PCI DSS Myths 2010: Why Are They STILL Alive by Dr. Anton Chuvakin


The presentation covers PCI DSS-related myths and misconceptions that are sadly common among organizations dealing with PCI DSS challenges and payment security. Myths related to the technical and process sides of PCI, to self-assessment and audits, and to PCI validation requirements are discussed. The information will be useful to all organizations that handle credit card information and are thus struggling with PCI DSS mandates.

With voice at: http://www.brighttalk.com/webcast/6495

Also listed at: http://www.brighttalk.com/summit/pcicompliance3

PCI DSS Myths: Why Are They Still Alive?
Dr. Anton Chuvakin
Security Warrior Consulting (SIEM, Log Management, PCI DSS services)
March 2010

Agenda
  • What is PCI DSS?
  • When does PCI DSS apply?
  • PCI DSS myths
  • Why are they still alive?
  • Reminder: compliance vs validation
  • Conclusions

What is PCI DSS or PCI?
Payment Card Industry Data Security Standard, broken down:
  • Payment Card
  • Payment Card Industry
  • Data Security
  • Data Security Standard
The twelve PCI DSS requirements, grouped by goal
Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Protect stored data
  • Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Restrict access to data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
Maintain an Information Security Policy
  • Maintain a policy that addresses information security
PCI DSS = Basic Security Practices!
Ceiling vs Floor
PCI is the "floor" of security.
This is the fundamental reality of PCI DSS!
However, many prefer to treat it as a "ceiling".
Result: security breaches.

For the Impatient: Eight Common PCI Myths
  1. PCI just doesn't apply to us, because…
  2. PCI is confusing and not specific!
  3. PCI is too hard
  4. Recent breaches prove PCI irrelevant
  5. PCI is easy: we just have to "say Yes" on the SAQ and "get scanned"
  6. My network, application or tool is PCI compliant
  7. PCI is all we need to do for security!
  8. Even if breached and then found non-compliant, our business will not suffer

M1 - PCI just doesn't apply to us…
Myth: PCI just doesn't apply to us, because…
"… we are small, a university, don't do e-commerce, outsource 'everything', are not a permanent entity, etc."
Reality: PCI DSS DOES apply to you if you "accept, capture, store, transmit or process credit and debit card data", no exceptions!
At some point, your acquirer will make it clear to you!

M2 - PCI is confusing
Myth: PCI is confusing and not specific!
"We don't know what to do, who to ask, what exactly to change"
"Just give us a checklist and we will do it. Promise!"
Reality: The PCI DSS documents explain both what to do and how to validate it; take some time to read and understand them.
Also, read our book on PCI!

M3 - PCI is too hard
Myth: PCI is too hard…
"… too expensive, too complicated, too burdensome, too much for a small business, too many technologies, or even unreasonable"
Reality: PCI DSS is basic, common-sense, baseline security practice; it is only hard if you were not doing it before.
It is no harder than running your business or your IT, and you've been doing that!

M4 - Breaches prove PCI irrelevant
Myth: Recent breaches prove PCI irrelevant
"We read that media and pundits agree: massive data losses 'prove' PCI irrelevant"
Reality: Data breaches prove that basic PCI DSS security is not enough, but you have to start from the basics.
PCI is actually easier to understand than other, more advanced security and risk matters. Start here at Step 1: PCI DSS!

M5 - PCI is Easy: Just Say "YES"
Myth: PCI is easy: we just have to "say Yes" on the SAQ and "get scanned"
"What do we need to do: get a scan and answer some questions?"
Reality: Not exactly. You need to:
  a) Get a scan, and then resolve the vulnerabilities found
  b) Do all the things that the questions refer to, and prove it
  c) Keep doing a) and b) forever!

M6 - My tool is PCI compliant
Myth: My network, application or tool is PCI compliant
"The vendor said the tool is 'PCI compliant'"
"I use PA-DSS tools, thus I am PCI OK"
Reality: There is no such thing as a "PCI compliant" tool or network; PCI DSS compliance applies to organizations.
PCI DSS combines technical AND process, policy and management issues, as well as awareness and practices.

M7 - PCI Is Enough Security
Myth: PCI is all we need to do for security
"We worked hard and we passed an 'audit'; now we are secure!"
Reality: PCI is basic security; it is a necessary baseline, but NOT sufficient (the floor, not the ceiling!)
PCI is also only about cardholder data security: not the rest of your private data, not your intellectual property, not SSNs, etc.
It also covers only confidentiality, NOT integrity and availability. There is more to security than PCI!

M8 - PCI DSS Is Toothless
Myth: Even if breached and then found non-compliant, our business will not suffer.
"We read that companies are breached and then continue being profitable; so why should we care?"
Reality: Possible fines + lawsuits + breach disclosure costs + investigation costs + credit card rate increases + contractual breaches + cost of more security measures + cost of credit monitoring = will you risk ALL that?

Summary: Eight Common PCI Myths
  1. PCI just doesn't apply to us, because…
  2. PCI is confusing and not specific!
  3. PCI is too hard
  4. Recent breaches prove PCI irrelevant
  5. PCI is easy: we just have to "say Yes" on the SAQ and "get scanned"
  6. My network, application or tool is PCI compliant
  7. PCI is all we need to do for security!
  8. Even if breached and then found non-compliant, our business will not suffer

WHY Are They Still Alive?
Compliance is MUCH easier than security.
"Everybody is below average in security"
It is hard to mandate "following the spirit, not the letter" and "doing a good job".
Whining is MUCH easier than securing!

PCI and Security Today
[Two images: "This is the enemy!" and "This is NOT the enemy!"]
Remember: security first, compliance as a result.
Continuous Compliance vs Validation
Q: What to do after your QSA leaves?
A: PCI DSS compliance does NOT end when the QSA leaves or the SAQ is submitted.
  • Use what you built for PCI to reduce risk
  • "Own" PCI DSS; make it the basis for your policies
  • Think beyond credit card data and grow your security!
Note: a good QSA will check whether you are "wired" for continuous compliance. Pick one of that sort!
BTW, see my recent paper: "How to STAY Compliant"

Conclusions and Action Items
  • PCI is common sense, basic security; stop complaining about it and start doing it!
  • After validating that you are compliant, don't stop: continuous compliance AND security is your goal, not "passing an audit."
  • Develop a "security and risk" mindset, not a "compliance and audit" mindset.

Get More Info!
"PCI Compliance" by Anton Chuvakin and Branden Williams, THE PCI book for merchants, vendors, and everybody else!
Get TWO free chapters at http://www.pcicompliancebook.info/
Released December 2009!

Questions?
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com

More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, and many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc.
Community roles: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager