36
00:01:30,660 --> 00:01:33,120
or other regulatory considerations.
37
00:01:33,120 --> 00:01:36,450
When you hear the term regulation or regulatory,
38
00:01:36,450 --> 00:01:38,670
this is just a fancy word for a law
39
00:01:38,670 --> 00:01:41,550
with some compliance requirements associated with it.
40
00:01:41,550 --> 00:01:43,890
So you need to ensure you're well prepared.
41
00:01:43,890 --> 00:01:44,858
And to help you do that,
42
00:01:44,858 --> 00:01:46,710
we're gonna do a quick coverage
43
00:01:46,710 --> 00:01:49,470
of the main regulatory compliance considerations
44
00:01:49,470 --> 00:01:51,900
that you should know as a penetration tester
45
00:01:51,900 --> 00:01:54,420
just in case you get one of them on the exam,
46
00:01:54,420 --> 00:01:57,129
and then we're gonna do a bit of a deeper dive into GDPR
47
00:01:57,129 --> 00:02:00,900
and PCI-DSS because those two were specifically called
48
00:02:00,900 --> 00:02:02,820
out in the sub-bullets.
49
00:02:02,820 --> 00:02:06,000
Now, you don't have to memorize everything I'm about to say,
50
00:02:06,000 --> 00:02:09,539
but you should be able to do some basic keyword association.
51
00:02:09,539 --> 00:02:11,730
For example, if I say HIPAA,
52
00:02:11,730 --> 00:02:14,340
you should realize that this affects healthcare data
53
00:02:14,340 --> 00:02:17,167
and so if you're assessing a doctor's office, a hospital,
54
00:02:17,167 --> 00:02:18,884
a healthcare insurance company,
55
00:02:18,884 --> 00:02:22,224
then HIPAA is going to affect you and your engagement.
56
00:02:22,224 --> 00:02:24,900
All right, let's first talk about HIPAA.
57
00:02:24,900 --> 00:02:27,420
Now, HIPAA is the Health Insurance Portability
58
00:02:27,420 --> 00:02:29,130
and Accountability Act,
59
00:02:29,130 --> 00:02:31,807
and it's often commonly just referred to as HIPAA.
60
00:02:31,807 --> 00:02:35,190
Now, HIPAA affects healthcare providers, facilities,
61
00:02:35,190 --> 00:02:38,306
insurance companies, and medical data clearinghouses.
62
00:02:38,306 --> 00:02:39,721
HIPAA has rigorous requirements
63
00:02:39,721 --> 00:02:41,929
for anyone dealing with patient information
64
00:02:41,929 --> 00:02:45,196
or computerized electronic patient records or other forms
65
00:02:45,196 --> 00:02:49,980
of protected health information, which we call PHI.
66
00:02:49,980 --> 00:02:51,810
Now, if the organization is processing
67
00:02:51,810 --> 00:02:53,400
or storing medical data,
68
00:02:53,400 --> 00:02:55,830
they're gonna be affected by HIPAA.
69
00:02:55,830 --> 00:02:59,400
Now, the Healthcare and Education Reconciliation Act of 2010
70
00:02:59,400 --> 00:03:03,000
also affects both healthcare and educational organizations,
71
00:03:03,000 --> 00:03:05,128
and it increases some security measures necessary
72
00:03:05,128 --> 00:03:07,763
to protect healthcare information too.
73
00:03:07,763 --> 00:03:11,220
SOX, or Sarbanes-Oxley, was enacted by Congress
74
00:03:11,220 --> 00:03:13,770
under the name Public Company Accounting Reform
75
00:03:13,770 --> 00:03:16,620
and Investor Protection Act of 2002,
76
00:03:16,620 --> 00:03:19,558
but it's almost always referred to simply as Sarbanes-Oxley
77
00:03:19,558 --> 00:03:22,156
after the two lead senators who sponsored this bill
78
00:03:22,156 --> 00:03:24,480
and fought for it to become law.
79
00:03:24,480 --> 00:03:26,370
If you're targeting an organization that is
80
00:03:26,370 --> 00:03:28,590
a publicly traded US corporation,
81
00:03:28,590 --> 00:03:30,900
it is gonna be affected by this regulation
82
00:03:30,900 --> 00:03:33,030
and it must follow certain accounting methods
83
00:03:33,030 --> 00:03:34,514
and financial reporting.
