PCI 2010: Trends and Technologies

PCI 2010: Trends & Technologies Presented by: Dr. Anton Chuvakin Author of the book “ PCI Compliance” Principal at www.securitywarriorconsulting.com/

Agenda
Why PCI?
Key Question
PCI “State of the Union”
“ PCI War”
Future of PCI?

Why is PCI Here?
Criminals need money
Credit card = money
Where are the most cards? In computers.
Data theft grows and reaches HUGE volume
Some organizations still don’t care …
… . especially if the loss is not theirs
Payment card brands enforce DSS!

PCI DSS is based on fundamental data security practices What is PCI DSS: DSS + Regime
Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks
Protect Cardholder Data
Maintain a policy that addresses information security
Maintain an Information Security Policy
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Regularly Monitor and Test Networks
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Implement Strong Access Control Measures
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Maintain a Vulnerability Management Program
Install and maintain a firewall confirmation to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Build and Maintain a Secure Network

Ceiling vs Floor
PCI is the “floor” of security
However, many prefer to treat it as a “ceiling”
Result:
security breaches

Laggards vs Leaders
Issue : many merchants don’t even want to “grow up” to the floor .
Action : breaches, fines, “motivation”, guidance, etc
Result : security improves!

PCI War: Security vs Compliance
Issue : some argue that PCI lowers the ceiling of security
Truth : PCI doesn’t lower security, YOU do
Result : breach is your fault!

Myth 7 – PCI Is Enough Security (from “PCI Myths and Misconceptions” by Anton Chuvakin)
Myth : PCI is all we need to do for security
“ We are secure, we got PCI!”
“ We worked hard and we passed an ‘audit’; now we are secure!”
Reality: Again, PCI is basic security, it is a necessary, NOT sufficient . PCI is also about cardholder data security , not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality , and NOT integrity and availability of data.

PCI and Security Today
<- This is the enemy!
This is NOT the enemy! ->
Remember:
security first , compliance as a result.

PCI 2010
Battle for Level3s and Level4s continues : security increases, transaction risk decreases
New technologies make payment security easier : tokenization, E2EE, DLP ( who pays? )
Outsource to those who know : don’t fail on your own
Cybercrime still rampant : focus on security!
Remember : ongoing compliance vs point-in-time validation

Quick PCI Action Items
Less card data -> less work needed!!! (Yes, 3 times  )
PCI is common sense, basic data security; stop complaining about it - start doing it!
After validating that you are compliant, don’t stop: continues compliance AND security is your goal , not “passing an audit”

Get More Info!
“ PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Out in December 2009!

About Anton Chuvakin
Dr. Anton Chuvakin
Email: [email_address]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Twitter: @anton_chuvakin
Consulting : www.securitywarriorconsulting.com
For more: http://www.chuvakin.org

More on Anton
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop , many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, now Consultant

Anton’s Security Warrior Consulting Services
Logging and log management policy
Develop logging policies and processes , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
Content development
Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

PCI 2010: Trends and Technologies

by Anton Chuvakin on Dec 16, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 9

Statistics

PCI 2010: Trends and Technologies — Presentation Transcript

http://www.slideshare.net	5
http://movetech	4