PCI 2010: Trends and Technologies

PCI 2010: Trends and Technologies webcast deck.

  • Scope! Scope!! Scope!!! PCI DSS is an industry standard that highlights the following:
    • The PCI Data Security Standard is endorsed by the “Participating Brands”: Visa, MasterCard, American Express, Discover Card, JCB and Diners’ Club.
    • Standardized security requirements
    • Consistent validation requirements and protocols
    • Common evaluator credentials and approvals
    • Clear procedures for review and reassessment
    Slide Point of Contact: Eduardo Perez
  • Whether someone’s writing a check at the gas station, using an ATM/debit card to pay for groceries, buying a book online, getting cash out of an ATM, paying for dinner with a credit card or using a gift card to purchase something special, chances are the transaction is moved quickly and securely by First Data. First Data processes transaction data of all kinds, harnesses the power of that data, and delivers innovations in secure infrastructure, intelligence and insight for its customers. From large financial institutions to the merchant around the corner, First Data supports its customers by helping them process and understand the intelligence behind every transaction. For more, visit www.firstdata.com.

PCI 2010: Trends and Technologies Presentation Transcript

  • PCI 2010: Trends & Technologies. Presented by: Dr. Anton Chuvakin, author of the book “PCI Compliance”, Principal at www.securitywarriorconsulting.com/
  • Agenda
    • Why PCI?
    • Key Question
    • PCI “State of the Union”
    • “PCI War”
    • Future of PCI?
  • Why is PCI Here?
    • Criminals need money
    • Credit card = money
    • Where are the most cards? In computers.
    • Data theft grows and reaches HUGE volume
    • Some organizations still don’t care …
    • … especially if the loss is not theirs
    • Payment card brands enforce DSS!
  • What is PCI DSS: DSS + Regime. PCI DSS is based on fundamental data security practices:
    • Build and Maintain a Secure Network
      • Install and maintain a firewall configuration to protect data
      • Do not use vendor-supplied defaults for system passwords and other security parameters
    • Protect Cardholder Data
      • Protect stored data
      • Encrypt transmission of cardholder data and sensitive information across public networks
    • Maintain a Vulnerability Management Program
      • Use and regularly update anti-virus software
      • Develop and maintain secure systems and applications
    • Implement Strong Access Control Measures
      • Restrict access to data by business need-to-know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to cardholder data
    • Regularly Monitor and Test Networks
      • Track and monitor all access to network resources and cardholder data
      • Regularly test security systems and processes
    • Maintain an Information Security Policy
      • Maintain a policy that addresses information security
  • Ceiling vs Floor
    • PCI is the “floor” of security
    • However, many prefer to treat it as a “ceiling”
    • Result: security breaches
  • Laggards vs Leaders
    • Issue: many merchants don’t even want to “grow up” to the floor.
    • Action: breaches, fines, “motivation”, guidance, etc.
    • Result: security improves!
  • PCI War: Security vs Compliance
    • Issue: some argue that PCI lowers the ceiling of security
    • Truth: PCI doesn’t lower security, YOU do
    • Result: breach is your fault!
  • Myth 7 – PCI Is Enough Security (from “PCI Myths and Misconceptions” by Anton Chuvakin)
    • Myth: PCI is all we need to do for security
    • “We are secure, we got PCI!”
    • “We worked hard and we passed an ‘audit’; now we are secure!”
    Reality: Again, PCI is basic security; it is necessary, NOT sufficient. PCI is also about cardholder data security, not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality, and NOT integrity and availability of data.
  • PCI and Security Today
    • <- This is the enemy!
    • This is NOT the enemy! ->
    • Remember:
    • security first, compliance as a result.
  • PCI 2010
    • Battle for Level 3s and Level 4s continues: security increases, transaction risk decreases
    • New technologies make payment security easier: tokenization, E2EE, DLP (who pays?)
    • Outsource to those who know: don’t fail on your own
    • Cybercrime still rampant: focus on security!
    • Remember: ongoing compliance vs point-in-time validation
  • Quick PCI Action Items
    • Less card data -> less work needed!!! (Yes, 3 times)
    • PCI is common sense, basic data security; stop complaining about it - start doing it!
    • After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit”
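The “less card data” and DLP points above both start with the same question: where do PANs actually sit in logs, exports and databases, and can the stored form be reduced to a mask where the full number is not needed? The following is an added example, not part of this deck or of Anton Chuvakin’s material: a small Python scanner that pulls candidate card numbers out of text, drops false positives with the Luhn (mod 10) check that all major brands use, and masks confirmed hits to first six/last four. The log lines are constructed for the example and use the well-known public test PANs (4111 1111 1111 1111 and 378282246310005), not real cards; the 1234… value is a deliberate decoy.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not from the deck). The card values are the
# public test PANs used by payment gateways; "ref=1234..." is a decoy that
# looks like a card number but fails the Luhn check.
SAMPLE_LOG = """2010-03-01 12:00:01 order=1001 card=4111 1111 1111 1111 amount=19.99
2010-03-01 12:00:02 order=1002 card=378282246310005 amount=120.00
2010-03-01 12:00:03 order=1003 ref=1234567890123456 amount=5.00
2010-03-01 12:00:04 order=1004 phone=555-0100-1234 note=no card
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits(candidate: str) -> str:
    """Strip the optional space/dash separators from a regex hit."""
    return re.sub(r"[ -]", "", candidate)


def is_pan(candidate: str) -> bool:
    """True when a regex hit has a plausible card length and passes Luhn."""
    digits = _digits(candidate)
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(digits: str) -> str:
    """Display mask that keeps the first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the separator-free PANs found in text, in order of appearance."""
    return [_digits(m.group(0))
            for m in PAN_CANDIDATE.finditer(text) if is_pan(m.group(0))]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave the rest."""
    def repl(m):
        hit = m.group(0)
        return mask_pan(_digits(hit)) if is_pan(hit) else hit
    return PAN_CANDIDATE.sub(repl, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("PAN found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

The Luhn filter is what keeps a scan like this from flooding a scope review with order numbers and phone numbers that merely look like cards: the decoy on the third line and the phone number on the fourth are left untouched, while the two real test PANs are found and masked. A production DLP tool adds brand prefix (BIN) checks and copes with digit runs that abut each other, which this regex can merge into one over-long candidate.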
  • Get More Info!
    • “PCI Compliance” by Anton Chuvakin and Branden Williams
    • Useful reference for merchants, vendors – and everybody else
    • Out in December 2009!
  • About Anton Chuvakin
    • Dr. Anton Chuvakin
    • Email: [email_address]
    • Site: http://www.chuvakin.org
    • Blog: http://www.securitywarrior.org
    • LinkedIn: http://www.linkedin.com/in/chuvakin
    • Twitter: @anton_chuvakin
    • Consulting: www.securitywarriorconsulting.com
    For more: http://www.chuvakin.org
  • More on Anton
    • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
    • Standard developer: CEE, CVSS, OVAL, etc
    • Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, now Consultant
  • Anton’s Security Warrior Consulting Services
    • Logging and log management policy
      • Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
      • Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
      • Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
      • Help integrate logging tools and processes into IT and business operations
    • Content development
      • Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
      • Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    • More at www.SecurityWarriorConsulting.com