84
00:03:34,514 --> 00:03:37,530
Failure to follow Sarbanes-Oxley can even result
85
00:03:37,530 --> 00:03:40,710
in senior leadership receiving jail time for non-compliance.
86
00:03:40,710 --> 00:03:43,368
So it's a really big deal for public corporations.
87
00:03:43,368 --> 00:03:47,910
GLBA, or the Gramm-Leach-Bliley Act of 1999,
88
00:03:47,910 --> 00:03:50,610
was written to affect banks, mortgage companies,
89
00:03:50,610 --> 00:03:53,940
loan offices, insurance companies, investment companies,
90
00:03:53,940 --> 00:03:55,620
and credit card companies.
91
00:03:55,620 --> 00:03:59,160
Basically, it affects financial institutions of all kinds.
92
00:03:59,160 --> 00:04:01,560
Now, GLBA directly affects the security
93
00:04:01,560 --> 00:04:05,160
of personally identifiable information, known as PII,
94
00:04:05,160 --> 00:04:06,967
and it prohibits sharing financial information
95
00:04:06,967 --> 00:04:10,050
with any third parties as well as providing guidelines
96
00:04:10,050 --> 00:04:12,316
for securing that financial information.
97
00:04:12,316 --> 00:04:14,310
Next, we have FISMA,
98
00:04:14,310 --> 00:04:18,149
or the Federal Information Security Management Act of 2002.
99
00:04:18,149 --> 00:04:20,469
Now, FISMA only affects federal agencies
100
00:04:20,469 --> 00:04:23,070
because it is a federal program.
101
00:04:23,070 --> 00:04:25,320
Now, each federal agency is gonna be required
102
00:04:25,320 --> 00:04:27,600
to develop, document, and implement
103
00:04:27,600 --> 00:04:30,877
an agency-wide information system security program.
104
00:04:30,877 --> 00:04:33,570
FISMA's goal is to create more secure networks
105
00:04:33,570 --> 00:04:36,000
across the whole of the US government.
106
00:04:36,000 --> 00:04:36,833
Prior to this act,
107
00:04:36,833 --> 00:04:40,140
there was the Computer Security Act of 1987,
108
00:04:40,140 --> 00:04:41,730
but FISMA replaced it and added
109
00:04:41,730 --> 00:04:43,661
a lot more stringent requirements.
110
00:04:43,661 --> 00:04:45,763
Another federally focused regulation
111
00:04:45,763 --> 00:04:49,170
is the Federal Privacy Act of 1974.
112
00:04:49,170 --> 00:04:51,685
And this affects any US government computer system
113
00:04:51,685 --> 00:04:55,410
that collects, stores, uses, or disseminates
114
00:04:55,410 --> 00:04:59,160
personally identifiable information, known as PII.
115
00:04:59,160 --> 00:05:02,550
Now note, the Federal Privacy Act only places requirements
116
00:05:02,550 --> 00:05:05,070
directly upon federal government agencies
117
00:05:05,070 --> 00:05:06,690
as they collect information.
118
00:05:06,690 --> 00:05:09,360
It does not apply to private corporations.
119
00:05:09,360 --> 00:05:11,940
For example, my company, DION Training,
120
00:05:11,940 --> 00:05:14,430
does not have to follow the Federal Privacy Act
121
00:05:14,430 --> 00:05:17,160
because we are not considered a US government agency
122
00:05:17,160 --> 00:05:20,020
or organization underneath the US government.
123
00:05:20,020 --> 00:05:22,050
Next, we have FERPA,
124
00:05:22,050 --> 00:05:25,140
which is the Family Education Rights and Privacy Act.
125
00:05:25,140 --> 00:05:27,420
This is a federal law that protects the privacy
126
00:05:27,420 --> 00:05:29,610
of student educational records.
127
00:05:29,610 --> 00:05:32,370
This regulation applies to all schools that receive funding
128
00:05:32,370 --> 00:05:34,320
from the US Department of Education,
129
00:05:34,320 --> 00:05:36,210
including colleges and universities
130
00:05:36,210 --> 00:05:38,370
within the United States.
131
00:05:38,370 --> 00:05:41,850
Next, the Economic Espionage Act of 1996
132
00:05:41,850 --> 00:05:44,134
is gonna affect organizations with trade secrets
133
00:05:44,134 --> 00:05:46,320
and anyone who tries to use encryption
134
00:05:46,320 --> 00:05:48,120
for criminal activities.
135
00:05:48,120 --> 00:05:50,910
Under this act, even intangible trade secrets
136
00:05:50,910 --> 00:05:52,920
like certain processes or procedures
137
00:05:52,920 --> 00:05:54,630
are considered protected.
138
00:05:54,630 --> 00:05:56,880
If anyone tries to steal our trade secrets,
139
00:05:56,880 --> 00:05:59,717
they could be prosecuted under this federal law.
140
00:05:59,717 --> 00:06:01,740
Next, we have COPPA.
141
00:06:01,740 --> 00:06:04,890
Now, COPPA, or the Child Online Privacy Protection Act,
142
00:06:04,890 --> 00:06:07,470
is going to impose certain requirements on website owners
143
00:06:07,470 --> 00:06:09,900
and online services that are directed to children
144
00:06:09,900 --> 00:06:11,550
under the age of 13,
145
00:06:11,550 --> 00:06:13,594
as well as other websites or online services
146
00:06:13,594 --> 00:06:15,810
that have actual knowledge that they're collecting
147
00:06:15,810 --> 00:06:18,180
personal information online from a child
148
00:06:18,180 --> 00:06:20,033
who is under 13 years of age.
149
00:06:20,033 --> 00:06:22,762
So if an organization is running a website,
150
00:06:22,762 --> 00:06:24,510
like let's say Facebook,
151
00:06:24,510 --> 00:06:26,321
and they're gonna be collecting data on their users,
152
00:06:26,321 --> 00:06:28,590
they're gonna be subject to COPPA.
153
00:06:28,590 --> 00:06:30,900
Now, a lot of Big Tech companies are trying to say
154
00:06:30,900 --> 00:06:32,400
they shouldn't fall under this law
155
00:06:32,400 --> 00:06:34,980
because they're not targeting people under 13.
156
00:06:34,980 --> 00:06:37,290
In fact, when you try to create a regular account
157
00:06:37,290 --> 00:06:40,170
on Facebook, for example, it's gonna ask for your birthday
158
00:06:40,170 --> 00:06:41,280
to check your age.
159
00:06:41,280 --> 00:06:43,770
And if you're under 13, it won't let you create an account
160
00:06:43,770 --> 00:06:45,210
without your parents' consent.
161
00:06:45,210 --> 00:06:47,880
But what this really does is just have children lying
162
00:06:47,880 --> 00:06:50,550
about their age and selecting a year a little bit older
163
00:06:50,550 --> 00:06:53,100
than they are, that way they can bypass the age check
164
00:06:53,100 --> 00:06:54,900
and create an account anyway.
165
00:06:54,900 --> 00:06:57,000
Now with COPPA, the fines are gonna come
166
00:06:57,000 --> 00:06:59,460
from the Federal Trade Commission, or FTC,
167
00:06:59,460 --> 00:07:00,960
anytime there's a violation,
168
00:07:00,960 --> 00:07:04,050
and they charge about $40,000 per violation.
169
00:07:04,050 --> 00:07:06,720
Now, this amount of money could bankrupt smaller operators
170
00:07:06,720 --> 00:07:08,010
and small businesses,
171
00:07:08,010 --> 00:07:11,130
but for a company like Facebook, or Google, or TikTok,
172
00:07:11,130 --> 00:07:13,139
this isn't even a blip on their radar.
173
00:07:13,139 --> 00:07:15,780
COPPA tends to be a pretty controversial regulation
174
00:07:15,780 --> 00:07:18,090
actually, because it puts a ton of extra requirements
175
00:07:18,090 --> 00:07:20,310
on companies that are trying to serve younger markets
176
00:07:20,310 --> 00:07:22,170
with educational content too.
