Don’t Fear PCI DSS!

Don’t Fear PCI DSS! Even Though It Can Be Scary At Times July 16-17, 2009 Napa Valley Marriott July 16-17, 2009 Napa Valley Marriott Dr. Anton Chuvakin [email_address] Security Warrior Consulting

WARNING!
This is a very, very, very basic PCI DSS presentation.
PCI literati … take notice of that 
July 16-17, 2009 Napa Valley Marriott

Agenda
What is PCI DSS?
Who it applies to?
Why is it here?
What should you do?
How to make it easier?
Common myths about PCI

What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =

PCI Security Standards Council
New organization formed to promote PCI compliance .
Founded by:
American Express
Discover Financial Services
JCB
MasterCard Worldwide
Visa International
Approves security vendors
Approved Scanning Vendors (ASV) – Quarterly Scans
Qualified Security Assessor (QSA) – On-Site Assessments

PCI Data Security Standard
The PCI Council published the PCI DSS –Data Security Standard
Outlined the minimum data security protections measures for payment card data.
Defined Merchant & Service Provider Levels, and compliance validation requirements.
Left the enforcement to card brands (Council doesn’t fine anybody)
In October 2008 the PCI Council updated the PCI DSS to v1.2
The next change is in 2010

PCI DSS is based on fundamental data security practices PCI Data Security Standard In-Depth
Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks
Protect Cardholder Data
Maintain a policy that addresses information security
Maintain an Information Security Policy
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Regularly Monitor and Test Networks
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Implement Strong Access Control Measures
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Maintain a Vulnerability Management Program
Install and maintain a firewall confirmation to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Build and Maintain a Secure Network

Why is PCI Here?
Criminals need money
Credit card = money
Where are the most cards? In computers.
Data theft grows and reaches HUGE volume
Some organizations still don’t care …
… . especially if the loss is not theirs
Payment card brands enforce DSS!

Does it Apply to Me?
“ PCI DSS compliance includes merchants and service providers who accept , capture , store , transmit or process credit and debit card data.”
C O M P A N Y C O N F I D E N T I A L

Can I Pretend It Doesn’t Exist?
Well, yes.
YES-YOU-CAN!!! 
“ It is not necessary to change. Survival is not mandatory.”
William Edwards Deming
In other words, you can do business with cash!

Can I Make It Easier? PCI DSS Tips
Scope
“ Don’t’ touch that … ‘stuff’” (if you can) -> outsource !
Don’t store card prohibited card data (CVV2, PIN, etc)
Don’t store any card data – revisit your storage reasons

More PCI DSS Tips
Protection – comes AFTER scope reduction!
Install and update anti-malware
Change passwords : writing passwords > easy passwords
Vulnerability scans : close the obvious hacker holes

So, What Should I Do?
Less card data -> less work needed!!! (Yes, 3 times  )
PCI is common sense, basic data security; stop complaining about it - start doing it!
After validating that you are compliant, don’t stop: ongoing compliance AND security is your goal , not “passing an audit”

Final Word: “It Can’t Happen to Me!”
It probably already did !

The “PCI Compliance” Book Out Soon!
Get as much information as you can about PCI and how it relates to your organization!
Q: More information?
A: Get THE PCI book: “PCI Compliance” by Anton Chuvakin and Branden Williams (out in Nov 2009!)
Also look at authors blogs:
chuvakin.blogspot.com/search/label/PCI
brandenwilliams.com/blog

Q&A C O N F I D E N T I A L Thank You [email_address]

Eight Common PCI Myths
PCI just doesn’t apply to us , because…
PCI is confusing and not specific !
PCI is too hard
Recent breaches prove PCI irrelevant
PCI is easy : we just have to “say Yes” on SAQ and “get scanned”
My network, application, tool is PCI compliant
PCI is all we need to do for security!
Even if breached and then found non-compliant, our business will not suffer

Don’t Fear PCI DSS!

by Anton Chuvakin on Oct 12, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 22

Statistics

Don’t Fear PCI DSS! — Presentation Transcript