PCI DSS Myths 2009: Myths and Reality

PCI DSS Myths 2009: Fiction and Reality Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com November 2009

Agenda
What is PCI DSS?
When does PCI DSS apply?
PCI DSS myths
Compliance vs validation
Conclusions

What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =

PCI DSS is based on basic data security practices!
Protect stored data
Encrypt transmission of cardholder data and sensitive information across public networks
Protect Cardholder Data
Maintain a policy that addresses information security
Maintain an Information Security Policy
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Regularly Monitor and Test Networks
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Implement Strong Access Control Measures
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Maintain a Vulnerability Management Program
Install and maintain a firewall confirmation to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Build and Maintain a Secure Network

Ceiling vs Floor
PCI is the “floor” of security
This is fundamental reality of PCI DSS!
However, many prefer to treat it as a “ceiling”
Result:
security breaches

M1 - PCI just doesn’t apply to us …
Myth : PCI just doesn’t apply to us , because…
“… we are small, a University, don’t do e-commerce, outsource “everything”, not permanent entity, etc”
Reality: PCI DSS DOES apply to you if you “ accept, capture, store, transmit or process credit and debit card data ”, no exceptions! At some point, your acquirer will make it clear to you!

M2 - PCI is confusing
Myth : PCI is confusing and not specific !
“ We don’t know what to do, who to ask, what exactly to change”
“ Just give us a checklist and we will do it. Promise!”
Reality: PCI DSS documents explain both what to do and how to validate it; take some time to read and understand it. <- Also, read our book on PCI! 

M3 - PCI is too hard
Myth : PCI is too hard …
“… too expensive, too complicated, too burdensome, too much for a small business, too many technologies or even unreasonable”
Reality: PCI DSS is basic, common sense, baseline security practice; it is only hard if you were not doing it before. It is no harder than running your business or IT – and you’ve been doing it!

M4 - Breaches prove PCI irrelevant
Myth : Recent breaches prove PCI irrelevant
“ We read that ‘media and pundits agree – massive data losses “ prove ” PCI irrelevant’”
Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics. PCI is actually easier to understand than other advanced security and risk matters. Start there!

M5 – PCI is Easy : Just Say “YES”
Myth : PCI is easy : we just have to “say Yes” on SAQ and “get scanned”
“ What do we need to do - get a scan and answer some questions?”
Reality: Not exactly - you need to: a) Get a scan – and then resolve the vulnerabilities found b) Do the things that the questions refer to – and prove it c) Keep doing a) and b) forever!

M6 – My tool is PCI compliant
Myth : My network, application, tool is PCI compliant
“ The vendor said the tool is ‘PCI compliant’”
“ I use PA-DSS tools, thus I am PCI OK”
Reality: There is no such thing as “PCI compliant tool, network”, PCI DSS compliance applies to organizations . PCI DSS combines technical AND process, policy, management issues; awareness and practices as well.

M7 – PCI Is Enough Security
Myth : PCI is all we need to do for security
“ We worked hard and we passed an ‘audit’; now we are secure!”
Reality: PCI is basic security, it is a necessary baseline, but NOT sufficient (floor – not the ceiling!) PCI is also about cardholder data security , not the rest of private data, not your intellectual property, not SSNs, etc. It also covers confidentiality , and NOT integrity and availability. There is more to security than PCI!

M8 – PCI DSS Is Toothless
Myth : Even if breached and also found non-compliant, our business will not suffer.
“ We read that companies are breached and then continue being profitable; so why should we care?”
Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + CC rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that?

Summary: Eight Common PCI Myths
PCI just doesn’t apply to us , because…
PCI is confusing and not specific !
PCI is too hard
Recent breaches prove PCI irrelevant
PCI is easy : we just have to “say Yes” on SAQ and “get scanned”
My network, application, tool is PCI compliant
PCI is all we need to do for security!
Even if breached and then found non-compliant, our business will not suffer

Your Approach To PCI DSS
Understand your merchant level (1-4)
Review the applicable requirements
Identify the gap between your current and required state
Implement changes to technology and policies!
Validate requirements and attest to it (via SAQ or QSA)
Key : continue to maintain secure-thus-compliant state!

Continuous Compliance vs Validation
Reminder : PCI DSS compliance does NOT end when a QSA leaves or SAQ is submitted.
Q: What to do “after your QSA leaves”?
Use what you built for PCI to reduce risk
“ Own” PCI DSS; make it the basis for your policies
Think beyond credit card data and grow your security!
Note : a good QSA will check whether you are “wired” for continuous compliance. Pick one of that sort!

PCI and Security Today
<- This is the enemy!
This is NOT the enemy! ->
Remember:
security first , compliance as a result.

Conclusions and Action Items
PCI is common sense, basic security; stop complaining about it - start doing it!
After validating that you are compliant, don’t stop: continuous compliance AND security is your goal , not “passing an audit.”
Develop “security and risk” mindset , not “compliance and audit” mindset.

Get More Info!
“ PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else
Out in December 2009!

About Anton Chuvakin
Dr. Anton Chuvakin
Email: [email_address]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Twitter: @anton_chuvakin
C onsulting: www.securitywarriorconsulting.com
For more: http://www.chuvakin.org

More on Anton
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop , many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, now Consultant

Security Warrior Consulting Services
Logging and log management policy
Develop logging policies and processes , log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
Content development
Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

PCI DSS Myths 2009: Myths and Reality

by Anton Chuvakin on Dec 16, 2009

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 9

Statistics

PCI DSS Myths 2009: Myths and Reality Presentation Transcript