177
00:07:22,170 --> 00:07:24,738
So keep this in mind if you're dealing with an organization
178
00:07:24,738 --> 00:07:26,400
that has products that are gonna be used
179
00:07:26,400 --> 00:07:29,400
by younger users like a toy company, for example.
180
00:07:29,400 --> 00:07:31,182
COPPA is going to apply to them.
181
00:07:31,182 --> 00:07:34,737
All right, now it's time for us to dive into GDPR
182
00:07:34,737 --> 00:07:36,630
and PCI-DSS.
183
00:07:36,630 --> 00:07:39,148
First, we're gonna take a look at GDPR.
184
00:07:39,148 --> 00:07:42,433
Now, GDPR, or the General Data Protection Regulation,
185
00:07:42,433 --> 00:07:44,280
is one of the biggest requirements
186
00:07:44,280 --> 00:07:45,541
and one of the best requirements
187
00:07:45,541 --> 00:07:48,600
in terms of consumer privacy protections.
188
00:07:48,600 --> 00:07:51,750
GDPR is a law that was created by the European Union
189
00:07:51,750 --> 00:07:53,280
and it places specific requirements
190
00:07:53,280 --> 00:07:56,160
on how consumer data must be protected.
191
00:07:56,160 --> 00:07:59,250
This regulation applies to any organization or company
192
00:07:59,250 --> 00:08:00,750
that does business with residents
193
00:08:00,750 --> 00:08:02,905
of the European Union and Britain.
194
00:08:02,905 --> 00:08:06,112
GDPR states that personal data cannot be collected,
195
00:08:06,112 --> 00:08:09,390
processed, or retained without the individual's
196
00:08:09,390 --> 00:08:10,675
informed consent.
197
00:08:10,675 --> 00:08:13,320
Now, when I talk about informed consent,
198
00:08:13,320 --> 00:08:16,080
this means that the data must be collected and processed
199
00:08:16,080 --> 00:08:17,454
only for the stated purpose,
200
00:08:17,454 --> 00:08:20,340
and that purpose has to be clearly described
201
00:08:20,340 --> 00:08:22,260
to the user in plain language
202
00:08:22,260 --> 00:08:24,900
and not in some kind of legal jargon.
203
00:08:24,900 --> 00:08:26,904
So if you go to a website and they say,
204
00:08:26,904 --> 00:08:29,787
please enter your name, your email, and your home address
205
00:08:29,787 --> 00:08:31,680
so that we can sell you this product
206
00:08:31,680 --> 00:08:34,140
and then deliver it to your house, well, guess what?
207
00:08:34,140 --> 00:08:36,059
That is the stated purpose.
208
00:08:36,059 --> 00:08:37,980
That doesn't mean they can now send you junk mail
210
00:08:39,486 --> 00:08:41,705
That doesn't mean they can now send you junk mail
211
00:08:41,705 --> 00:08:45,030
every single week to your home address or to your email.
212
00:08:45,030 --> 00:08:46,230
They can't try and just use this
213
00:08:46,230 --> 00:08:47,850
to get you to buy more stuff,
214
00:08:47,850 --> 00:08:51,330
that wasn't part of their privacy policy that you accepted.
215
00:08:51,330 --> 00:08:54,240
Now, additionally, the company must get your permission
216
00:08:54,240 --> 00:08:55,740
for each separate piece of data
217
00:08:55,740 --> 00:08:57,420
that they wanna collect on you.
218
00:08:57,420 --> 00:08:59,340
For example, you could provide permission
219
00:08:59,340 --> 00:09:01,470
to collect your IP address for analytics,
220
00:09:01,470 --> 00:09:03,750
but not give them permission to collect your email address
221
00:09:03,750 --> 00:09:05,010
for marketing.
222
00:09:05,010 --> 00:09:08,520
Basically, GDPR says you have to be upfront with this,
223
00:09:08,520 --> 00:09:10,140
and it also provides a provision in the law
224
00:09:10,140 --> 00:09:12,810
to ensure a user has the right to withdraw their consent
225
00:09:12,810 --> 00:09:14,160
at any time.
226
00:09:14,160 --> 00:09:16,680
It also gives them the ability to inspect, amend,
227
00:09:16,680 --> 00:09:18,900
or erase any data that's held about them
228
00:09:18,900 --> 00:09:21,000
in that organization's database.
