Verderber Rothke What’s New With PCI
Presentation by Peter Verderber and Ben Rothke at the 2009 BT Managed Security Leaders Conference
1. What's new with PCI?
Peter Verderber, CISSP, CISA, PCI QSA, Principal Consultant
Ben Rothke, CISSP, CISA, PCI QSA, Senior Security Consultant
Managed Security Leaders Conference, November 18, 2009
Check out the SecureThinking blog: http://bt-securethinking.blogspot.com. Follow us on Twitter: http://twitter.com/securethinking

2. Agenda
- Introductions
- Evolution of the PCI DSS
- PCI SSC Updates: the impact of QA inspections
- PCI DSS Updates: gray areas and emerging trends
- Key messages and take-aways

3. Introductions
- Peter Verderber, CISSP, CISA, PCI QSA
  - US & Canada Security Practice Lead
  - 10+ years in the information security field
  - Working with the PCI standard since its inception in 2004
- Ben Rothke, CISSP, CISM, PCI QSA
  - Senior Security Consultant
  - In the IT sector since 1988 and in information security since 1994
  - Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill)
  - PCI QSA since 2007

4. BT and PCI
- PCI environment discovery and scoping
- Security architecture design
- Compliance assessments (gap analysis)
- Remediation planning, support, and integration
- Compliance validation and reporting
- Internal and external ASV scanning
- Network and application penetration testing
- Managed security event monitoring
- Managed log retention services
- Managed firewall and IDP services
- Digital security surveillance solutions

5. PCI Timeline, 2001: Visa establishes CISP (Cardholder Information Security Program)

6. PCI Timeline, 2004 to 2006: PCI DSS version 1.0 released (December 2004); formation of the PCI Security Standards Council (PCI SSC) in 2006
The PCI SSC is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. Its mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards. Founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.

7. PCI Timeline, 2006: PCI DSS version 1.1 released
The PCI DSS (Data Security Standard) is a worldwide information security standard maintained by the PCI SSC. It was created to help organizations that process card payments prevent card fraud through increased controls around cardholder data and its exposure to compromise. PCI DSS applies to all organizations that store, process, or transmit cardholder data for any card branded with the logo of one of the founding card brands.

8. PCI Timeline, 2008: PCI DSS version 1.2 and PA-DSS 1.2 released
PA-DSS is the Council-managed successor to Visa Inc.'s Payment Application Best Practices (PABP) program. The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data (full magnetic-stripe track data, CVV2, or PIN data) and that support their customers' compliance with the PCI DSS.
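The PA-DSS point above, that a payment application must never persist full track data, CVV2 or PIN data, is one a QSA verifies by looking for that data in the places an application writes to: logs, debug dumps, crash files, databases. The following scanner is an added example written for this page, not code from the presenters or from BT; it checks constructed sample log lines for Luhn-valid PANs, ISO 7813 track 1 and track 2 framing (`%B…^…^` and `;…=`), and CVV-style key/value pairs, and it masks any PAN it reports so the scanner's own output does not become a new store of cardholder data. The regular expressions and the sample log are illustrative assumptions, not PCI SSC test vectors.

```python
import re

# Constructed sample log (not real card data): the two PANs are the standard
# Visa and MasterCard test numbers, which pass the Luhn check.
SAMPLE_LOG = """\
2009-11-18 10:01:02 INFO  auth ok txn=8841 pan=4111111111111111 exp=1212
2009-11-18 10:01:03 DEBUG raw swipe: %B4111111111111111^DOE/JOHN^1212101123400000?
2009-11-18 10:01:04 DEBUG track2: ;5555555555554444=12121011234?
2009-11-18 10:01:05 INFO  order 123456789012 shipped
2009-11-18 10:01:06 WARN  cvv2=123 sent to fraud engine
"""

# A PAN is 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r'(?<!\d)(\d{13,19})(?!\d)')
# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM...>
TRACK1_RE = re.compile(r'%B\d{13,19}\^[^^]{2,26}\^\d{4}')
# Track 2: ;<PAN>=<YYMM...>
TRACK2_RE = re.compile(r';\d{13,19}=\d{4}')
# Card verification values written as key/value pairs (assumed field names).
CVV_RE = re.compile(r'\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b', re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows in displays."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return the prohibited-data findings for one log line."""
    findings = []
    if TRACK1_RE.search(line):
        findings.append('track1')
    if TRACK2_RE.search(line):
        findings.append('track2')
    if CVV_RE.search(line):
        findings.append('cvv2')
    for m in PAN_RE.finditer(line):
        # Digit runs that fail Luhn (order numbers, timestamps, track expiry
        # fields) are dropped to keep the false-positive rate manageable.
        if luhn_ok(m.group(1)):
            findings.append('pan:' + mask_pan(m.group(1)))
    return findings


def scan_log(text: str) -> list:
    """Return [(line_number, findings)] for every line with a finding."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        found = scan_line(line)
        if found:
            results.append((lineno, found))
    return results


if __name__ == '__main__':
    for lineno, found in scan_log(SAMPLE_LOG):
        print(f'line {lineno}: {", ".join(found)}')
```

Run against the sample, lines 1, 2, 3 and 5 are flagged: the first for a bare PAN, the second for full track 1 data plus the PAN inside it, the third for track 2 data, the fifth for a CVV2. The 12-digit order number on line 4 is ignored because it is too short to be a PAN, and the track 1 discretionary data on line 2 is ignored because it fails Luhn. In an assessment the same logic runs over log archives, database exports and memory dumps, and every hit on track, CVV2 or PIN data is a PA-DSS or PCI DSS requirement 3.2 failure regardless of encryption.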
9. PCI Timeline, 2009: PCI wireless guidelines released
The wireless guidelines recommend a Wireless Intrusion Prevention System (WIPS) to automate wireless scanning in large organizations, and they define how wireless security applies to PCI DSS 1.2 compliance. The guidelines apply to the deployment of WLANs in or connected to the cardholder data environment (CDE), meaning the systems and network segments that store, process, or transmit cardholder data.

10. PCI Timeline, 2009 and beyond: PCI will continue to gain traction
- Greater detail
- Greater enforcement
- Increased rigor
- Federal adoption

11. PCI Security Standards Council Updates
- What's new in 2009?
  - More breaches of "PCI compliant" entities
  - Prioritized Approach
  - PCI Council QA refresh and enforcement
  - New QA model and scoring matrix established
    - 945 validation points (1000+ with sampling)
    - Limited assessor discretion
- Impact on your organization:
  - Extensive documentation
    - Application interaction and data flows
    - Card processing and third-party relationships
  - A defensible position is a must

12. PCI Data Security Standard Updates
- Gray areas remain
  - But then again, all regulations have gray areas
  - Defend your interpretation
  - A strong security foundation can deal with every new regulation or standard
  - Scoping (limit PCI scope, ASV scan scope, and penetration-testing scope)
  - Compensating controls
- Emerging trends
  - Tokenization
  - Data encryption
  - Virtualization
  - Outsourcing / third parties
  - Cloud computing
  - Mobility

13. Conclusions
- In our opinion:
  - PCI is a very prescriptive standard, closely aligned with ISO 27002 and security best practices
  - The increased rigor and advancement of the PCI Council show that PCI is not going away
  - Expect greater expansion and adoption of PCI in the form of legislation
  - Emerging trends will continue to introduce new "gray areas" and drive the evolution of PCI
- Take-aways / food for thought:
  - Understand the risks to your organization and business strategy involving PCI; stay ahead of the curve
  - Align security resources to adequately mitigate risk and maintain compliance
  - Ensure that your security program drives compliance as a byproduct, not the other way around

14. Questions from the floor
"The future may be bright, but focus on the present for now."

15. Contact Information
Peter Verderber, [email_address], 561-206-2064, http://www.linkedin.com/in/peteverd
Ben Rothke, ben.rothke@bt.com, 973-489-0838, www.linkedin.com/in/benrothke, www.twitter.com/benrothke

16. www.bt.com/security