Don’t Fear PCI DSS! Even Though It Can Be Scary At Times July 16-17, 2009 Napa Valley Marriott July 16-17, 2009 Napa Valley Marriott Dr. Anton Chuvakin [email_address] Security Warrior Consulting

WARNING! This is a very, very, very basic PCI DSS presentation. PCI literati … take notice of that  July 16-17, 2009 Napa Valley Marriott

This is a very, very, very basic PCI DSS presentation.

PCI literati … take notice of that 

Agenda What is PCI DSS? Who it applies to? Why is it here? What should you do? How to make it easier? Common myths about PCI July 16-17, 2009 Napa Valley Marriott

What is PCI DSS?

Who it applies to?

Why is it here?

What should you do?

How to make it easier?

Common myths about PCI

What is PCI DSS or PCI? Payment Card Industry Data Security Standard Payment Card = Payment Card Industry = Data Security = Data Security Standard = July 16-17, 2009 Napa Valley Marriott

Payment Card Industry Data Security Standard

Payment Card =

Payment Card Industry =

Data Security =

Data Security Standard =

PCI Security Standards Council New organization formed to promote PCI compliance . Founded by: American Express Discover Financial Services JCB MasterCard Worldwide Visa International Approves security vendors Approved Scanning Vendors (ASV) – Quarterly Scans Qualified Security Assessor (QSA) – On-Site Assessments

New organization formed to promote PCI compliance .

Founded by:

American Express

Discover Financial Services

JCB

MasterCard Worldwide

Visa International

Approves security vendors

Approved Scanning Vendors (ASV) – Quarterly Scans

Qualified Security Assessor (QSA) – On-Site Assessments

PCI Data Security Standard The PCI Council published the PCI DSS –Data Security Standard Outlined the minimum data security protections measures for payment card data. Defined Merchant & Service Provider Levels, and compliance validation requirements. Left the enforcement to card brands (Council doesn’t fine anybody) In October 2008 the PCI Council updated the PCI DSS to v1.2 The next change is in 2010

The PCI Council published the PCI DSS –Data Security Standard

Outlined the minimum data security protections measures for payment card data.

Defined Merchant & Service Provider Levels, and compliance validation requirements.

Left the enforcement to card brands (Council doesn’t fine anybody)

In October 2008 the PCI Council updated the PCI DSS to v1.2

The next change is in 2010

PCI DSS is based on fundamental data security practices PCI Data Security Standard In-Depth Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks Protect Cardholder Data Maintain a policy that addresses information security Maintain an Information Security Policy Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Regularly Monitor and Test Networks Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Implement Strong Access Control Measures Use and regularly update anti-virus software Develop and maintain secure systems and applications Maintain a Vulnerability Management Program Install and maintain a firewall confirmation to protect data Do not use vendor-supplied defaults for system passwords and other security parameters Build and Maintain a Secure Network

Protect stored data

Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a policy that addresses information security

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Restrict access to data by business need-to-know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Use and regularly update anti-virus software

Develop and maintain secure systems and applications

Install and maintain a firewall confirmation to protect data

Do not use vendor-supplied defaults for system passwords and other security parameters

Why is PCI Here? Criminals need money Credit card = money Where are the most cards? In computers. Data theft grows and reaches HUGE volume Some organizations still don’t care … … . especially if the loss is not theirs Payment card brands enforce DSS! July 16-17, 2009 Napa Valley Marriott

Criminals need money

Credit card = money

Where are the most cards? In computers.

Data theft grows and reaches HUGE volume

Some organizations still don’t care …

… . especially if the loss is not theirs

Payment card brands enforce DSS!

Does it Apply to Me? “ PCI DSS compliance includes merchants and service providers who accept , capture , store , transmit or process credit and debit card data.” C O M P A N Y C O N F I D E N T I A L

“ PCI DSS compliance includes merchants and service providers who accept , capture , store , transmit or process credit and debit card data.”

Can I Pretend It Doesn’t Exist? Well, yes. YES-YOU-CAN!!!  “ It is not necessary to change. Survival is not mandatory.” William Edwards Deming In other words, you can do business with cash! July 16-17, 2009 Napa Valley Marriott

Well, yes.

YES-YOU-CAN!!! 

“ It is not necessary to change. Survival is not mandatory.”

William Edwards Deming

In other words, you can do business with cash!

Can I Make It Easier? PCI DSS Tips Scope “ Don’t’ touch that … ‘stuff’” (if you can) -> outsource ! Don’t store card prohibited card data (CVV2, PIN, etc) Don’t store any card data – revisit your storage reasons July 16-17, 2009 Napa Valley Marriott

Scope

“ Don’t’ touch that … ‘stuff’” (if you can) -> outsource !

Don’t store card prohibited card data (CVV2, PIN, etc)

Don’t store any card data – revisit your storage reasons

More PCI DSS Tips Protection – comes AFTER scope reduction! Install and update anti-malware Change passwords : writing passwords > easy passwords Vulnerability scans : close the obvious hacker holes July 16-17, 2009 Napa Valley Marriott

Protection – comes AFTER scope reduction!

Install and update anti-malware

Change passwords : writing passwords > easy passwords

Vulnerability scans : close the obvious hacker holes

So, What Should I Do? Less card data -> less work needed!!! (Yes, 3 times  ) PCI is common sense, basic data security; stop complaining about it - start doing it! After validating that you are compliant, don’t stop: ongoing compliance AND security is your goal , not “passing an audit” July 16-17, 2009 Napa Valley Marriott

Less card data -> less work needed!!! (Yes, 3 times  )

PCI is common sense, basic data security; stop complaining about it - start doing it!

After validating that you are compliant, don’t stop: ongoing compliance AND security is your goal , not “passing an audit”

Final Word: “It Can’t Happen to Me!” It probably already did ! July 16-17, 2009 Napa Valley Marriott

It probably already did !

The “PCI Compliance” Book Out Soon! Get as much information as you can about PCI and how it relates to your organization! Q: More information? A: Get THE PCI book: “PCI Compliance” by Anton Chuvakin and Branden Williams (out in Nov 2009!) Also look at authors blogs: chuvakin.blogspot.com/search/label/PCI brandenwilliams.com/blog

Get as much information as you can about PCI and how it relates to your organization!

Q: More information?

A: Get THE PCI book: “PCI Compliance” by Anton Chuvakin and Branden Williams (out in Nov 2009!)

Also look at authors blogs:

chuvakin.blogspot.com/search/label/PCI

brandenwilliams.com/blog

Q&A C O N F I D E N T I A L Thank You [email_address]

Eight Common PCI Myths PCI just doesn’t apply to us , because… PCI is confusing and not specific ! PCI is too hard Recent breaches prove PCI irrelevant PCI is easy : we just have to “say Yes” on SAQ and “get scanned” My network, application, tool is PCI compliant PCI is all we need to do for security! Even if breached and then found non-compliant, our business will not suffer

PCI just doesn’t apply to us , because…

PCI is confusing and not specific !

PCI is too hard

Recent breaches prove PCI irrelevant

PCI is easy : we just have to “say Yes” on SAQ and “get scanned”

My network, application, tool is PCI compliant

PCI is all we need to do for security!

Even if breached and then found non-compliant, our business will not suffer