“PCI for Pen Testers”

Presented at BSidesDC 2017, Oct. 8, 2017, 9 a.m. (50 minutes)

The Payment Card Industry Data Security Standard has a bad rap with the security community, and for good reason: we're doing it wrong. Penetration testers in particular can play a key role in the effectiveness of PCI, but most have never read the Standard and even fewer really understand it. In this talk we'll cover how testing should be performed and give you the tools to drive the engagement, taking it from a checkbox test to the best pen test your client has ever had.

**Intended Audience**

1. Pen Testers
2. Sales Teams
3. QSAs

**Lessons Learned (Audience Takeaways)**

1. Understand the individual Requirements that can affect the pen test.
2. Define the scope of internal and external pen testing and identify the specific PCI DSS resources that justify this interpretation.
3. Review common success criteria to help determine when you've met the Requirement.
4. Review what is required for Requirement 11.3.4 and segmentation testing.
5. Review the contents of the final and post-remediation reports.

Presenters:

  • Joseph Pierini - Vice President, Technical Services at PSC
    **Joseph Pierini, Vice President of Technical Services (CISSP, GCIH, PCI: QSA, PA-QSA, PFI, ASV)**

    Joseph Pierini, Vice President of Technical Services at PSC, is responsible for the development and execution of the penetration testing programs supporting PCI and other privacy laws and regulations. Years of security and compliance experience make Joseph an expert at understanding the issues clients face in achieving and maintaining compliance. Having served as the Primary Point of Contact for the PCI Security Standards Council's Approved Scanning Vendor program for nearly a decade, Joseph has developed extensive knowledge of the weaknesses and vulnerabilities threatening clients' network infrastructure and applications. When not leading his team, Joseph presents at security conferences promoting best practices in penetration testing for merchants, service providers and card processors seeking to meet and maintain compliance. Joseph is also an active penetration tester performing internal, external, wireless and social engineering engagements for clients. His field skills range from internal and external vulnerability analysis, web application testing and exploitation to mobile application analysis, antivirus evasion and post-exploitation.

    Prior to joining PSC, Joseph held various high-level positions at McAfee (previously ScanAlert), the world's largest dedicated security technology company. As Director of Enterprise Services, Joseph was responsible for a team of security analysts assisting in the pre-sales cycle and post-sale customer support. He also functioned as the Primary Point of Contact for both the PCI Security Standards Council and domestic and international resellers.

    Previously, as the Manager of Security Engineering and Compliance at MarketLive, a high-volume eCommerce website developer and hosting company in San Francisco, Joseph was responsible for building the security organization, overseeing the security awareness program and keeping clients compliant with the Payment Card Industry Data Security Standard. Over the course of his career, Joseph has performed penetration tests and application assessments for over half of the Internet Retailer Top 500, Fortune 1000 companies and many of America's top defense contractors. He is also a published vulnerability researcher, having discovered vulnerabilities in applications ranging from Apache Tomcat and Caucho's Resin Application Server to search engines, web application firewalls and various eCommerce shopping carts.