229
00:09:21,000 --> 00:09:24,090
This is referred to as the right to be forgotten.
230
00:09:24,090 --> 00:09:27,120
If you're a resident and citizen of the European Union,
231
00:09:27,120 --> 00:09:29,610
you can call up the company or fill out their form online
232
00:09:29,610 --> 00:09:31,984
and say, "I want you to forget everything you've ever known
233
00:09:31,984 --> 00:09:34,470
about me," and they have to go into their database
234
00:09:34,470 --> 00:09:35,970
and scrub you out of it.
235
00:09:35,970 --> 00:09:37,740
That is part of this law.
236
00:09:37,740 --> 00:09:40,320
So if you're a European Union citizen,
237
00:09:40,320 --> 00:09:43,110
GDPR gives you a lot of protections.
238
00:09:43,110 --> 00:09:45,150
But if you're an American citizen,
239
00:09:45,150 --> 00:09:46,890
we don't have those same rights.
240
00:09:46,890 --> 00:09:48,896
So if I'm sitting in Florida and I wanna be forgotten,
241
00:09:48,896 --> 00:09:50,349
I can't do it.
242
00:09:50,349 --> 00:09:52,110
That's not just something that the companies
243
00:09:52,110 --> 00:09:53,370
have to do for me.
244
00:09:53,370 --> 00:09:54,690
Now, I can request it,
245
00:09:54,690 --> 00:09:57,240
but by law they are not required to do it
246
00:09:57,240 --> 00:10:00,300
because I'm an American citizen sitting in Florida.
247
00:10:00,300 --> 00:10:02,616
Now, one of the most unique things about GDPR
248
00:10:02,616 --> 00:10:05,490
is that it actually applies globally to all companies
249
00:10:05,490 --> 00:10:07,620
and organizations that are performing business
250
00:10:07,620 --> 00:10:09,720
with European Union citizens.
251
00:10:09,720 --> 00:10:12,330
So even if the company doesn't have a physical boundary
252
00:10:12,330 --> 00:10:14,160
inside the European Union,
253
00:10:14,160 --> 00:10:16,503
if you're gonna be doing business with citizens there
254
00:10:16,503 --> 00:10:20,190
then you have to meet the compliance requirements of GDPR.
255
00:10:20,190 --> 00:10:22,157
These rules are something that a penetration tester
256
00:10:22,157 --> 00:10:25,110
might be asked to validate to make sure the organization
257
00:10:25,110 --> 00:10:27,990
is in compliance with it during an engagement.
258
00:10:27,990 --> 00:10:31,350
Additionally, GDPR states that businesses must only collect
259
00:10:31,350 --> 00:10:33,840
the minimal amount of data that's needed to interact
260
00:10:33,840 --> 00:10:34,950
with that website.
261
00:10:34,950 --> 00:10:37,511
So there's a lot less data there that could be exposed
262
00:10:37,511 --> 00:10:41,310
in the event of a data breach if you're following GDPR.
263
00:10:41,310 --> 00:10:42,606
Now, if a data breach does occur,
264
00:10:42,606 --> 00:10:44,862
the company must notify all of its customers
265
00:10:44,862 --> 00:10:47,134
within 72 hours.
266
00:10:47,134 --> 00:10:49,410
GDPR also states that if your company
267
00:10:49,410 --> 00:10:51,750
has over 250 employees,
268
00:10:51,750 --> 00:10:53,730
it's gonna be required to audit their systems
269
00:10:53,730 --> 00:10:56,550
and take rigorous steps to protect any data stored
270
00:10:56,550 --> 00:10:59,010
within their system or in the cloud.
271
00:10:59,010 --> 00:11:01,560
Failure to comply with GDPR's requirements can lead
272
00:11:01,560 --> 00:11:05,040
to fines or fees that are levied upon your organization.
273
00:11:05,040 --> 00:11:06,480
If you're gonna perform an engagement
274
00:11:06,480 --> 00:11:08,610
and you wanna include a GDPR check,
275
00:11:08,610 --> 00:11:13,423
there's a great checklist over at https://gdpr.eu.
276
00:11:15,420 --> 00:11:17,520
And you can go there and download it and then use that
277
00:11:17,520 --> 00:11:19,740
to test the strength of the organization's infrastructure
278
00:11:19,740 --> 00:11:22,744
against vulnerabilities known to cause data breaches.
279
00:11:22,744 --> 00:11:26,616
Now, the last thing we're gonna cover is PCI-DSS.
280
00:11:26,616 --> 00:11:30,060
Now, PCI-DSS is technically not a regulation,
281
00:11:30,060 --> 00:11:31,470
it's a standard.
282
00:11:31,470 --> 00:11:33,420
Standards don't have the enforcement that laws
283
00:11:33,420 --> 00:11:35,460
and regulations do, but instead,
284
00:11:35,460 --> 00:11:37,096
they're created by specific industries
285
00:11:37,096 --> 00:11:39,603
and they're followed as a form of best practice.
286
00:11:39,603 --> 00:11:42,186
Now, some standards though do have penalties associated
287
00:11:42,186 --> 00:11:44,280
with them for non-compliance,
288
00:11:44,280 --> 00:11:46,830
and PCI-DSS is one of them.
289
00:11:46,830 --> 00:11:49,492
Because of this, a lot of penetration testers do a lot
290
00:11:49,492 --> 00:11:52,620
of work with PCI-DSS to ensure that companies
291
00:11:52,620 --> 00:11:55,563
and organizations are in compliance with its requirements.
292
00:11:55,563 --> 00:12:00,300
PCI-DSS, or the Payment Card Industry Data Security Standard,
293
00:12:00,300 --> 00:12:02,970
is an agreement that any organization that collects, stores,
294
00:12:02,970 --> 00:12:05,532
or processes credit card customer information
295
00:12:05,532 --> 00:12:07,590
has to abide by.
296
00:12:07,590 --> 00:12:09,626
This is not actually a law or regulation,
297
00:12:09,626 --> 00:12:11,940
but instead, it's a contractual agreement
298
00:12:11,940 --> 00:12:14,384
and a standard that must be followed if the organization
299
00:12:14,384 --> 00:12:17,220
wants to handle credit card transactions.
300
00:12:17,220 --> 00:12:20,130
The PCI-DSS standard specifies the controls
301
00:12:20,130 --> 00:12:22,380
that must be in place by the organization
302
00:12:22,380 --> 00:12:25,680
to minimize vulnerabilities, employ strong access control,
303
00:12:25,680 --> 00:12:27,975
and consistently conduct testing and monitoring
304
00:12:27,975 --> 00:12:29,667
of their infrastructure.
305
00:12:29,667 --> 00:12:33,165
PCI-DSS is gonna apply equally to both e-commerce stores
306
00:12:33,165 --> 00:12:36,067
and traditional brick and mortar stores.
307
00:12:36,067 --> 00:12:38,040
To protect cardholder data,
308
00:12:38,040 --> 00:12:40,230
the organization must create and maintain
309
00:12:40,230 --> 00:12:43,020
a secure infrastructure using dedicated appliances
310
00:12:43,020 --> 00:12:45,662
and software to monitor and prevent attacks.
311
00:12:45,662 --> 00:12:47,580
They also must employ best practices,
312
00:12:47,580 --> 00:12:49,920
such as changing default passwords
313
00:12:49,920 --> 00:12:53,670
and training users not to fall victim of phishing campaigns.
314
00:12:53,670 --> 00:12:56,100
They also need to continuously monitor for vulnerabilities
315
00:12:56,100 --> 00:12:59,040
and use updated antimalware protections.
316
00:12:59,040 --> 00:12:59,910
And finally,
317
00:12:59,910 --> 00:13:02,640
they must provide strong access control mechanisms
318
00:13:02,640 --> 00:13:05,490
and utilize the concept of least privilege.
319
00:13:05,490 --> 00:13:07,530
Now, if an organization fails to comply
320
00:13:07,530 --> 00:13:08,670
with these standards,
321
00:13:08,670 --> 00:13:10,408
they can actually face substantial fines
322
00:13:10,408 --> 00:13:12,930
or even lose their ability to take credit cards.
323
00:13:12,930 --> 00:13:14,490
And for an e-commerce company,
324
00:13:14,490 --> 00:13:17,640
that would completely demolish their ability to do business.
325
00:13:17,640 --> 00:13:20,939
So while PCI-DSS isn't a law or regulation,
326
00:13:20,939 --> 00:13:24,112
it is followed extremely closely by most organizations
327
00:13:24,112 --> 00:13:26,351
to ensure they remain compliant.
328
00:13:26,351 --> 00:13:29,910
Now, PCI-DSS requires a consistent process
329
00:13:29,910 --> 00:13:32,490
of assessment, remediation, and reporting
330
00:13:32,490 --> 00:13:34,740
when using their prescribed controls to secure
331
00:13:34,740 --> 00:13:38,160
an organization and maintain the highest levels of security.
332
00:13:38,160 --> 00:13:39,870
All organizations that process credit cards
333
00:13:39,870 --> 00:13:42,694
are gonna be categorized under four security levels
334
00:13:42,694 --> 00:13:45,600
based upon the volume of transactions that they perform
335
00:13:45,600 --> 00:13:47,010
in a given year.
336
00:13:47,010 --> 00:13:48,930
Level one is for large merchants,
337
00:13:48,930 --> 00:13:50,370
and these are merchants who process
338
00:13:50,370 --> 00:13:53,010
over 6 million transactions per year.
339
00:13:53,010 --> 00:13:55,890
These level one merchants must have an external auditor
340
00:13:55,890 --> 00:13:58,260
perform their PCI-DSS assessment,
341
00:13:58,260 --> 00:13:59,550
and the auditor must be
342
00:13:59,550 --> 00:14:04,020
an approved qualified security assessor, known as a QSA.
343
00:14:04,020 --> 00:14:06,932
Now, a QSA is actually a designation for authorization
344
00:14:06,932 --> 00:14:10,050
of independent security organizations that are certified
345
00:14:10,050 --> 00:14:12,270
to the PCI-DSS standard.
346
00:14:12,270 --> 00:14:13,770
Now, this is not a certification
347
00:14:13,770 --> 00:14:15,870
that you or I as individuals can obtain.
348
00:14:15,870 --> 00:14:18,510
It's only assigned to the organization.
349
00:14:18,510 --> 00:14:20,763
Now, a level one merchant must also complete a report
350
00:14:20,763 --> 00:14:22,593
on compliance, known as an ROC.
351
00:14:23,520 --> 00:14:26,340
This is gonna detail an organization's security posture,
352
00:14:26,340 --> 00:14:29,892
environment, systems, and protection of cardholder data.
353
00:14:29,892 --> 00:14:32,490
Level two is gonna be for merchants who process
354
00:14:32,490 --> 00:14:35,790
between 1 and 6 million transactions per year.
355
00:14:35,790 --> 00:14:38,100
A level two merchant must also submit a report
356
00:14:38,100 --> 00:14:40,830
on compliance just like a level one merchant does,
357
00:14:40,830 --> 00:14:43,619
but a level two merchant does have the ability to not
358
00:14:43,619 --> 00:14:46,732
have to use an external auditor to perform that assessment.
359
00:14:46,732 --> 00:14:49,489
Level two, level three, and level four merchants
360
00:14:49,489 --> 00:14:52,260
can instead conduct a self-test that proves they're
361
00:14:52,260 --> 00:14:55,380
taking the active steps to secure their infrastructure.
362
00:14:55,380 --> 00:14:56,956
Level three is for merchants who process
363
00:14:56,956 --> 00:15:00,810
between 20,000 and 1 million transactions per year.
364
00:15:00,810 --> 00:15:03,060
And level four is for merchants who process
365
00:15:03,060 --> 00:15:05,910
less than 20,000 transactions per year.
366
00:15:05,910 --> 00:15:08,942
Now, PCI-DSS also requires vulnerability scans
367
00:15:08,942 --> 00:15:11,340
that have to be conducted routinely.
368
00:15:11,340 --> 00:15:13,470
These should be conducted every 90 days
369
00:15:13,470 --> 00:15:16,323
and after any major change inside of your infrastructure.
370
00:15:17,750 --> 00:15:19,811
(upbeat music)