Risk Factory: PCI Shrink to Fit

5 ways to reduce the scope of your PCI compliance program.
Speaker note: Oldest crime on record – not prostitution. First recorded case of identity theft: Bible, Genesis XXX.

  • 1. PCI: Shrink to Fit
  • 2. A simple, easy-to-use, online B2B procurement portal for purchasing products and services to identify, minimise and manage the security threat to business data. www.riskfactory.com
  • 3. Cheap, Fast, Good
  • 4. The Standard
  • 5. Applies to:
    • Any systems that process, store or transmit cardholder data (credit or debit)
    • Any systems that connect to them
  • 6. #1 Discover & Document
    • Conduct an inventory of hard- and soft-copy card data
    • You can't shrink what you have not measured
    • What do you have, and where do you have it?
    • Run discovery software across internal network IPs
    • Create a network diagram depicting card data flow
    • Heat map: what processes, stores and transmits card data
    • Establish a hardware asset register
    • Result = the Card Data Environment (CDE)
  • 7. Discover & Document
  • 8. Leakage vectors (slide word cloud, labelled Endpoint, Data-At-Rest, Data-In-Motion, Physical and Other Threat Vectors): Laptop / Desktop, Server, CD / DVD, Piggybacking, USB, iPod, Dumpster (Skip) Diving, Social Engineering, Memory Stick, Contractors, Road Apple, PCMCIA, Eavesdropping, Memory Card Readers, Bluetooth, Communication, Infrared, Databases, Firewire, File Systems, Serial / Parallel Ports, File Servers, NAS, Virtual Machine, SANs / iSCSI Storage, Screen Scrapers, Voice Mail, Data Loss Trojans, Video Surveillance, Key Loggers, Phishing / Spear Phishing, E-Mail, HTTP/S, Printers, SSH, Backup Tapes / CD / DVD, FTP, Laptop / Desktop / Server, IM, Fax, VoIP, Photocopier, P2P, Mobile Phone / PDA, Blogs, Digital Camera (incl. Mobile Phone Cameras), Incorrect Disposal, Printed Reports
  • 9. #2 Destroy & De-Scope
    • Both hard and soft copies
    • If you don't need it, delete it
    • Take your time; use your CDE map
    • Stakeholders sign off
    • Remember: VoIP and mail servers, MS Outlook archives, fax, scanner and copier memory cards
    • Include 3rd parties and backup systems
    • Be ruthless
  • 10. #3 Outsource & Oversight
    • What can you outsource?
    • Risk transference vs. risk mitigation
    • Compliance requirement in the SLA
    • Should not be cost plus
    • See proof (ask for a copy of their RoC)
    • Conduct an annual onsite audit
    • You still need a program
    • The liability is still yours
  • 11. #4 Separate & Segment
    • Led by "need to know"
    • Always ask: why?
    • Should not be vendor led
    • Firewall, VLAN, software…
    • Subnets
    • Wireless networks
    • 3rd party suppliers!
    • "Any systems connected" to the CDE
  • 12. Point to Point Encryption
  • 13. Point to Point Encryption
    • Card brand specific technology requirements
    • PoS configuration requirements
    • Bank-owned vs. merchant-owned devices
    • Compliance requirement in contract and SLA
    • Who's responsible for a breach?
    • You still have a compliance validation requirement
  • 14. #5 Tokenise
    • Can significantly downsize scope
    • Card data replaced by a "token" (surrogate value)
    • Card data stored in a centralised vault
    • Servers processing, storing or transmitting cardholder data: in scope
    • Servers processing, storing or transmitting surrogate values: not in scope
  • 15. Model
  • 16. Tokenisation
    • Where tokens and card data meet = in scope
    • The tokenisation hosting solution is critical
    • Be careful of "hybrid" solutions
    • See the PCI Standards Council site for guidance
    • Test the solution!
    • This is no silver bullet
    • Validation is still required
  • 17. 5 Ways to Reduce PCI
    • Discover & Document
    • Destroy & De-scope
    • Outsource & Oversight
    • Separate & Segment
    • Tokenisation
  • 18. Best Way: understand that the PCI DSS is a "risk management framework", not a checklist
  • 19. 26 Dover Street, London, United Kingdom, W1S 4LY. Tel +44 (0)20 3586 1025, fax +44 (0)20 7763 7101
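The discovery step on slide 6 ("run discovery software", "can't shrink what you have not measured") usually ends up as a script that hunts for card numbers in logs, exports and file shares. The Python below is an added example, not Risk Factory's tool or the deck's own code: it scans constructed sample lines for candidate PANs and applies the Luhn check so that look-alike digit runs such as order IDs are not reported; the regex, the sample lines and the masking format are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (regex is an assumption for this example).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, mask the rest, so the report itself is not card data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line_number, masked_pan) for every Luhn-valid candidate found."""
    hits = []
    for no, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((no, mask_pan(digits)))
    return hits


# Constructed sample lines; the card numbers are the card brands' public test numbers.
SAMPLE_LINES = [
    "2013-05-01 order 1234567890123456 shipped",    # 16 digits but fails Luhn: an order id
    "customer card 4111 1111 1111 1111 exp 12/15",  # Visa test PAN, space separated
    "refund to 378282246310005 approved",           # Amex test PAN, 15 digits
    "mc=5500-0000-0000-0004",                       # Mastercard test PAN, dash separated
    "phone +44 20 3586 1025",                       # too short to be a PAN
    "typo 4111111111111112 in log",                 # one digit off, fails Luhn
]

if __name__ == "__main__":
    for no, masked in find_pans(SAMPLE_LINES):
        print(f"line {no}: {masked}")
```

Point it at real exports only after agreeing with the stakeholders on slide 9 what happens to each hit, since the report is itself a map of the CDE.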