PCI 2010: Trends and Technologies


Published on

PCI 2010: Trends and Technologies webcast deck.

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Scope! Scope!! Scope!!! PCI DSS is an industry standard that highlights the following: The PCI Data Security Standard is endorsed by the “Participating Brands”: Visa, MasterCard, American Express, Discover Card, JCB and Diners’ Club. Standardized Security Requirements Consistent validation requirements and protocols Common evaluator credentials and approvals Clear procedures for review and reassessment Slide Point of Contact: Eduardo Perez
  • Scope! Scope!! Scope!!!
  • Whether someone’s writing a check at the gas station, using an ATM/debit card to pay for groceries, buying a book online, getting cash out of an ATM, paying for dinner with a credit card or using a gift card to purchase something special, chances are the transaction is moved quickly and securely by First Data. First Data processes transaction data of all kinds, harnesses the power of that data, and delivers innovations in secure infrastructure, intelligence and insight for its customers.  From large financial institutions to the merchant around the corner, First Data supports its customers by helping them process and understand the intelligence behind every transaction. For more, visit www.firstdata.com.
  • PCI 2010: Trends and Technologies

    1. 1. PCI 2010: Trends & Technologies Presented by: Dr. Anton Chuvakin Author of the book “ PCI Compliance” Principal at www.securitywarriorconsulting.com/
    2. 2. Agenda <ul><li>Why PCI? </li></ul><ul><li>Key Question </li></ul><ul><li>PCI “State of the Union” </li></ul><ul><li>“ PCI War” </li></ul><ul><li>Future of PCI? </li></ul>
    3. 3. Why is PCI Here? <ul><li>Criminals need money </li></ul><ul><li>Credit card = money </li></ul><ul><li>Where are the most cards? In computers. </li></ul><ul><li>Data theft grows and reaches HUGE volume </li></ul><ul><li>Some organizations still don’t care … </li></ul><ul><li>… . especially if the loss is not theirs </li></ul><ul><li>Payment card brands enforce DSS! </li></ul>
    4. 4. PCI DSS is based on fundamental data security practices What is PCI DSS: DSS + Regime <ul><li>Protect stored data </li></ul><ul><li>Encrypt transmission of cardholder data and sensitive information across public networks </li></ul>Protect Cardholder Data <ul><li>Maintain a policy that addresses information security </li></ul>Maintain an Information Security Policy <ul><li>Track and monitor all access to network resources and cardholder data </li></ul><ul><li>Regularly test security systems and processes </li></ul>Regularly Monitor and Test Networks <ul><li>Restrict access to data by business need-to-know </li></ul><ul><li>Assign a unique ID to each person with computer access </li></ul><ul><li>Restrict physical access to cardholder data </li></ul>Implement Strong Access Control Measures <ul><li>Use and regularly update anti-virus software </li></ul><ul><li>Develop and maintain secure systems and applications </li></ul>Maintain a Vulnerability Management Program <ul><li>Install and maintain a firewall confirmation to protect data </li></ul><ul><li>Do not use vendor-supplied defaults for system passwords and other security parameters </li></ul>Build and Maintain a Secure Network
    5. 5. Ceiling vs Floor <ul><li>PCI is the “floor” of security </li></ul><ul><li>However, many prefer to treat it as a “ceiling” </li></ul><ul><li>Result: </li></ul><ul><li>security breaches </li></ul>
    6. 6. Laggards vs Leaders <ul><li>Issue : many merchants don’t even want to “grow up” to the floor . </li></ul><ul><li>Action : breaches, fines, “motivation”, guidance, etc </li></ul><ul><li>Result : security improves! </li></ul>
    7. 7. PCI War: Security vs Compliance <ul><li>Issue : some argue that PCI lowers the ceiling of security </li></ul><ul><li>Truth : PCI doesn’t lower security, YOU do </li></ul><ul><li>Result : breach is your fault! </li></ul>
    8. 8. Myth 7 – PCI Is Enough Security (from “PCI Myths and Misconceptions” by Anton Chuvakin) <ul><li>Myth : PCI is all we need to do for security </li></ul><ul><li>“ We are secure, we got PCI!” </li></ul><ul><li>“ We worked hard and we passed an ‘audit’; now we are secure!” </li></ul>Reality: Again, PCI is basic security, it is a necessary, NOT sufficient . PCI is also about cardholder data security , not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality , and NOT integrity and availability of data.
    9. 9. PCI and Security Today <ul><li><- This is the enemy! </li></ul><ul><li>This is NOT the enemy! -> </li></ul><ul><li>Remember: </li></ul><ul><li>security first , compliance as a result. </li></ul>
    10. 10. PCI 2010 <ul><li>Battle for Level3s and Level4s continues : security increases, transaction risk decreases </li></ul><ul><li>New technologies make payment security easier : tokenization, E2EE, DLP ( who pays? ) </li></ul><ul><li>Outsource to those who know : don’t fail on your own </li></ul><ul><li>Cybercrime still rampant : focus on security! </li></ul><ul><li>Remember : ongoing compliance vs point-in-time validation </li></ul>
    11. 11. Quick PCI Action Items <ul><li>Less card data -> less work needed!!! (Yes, 3 times  ) </li></ul><ul><li>PCI is common sense, basic data security; stop complaining about it - start doing it! </li></ul><ul><li>After validating that you are compliant, don’t stop: continues compliance AND security is your goal , not “passing an audit” </li></ul>
    12. 12. Get More Info! <ul><li>“ PCI Compliance” by Anton Chuvakin and Branden Williams </li></ul><ul><li>Useful reference for merchants, vendors – and everybody else </li></ul><ul><li>Out in December 2009! </li></ul>
    13. 13. About Anton Chuvakin <ul><li>Dr. Anton Chuvakin </li></ul><ul><li>Email: [email_address] </li></ul><ul><li>Site: http://www.chuvakin.org </li></ul><ul><li>Blog: http://www.securitywarrior.org </li></ul><ul><li>LinkedIn: http://www.linkedin.com/in/chuvakin </li></ul><ul><li>Twitter: @anton_chuvakin </li></ul><ul><li>Consulting : www.securitywarriorconsulting.com </li></ul>For more: http://www.chuvakin.org
    14. 14. More on Anton <ul><li>Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc </li></ul><ul><li>Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop , many, many others worldwide </li></ul><ul><li>Standard developer: CEE, CVSS, OVAL, etc </li></ul><ul><li>Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others </li></ul><ul><li>Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, now Consultant </li></ul>
    15. 15. Anton’s Security Warrior Consulting Services <ul><li>Logging and log management policy </li></ul><ul><ul><li>Develop logging policies and processes , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems </li></ul></ul><ul><ul><li>Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation </li></ul></ul><ul><ul><li>Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations </li></ul></ul><ul><ul><li>Help integrate logging tools and processes into IT and business operations </li></ul></ul><ul><li>Content development </li></ul><ul><ul><li>Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs </li></ul></ul><ul><ul><li>Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations </li></ul></ul><ul><li>More at www.SecurityWarriorConsulting.com </li></ul>