Spirit of PCI DSS by Dr. Anton Chuvakin
PCI compliance is seen by many merchants as “a checklist exercise” which is disconnected from reducing their fraud costs, security risks and other losses. It is sometimes perceived as a painful exercise in futility, enforced by some “higher powers” who don’t care about merchants. This presentation will discuss how to bring back the real spirit of PCI DSS, the spirit of data security, risk reduction and trustworthy business transactions. It will discuss, in particular, how to use the controls of PCI DSS to protect your business from online threats and highly damaging hacker attacks. Moreover, focusing on the spirit of PCI DSS will help merchants to both simplify compliance and improve security, while protecting their customers and their sensitive data and keeping acquirers and brands happy.
Usage Rights: © All Rights Reserved
  • Source: http://www.pciknowledgebase.com/index.php?option=com_mtree&task=viewlink&link_id=1366&Itemid=0
    “As a banker who has been involved in audit and risk management for 20+ years, I have a beef with PCI. Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. We have removed the acceptance of risk as an option by insisting on 100% compliance. That was not the intent.”
  • Forrester “Value of Data” report: “Custodial data has little intrinsic value in and of itself. But when it is obtained by an unauthorized party, misused, lost, or stolen, it changes state. Data that is ordinarily benign transforms into something harmful. When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity.”
  • Forrester report: 2/3 of value is in OWN data, yet ½ is spent protecting it!
  • + not have OWN DATA
    + not have CUSTODIAN DATA
    + removes CUSTODIAN DATA = protects CUSTODIAN DATA!
    + protects key business processes
  • While many hope for Gaussian, in security – counter to intuition! – most people are below average!
  • Example controls deemed useful for fraud:
    Logging
    User access configuration, logging and monitoring
    Limiting access to data – e.g. encryption, tokenization, etc.
    Security awareness – unavoidable punishment for internal fraud
    Define an incentive program to enforce policies.
    “About two months ago in this column I wrote about the importance of “deputizing” store managers to watch for security breaches. Since I have discussed such programs with leading retailers, it’s become clear that in order to change the culture, retailers have to provide incentives to these “deputies” in order to actually impact key metrics such as shrinkage, fraud and chargeback rates. The other important technique is to link the PCI compliance initiative to these same security metrics. For example, a PCI project manager who wants to “embed” PCI compliance into the corporate culture would be well advised to spend about 20 hours, spread over several weeks, to create a presentation for management which shows how PCI compliance can not only reduce risk, but also can impact key financial metrics such as fraud and chargeback rates. I have talked to three PCI managers who also own fraud management and report into the CFO. All three have found that linking PCI compliance to financial performance is a great way to get executive attention, and budget. And since all these metrics are key to individual store performance, this is one of the ways to gain the support of store management for PCI compliance – circling back to the whole “deputize” argument.” Pasted from
    “WE ARE LOOKING TO LINK PCI COMPLIANCE TO FRAUD REDUCTION: You cannot simply say that PCI compliance leads to reduced fraud rates. You have to prove it. Because PCI is so detailed, it's not ALL of the controls that can be proven to reduce fraud. However, the controls that we believe have the most direct impact are #3, encryption, #10, monitoring and logging access, #7, access controls, and #11 vulnerability testing. If just those 4 are done well, we believe that we can prove those controls in PCI can lead directly to reduced fraud rates. However, we still cannot prove it statistically. We have case study data that suggest it however.” Pasted from
    “Merchants have implemented PCI-mandated security controls in order to reduce fraud and security breaches. However, a weak connection between the PCI controls and fraud management by many merchants has left PCI compliance ineffective at catching external fraud on a day-to-day basis. Some merchants run PCI compliance as an IT project, leaving other operations groups fewer opportunities to get involved. PCI managers also need better understanding of fraud and risk managers' functions to benefit from PCI-mandated reporting.” Pasted from
  • REAL Spirit of PCI
    Trust in business transactions
    "Corporate Social Responsibility"
    They trusted you with their data!
    You give me data. I lose it. Another suffers.
  • This comes from the PCI book www.pcicompliancebook.info
  • + After validating that you are compliant, don’t stop: continuous compliance AND security is your goal, not “passing an audit.”
    See “How to STAY PCI Compliant?”

Spirit of PCI DSS by Dr. Anton Chuvakin – Presentation Transcript

  • Spirit of PCI DSS, or The REAL Goal of PCI
    Dr. Anton Chuvakin
    Security Warrior Consulting
    Author of “PCI Compliance” book
    Keynote at PCI in Higher Education Workshop
    Indianapolis, IN - May 2010
  • “PCI Is The Devil !!!”
  • Inspiration….
    “Too many have lost sight of the goal, which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it.”
    PCI Knowledge Base by late David Taylor
  • Outline
    Background and context around PCI
    Why are we doing it?
    Accept risk … of others?
    Security as a checklist?
    PCI -> security?
    Conclusions: Simplify PCI?
  • What is PCI DSS or PCI?
    Payment Card Industry Data Security Standard
    Payment Card =
    Payment Card Industry =
    Data Security =
    Data Security Standard =
  • PCI Regime vs DSS Guidance
    The PCI Council publishes PCI DSS
    Outlined the minimum data security protection measures for payment card data.
    Defined Merchant & Service Provider Levels, and compliance validation requirements.
    Left the enforcement to card brands (Council doesn’t fine anybody!)
    Key point: PCI DSS (document) vs PCI (validation regime)
    Build and Maintain a Secure Network
    • Install and maintain a firewall configuration to protect data
    • Do not use vendor-supplied defaults for system passwords and other security parameters
    Protect Cardholder Data
    • Protect stored data
    • Encrypt transmission of cardholder data and sensitive information across public networks
    Maintain a Vulnerability Management Program
    • Use and regularly update anti-virus software
    • Develop and maintain secure systems and applications
    Implement Strong Access Control Measures
    • Restrict access to data by business need-to-know
    • Assign a unique ID to each person with computer access
    • Restrict physical access to cardholder data
    Regularly Monitor and Test Networks
    • Track and monitor all access to network resources and cardholder data
    • Regularly test security systems and processes
    Maintain an Information Security Policy
    • Maintain a policy that addresses information security
    PCI DSS = Basic Security Practices!
  • PCI Game: The Players
    PCI Security Standards Council
  • Why Are We Doing It?
    Risk of DEATH
    Risk of $60 fine?
  • My Data – Their Risk!?
  • Key Point: What Do You Protect?
  • 2/3 Value vs ½ Protection
    What is VALUED
    what is
    Lack of Balance!
  • Observations…
  • Leaders vs Losers
  • Extra Dimension: Fraud?
    Disconnect of
    fraud and PCI?
    • Deploy PCI DSS controls
    • Measure their impact on fraud
    • Rinse, repeat!
  • Compliance vs Security
  • Ceiling vs Floor
    PCI is the “floor” of security
    This is fundamental reality of PCI DSS!
    However, many prefer to treat it as a “ceiling”
    security breaches
  • PCI and Security Today
    <- This is the enemy!
    This is NOT the enemy! ->
    security first, compliance as a result.
  • Checklist Mentality IS Evil!
  • “Whack-an-assessor”
    PCI “game” as
    “whack-an-assessor” = PAIN, PAIN, PAIN, PAIN, PAIN, PAIN!
    Do it for security – justify it for PCI DSS!
  • How To “Profit” From PCI DSS?
    Everything you do for PCI DSS, MUST have security benefit for your organization!
    Examples: log management, IDS/IPS, IdM, application security, etc.
  • In Other Words…
    Every time you think “PCI DSS OR security,”
    god kills a kitten!
  • The Spirit of PCI DSS?
    PCI DSS = Motivating FORCE for CUSTODIAN data security, thus customer TRUST!
    Can learn to protect YOUR data too!
  • CSR Goes Far?
    Corporate Social Responsibility?
    “Fair” trade
    Secure data -> trust!
  • The Whining of PCI DSS
    W1: Why don’t the brands “fix the system?”
    A1: They will.
    W2: Can we have “a risk based” standard?
    A2: No. 91% of people can’t spell “risk”
    W3: Can we do something simpler?
    A3: Yes! Cash.
  • Conclusions and Action Items
    Kill the data! Outsource!
    PCI is basic security; stop complaining about it - start doing it!
    Develop “security and risk” mindset, not “compliance and audit” mindset.
    If you are doing PCI DSS and not getting a security benefit, please STOP!
  • Get The PCI Book!
    “PCI Compliance” by Anton Chuvakin and Branden Williams
    Useful reference for merchants, vendors – and everybody else in PCI-land
    Released December 2009!
  • Questions?
    Dr. Anton Chuvakin
  • More on Anton
    Now: independent consultant
    Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
    Standard developer: CEE, CVSS, OVAL, etc
    Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
  • Security Warrior Consulting Services
    Logging and log management policy
    Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
    Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
    Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
    Help integrate logging tools and processes into IT and business operations
    Content development
    Development of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
    Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
    More at www.SecurityWarriorConsulting.com