Spirit of PCI DSS by Dr. Anton Chuvakin

Spirit of PCI DSSorThe REAL Goal of PCI
Dr. Anton Chuvakin
Security Warrior Consulting
www.securitywarriorconsulting.com
Author of “PCI Compliance” book
Keynote at PCI in Higher Education Workshop
Indianapolis, IN - May 2010

“PCI Is The Devil !!!”

Inspiration….
“Too many have lost sight of goal which is to reduce the risk of security breaches and card fraud. Assessors often just focus on the words in the standard. They do not understand WHY the standard was written, or the risk built into it. “
PCI Knowledge Base by late David Taylor

Outline
Background and context around PCI
Why are we doing it?
Accept risk … of others?
Security as a checklist?
PCI -> security?
Conclusions: Simplify PCI?

What is PCI DSS or PCI?
Payment Card Industry Data Security Standard
Payment Card =
Payment Card Industry =
Data Security =
Data Security Standard =

PCI Regime vs DSS Guidance
The PCI Council publishes PCI DSS
Outlined the minimumdata security protections measures for payment card data.
Defined Merchant & Service Provider Levels, and compliance validation requirements.
Left the enforcement to card brands (Council doesn’t fine anybody!)
Key point: PCI DSS (document) vs PCI (validation regime)

Install and maintain a firewall confirmation to protect data
Do not use vendor-supplied defaults for system passwords and other security parameters
Build and Maintain a Secure Network
Protect stored data
Encrypt transmission of cardholder data and sensitiveinformation across public networks
Protect Cardholder Data
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Maintain a Vulnerability Management Program
Restrict access to data by business need-to-know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Implement Strong Access Control Measures
Track and monitor all access to network resources andcardholder data
Regularly test security systems and processes
Regularly Monitor and Test Networks
Maintain a policy that addresses information security
Maintain an Information Security Policy
PCI DSS = Basic Security Practices!

PCI Game: The Players
PCI Security Standards Council

Why Are We Doing It?
Risk of DEATH
Vs
Risk of $60 fine?

My Data – Their Risk!?
*I* GIVE *YOU* DATA
*YOU* LOSE IT
*ANOTHER* SUFFERS!

Key Point: What Do You Protect?

2/3 Value vs ½ Protection
What is VALUED
vs
what is
PROTECTED
Lack of Balance!

Observations…

Leaders vs Losers

Extra Dimension: Fraud?
Disconnect of
fraud and PCI?
Ideas:
Deploy PCI DSS controls
Measure their impact on fraud
Rinse, repeat!

Compliance vs Security
X

Ceiling vs Floor
PCI is the “floor” of security
This is fundamental reality of PCI DSS!
However, many prefer to treat it as a “ceiling”
Result:
security breaches

PCI and Security Today
<- This is the enemy!
This is NOT the enemy! ->
Remember:
security first, compliance as a result.

Checklist Mentality IS Evil!

“Whack-an-assessor”
PCI “game” as
“whack-an-assessor” = PAIN, PAIN, PAIN, PAIN, PAIN, PAIN!
Do it for security – justify it for PCI DSS!

How To “Profit” From PCI DSS?
Everything you do for PCI DSS, MUST have security benefit for your organization!
Examples: log management, IDS/IPS, IdM, application security , etc

In Other Words…
Every time you think “PCI DSS OR security,”
god kills a kitten!

The Spirit of PCI DSS?
PCI DSS = Motivating FORCE for CUSTODIAN data security, thus customer TRUST!
Can learn to protect YOUR data too!

CSR Goes Far?
Corporate Social Responsibility?
Green
Sustainable
“Fair” trade
LOSES CUSTOMER DATA!!!
Secure data -> trust!

The Whining of PCI DSS
W1: Why don’t the brands “fix the system?”
A1: They will.
W2: Can we have “a risk based” standard?
A2: No. 91% of people can’t spell “risk”
W3: Can we do something simpler?
A3: Yes! Cash.

Conclusions and Action Items
Kill the data! Outsource!
PCI is basic security; stop complaining about it - start doing it!
Develop “security and risk” mindset, not “compliance and audit” mindset.
If you are doing PCI DSS and not getting a security benefit, please STOP!

Get The PCI Book!
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else in PCI-land
Released December 2009!
www.pcicompliancebook.info

Questions?
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
Twitter:@anton_chuvakin
Consulting:http://www.securitywarriorconsulting.com

More on Anton
Now: independent consultant
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Security Warrior Consulting Services
Logging and log management policy
Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations
Help integrate logging tools and processes into IT and business operations
Content development
Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com

http://chuvakin.blogspot.com	951
http://www.slideshare.net	50
http://www.computersecurityarticles.info	41
http://chuvakin.blogspot.in	11
http://translate.googleusercontent.com	7
http://chuvakin.blogspot.ca	5
http://chuvakin.blogspot.co.uk	5
http://chuvakin.blogspot.com.au	4
http://chuvakin.blogspot.com.es	3
http://www.securitybloggersnetwork.com	3
http://movetech	3
http://static.slidesharecdn.com	3
http://chuvakin.blogspot.fr	2
http://127.0.0.1:8795	1
http://www.lmodules.com	1

Spirit of PCI DSS by Dr. Anton Chuvakin

by Anton Chuvakin on May 07, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

15 Embeds 1,090

Statistics

Spirit of PCI DSS by Dr. Anton Chuvakin — Presentation Transcript