Pci Europe 2009 Underside Of The Compliance Ecosystem
Keynote Presentation at Security Conference in Brussels

  1. The underside of the PCI DSS ecosystem: PCI as Security, simple facts that no-one talks about and anecdotes from the merchant’s perspective
     Patrick Wheeler, P.E., [email_address], December 2009
     The following deck is shared post event. It is intended to be accompanied by a dialog and a verbal presentation that unfortunately is not as easy to share; however, if you are struggling with PCI I encourage you to contact me via email, LinkedIn or any other means you find comfortable.
  2. Overview
     - A bit of background
       - Presenter
       - PCI DSS
     - Is PCI DSS a viable security strategy in itself or a minimum baseline standard?
       - A walk through my favorite acronyms: PCI / ISO / ITIL / COBIT
     - Why is it important to think about security strategy on an enterprise-wide level?
     - What are the most common errors companies commit?
     - How do you ensure your QSA is successful while adopting an integrated enterprise-wide security strategy?
  3. Disclaimers
     - These are my professional opinions, interpretations and recollections of situations encountered
     - Without a doubt there are some factual errors; this is entirely unintentional, except where it is not
     - I will refrain from using most names, to protect the innocent, the guilty and those in-between
     - Comments are offered with the intent to help the industry and anyone involved in protecting payment card transactions, and with mal-intent towards none (except maybe fraudsters)
     Doing the necessary: “Views expressed here don't necessarily reflect those of our sponsors,” any employer, any church, state or any correct-thinking individual. Copyrights, trademarks, images, citations and other attributable material reproduced here are incorporated for educational and illustrative purposes; please address any concerns to [email_address].
  4. Background … BIO
     Patrick Wheeler has been involved in IT consulting, business, engineering and security for over 16 years. He has a Bachelors (BSEE) and an MBA and is a registered professional engineer. His background includes fun job titles like Security Architect, Audit Manager, Inspector, Systems and Security Analyst, Project Manager, IS & Operations Director and VP of Operations.
     His business, IT and best-practices experience includes audit and compliance functions including PCI, as well as internal and external financial and technology audits, security reviews, SAS-70 and Department of Defense. With a legal support background he has served as an expert witness on various aspects of best practices and industry standards.
     He has been involved in many industries, from government agencies and banking through fashion and retail, as well as technology startups and such well-known firms as Apple, Webex, Tibco, Brocade and Wine.com. Prior to moving to Europe, where he is currently consulting in the security field, he served in California’s Silicon Valley specializing in security, compliance and operational efficiency topics.
     As the European IT Audit Manager for Levi Strauss & Company he managed their global PCI program. He remains active and opinionated within the PCI community, encouraging adoption and improvements to security as well as to the PCI program. Personal interests include driving old cars too fast while taking photographs (in a well-controlled secure environment).
     Andre Van Bever ©
  5. Eight indicted in $9M RBS WorldPay heist...
     “Eight men have been indicted on charges that they hacked into credit card processing firm RBS WorldPay, and helped steal more than $9 million in a highly coordinated heist nearly a year ago”
     - Data breaches are ever more frequent, negatively impact public perception and diminish public trust in an institution
     - Comprehensive data breach notification rules are inevitable
     - Credit card security standards like PCI are a first step
     Hackers escalate thefts of financial data: “Computer hackers stole more sensitive records last year than in the previous four combined, with ATM cards and PIN information growing in popularity as targets, according … Organised criminal groups orchestrated nine in 10 of the most successful attacks, with 93 per cent of the 285m records exposed coming from the financial sector …”
     US to Get Data Breach Notification Laws: “… notify anyone whose personal information may have been accessed in a breach … set new standards for data breach notifications, the Personal Data Privacy and Security Act of 2009 (S.1490) and the Data Breach Notification Act (S.139), were passed by the Senate Judiciary Committee Nov. 5 …” (link)
     “The European Council has approved a data breach notification rule for Europe's telecoms firms. … Security breach notification laws force companies which have lost customers' or employees' personal data to announce the loss.” Information Society Commissioner Viviane Reding said: "The Commission will … extend the debate to generally applicable breach notification requirements and work on possible legislative solutions … In 2010, the Commission intends … a major initiative to modernise and strengthen network and information security policy in the EU" (link)
  6. A bit about PCI DSS
     In 2003 California’s notification rule for breaches of private data, SB1386, takes effect.
     “The Payment Card Industry Data Security Standard (PCI DSS) consists of an industry-wide set of controls and processes for securing cardholder data. Any system that stores, processes and/or transmits cardholder data must comply with this standard.”
     In December 2004 the credit card brands merged their individual security programs into a single Data Security Standard (DSS v1.0); in 2006 they founded the Payment Card Industry Security Standards Council (PCI SSC) to own and maintain it.
     - Initial focus was compliance among large merchants, internet channels and payment service providers.
     - Compliance is required globally throughout all card channels; the only differences are in deadlines and enforcement (this is a _big_ difference)
     - PCI is a baseline standard and does not guarantee security
     It is an attempt by the industry to “police itself”: to prevent fragmented governmental regulations and intervention into business practices, as well as to protect the consumer.
  7. The Bear
     - Stop me if you’ve heard this before …
     - “Two friends hiking in the forest encounter a hungry bear …”
     - IT security often seems like a treadmill where you only get to choose from three options:
       a) Run faster than the bear
       b) Run faster than your friend(s)
       c) Get out of the forest
     May I introduce you to the Bear? SB1386
  8. PCI Security as Policy ???
     Sophisticated enterprise security managers leverage multiple best practices
     “In a survey of security professionals conducted for the research report … 72% of North American enterprise-class organizations (i.e., organizations with 1,000 or more employees) say they are implementing one or more formal IT best practice control and process models. The most widely-used commercial frameworks include:
     - ITIL (IT Infrastructure Library): Provides recommendations for a wide range of IT operations and service delivery best practices including security management. ITIL’s information security recommendations are based heavily on ISO/IEC 17799 and emphasize information confidentiality, integrity and availability.
     - ISO/IEC 17799/27002 (Information technology - Security techniques - Code of practice for information security management): Provides information security specialists with specialized recommendations for risk assessment, physical and information security policy, governance, development, compliance and access control. Originally labeled as ISO/IEC 17799, this set of best practices was renumbered as ISO/IEC 27002 in July 2007.
     - COBIT (Control Objectives for Information and related Technology): Provides 210 control objectives applied to 34 high-level IT processes, categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring. COBIT recommendations include issues related to ensuring effectiveness and value of IT as well as information security and process governance.”
     <source: BSMReview.com>
     Bear repellent?
  9. ITIL / COBIT / ISO / PCI: Security Strategy on an Enterprise-wide Level
  10. CobiT
     - Soup to nuts
     “Soup to nuts” is an American English idiom conveying the meaning of "from beginning to end". It is derived from the description of a full-course dinner, in which courses progress from soup to a dessert of nuts. It is comparable to expressions in other languages, such as the Latin phrase ab ovo usque ad mala ("from the egg to the apples"), describing the typical Roman meal. "Soup to nuts" is often used in IT and project management to refer to "the complete process" from original idea to completion.
  11. ITIL
     - ITIL security management is based on the Code of Practice for Information Security Management defined by ISO/IEC 27002.
     <according to our friends at Wikipedia>
     - The Information Technology Infrastructure Library (ITIL) is a set of concepts and policies for managing Information Technology (IT) services (ITSM), developments and operations.
     - ITIL gives a detailed description of a number of important IT practices with comprehensive checklists, tasks and procedures that any IT organization can tailor to its needs.
  12. ISO
     <According to our friends at ISO27kfaq>
  13. PCI
     PCI is certainly not a strategy.
     One of PCI’s biggest criticisms, “it is too prescriptive”, is one of its biggest strengths …
     PCI is, at its heart, basic housekeeping: not new, not complicated, not rocket science <and, as we all know, not a guarantee>
     PCI is a list of procedures and explicit instructions, implementable by a decent IT security practitioner and/or competent engineers/sysadmins, and relatively easily verifiable.
  14. Security strategy on an enterprise-wide level
     - Why is it important to think about it? Don’t. Do it!
     - Good security leads to PCI compliance, not vice versa …
     - Good security management along industry-standard principles is a strong basis for PCI security
     - No effort is wasted by implementing COBIT or ITIL or ISO or other standards
     - Mappings between ISO/COBIT/ITIL/PCI have been produced by very dedicated and smart people.
     What if we do not have an enterprise level?
     Putting PCI in its place (the US version) <thanks in part to http://www.stanford.edu/dept/Internal-Audit/infosec/>
     - Health Insurance Portability and Accountability Act of 1996 (HIPAA)
     - Payment Card Industry Data Security Standard (PCI-DSS_v1.2)
     - The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
     - Family Educational Rights and Privacy Act of 1974 (FERPA)
     - Digital Millennium Copyright Act of 1998 (DMCA)
     - California Civil Code 1798.82-85 (SB-1386)
     - Gramm-Leach-Bliley Act of 1999 (GLBA)
     - Sarbanes-Oxley Act of 2002 (SOX)
     - and etc. and etc. ad nauseam
  15. Common Mistakes Companies Make …
  16. Card schemes unexplained
     - What tier are you? It depends … (scoping matters)
     - How to count?
       - Owned & operated: of course
       - Owned but not operated?
       - Franchisee? Shop-in-shop?
       - What about different merchant IDs, in different countries, with different banks?
     - Reporting
       - Deadline? What exactly is the deadline in Europe? To whom?
     Which tier am I? https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
  17. Knowing your internal landscape
     - No substitute for internal knowledge and gaining active assistance of knowledgeable internal resources …
     - Don’t send a QSA off on their own and expect efficient and solid results …
     - Tailor your approach to the internal resource you are speaking to …
     - DBAs and sysadmins can be a breed apart
     - Make certain you have the right technical skills in your team … “do you speak L33T?”
     - In scoping discussions, _everything_ is on the table . . . (lifetime compliance TCO calculations can be astounding)
  18. Working with your internal business partners
     - When can your business partners be your compliance effort’s worst enemy?
     - Turn your internal business partners into PCI advocates …
       - Legal / Information Technology / Treasury
     - Do you really want to be a service provider …
     - You are going to do _what_ with our global SAP system ?!?!?!
     - (can we re-review the concept of ‘segmentation’ and scope reduction?)
     “With Chip & PIN in Europe, PCI is not / should not be necessary … It is a problem because of you Americans …”
  19. Working with your external business partners
     - Some bad technology decisions that looked good at the time …
     - (can I interest anyone in a well-used Cisco MARS log management solution?)
     - Working with POS systems and e-commerce vendors
       - PCI? Never heard of it …
       - Certified payment application? Sure, if you pay us for it …
       - When your most trusted partners trip you
     - What to do when your acquirers and banks are still working on their own compliance program?
     PCI compliance is a minimum; ‘PCI +’ ®™© is a market differentiator
  20. Dear Mr. Retail Director, I wish to speak with you about PCI DSS, the Data Security Standard … “Wait a minute, let me get the IT guys on the phone …”
     Dear Ms. Risk Manager, I wish to discuss our Certificate of Compliance … “Wait a minute, let me call the auditors …”
     Dear Mssr. Regional Store Manager, we need to discuss Requirement 12 (Maintain a policy that addresses information security for employees and contractors), section 12.3.10, when accessing cardholder data via remote access technologies … “Wait a minute, let me get a pillow …”
     Where is the business?
  21. … An uncomfortable discussion with the Vice President of Audit …
     … an even more uncomfortable meeting with the Enterprise Risk Manager …
     … Meeting with a fifth-generation billionaire chairman emeritus business owner …
     Where is the business?
  22. Making sure your QSA is successful …
     - I may not be a QSA, but “some of my best friends are QSAs” (at least I think of them as my friends, perhaps not after this presentation)
     No shortage of criticisms:
     - Unethical sales techniques (throw a rock …)
     - Too stringent in interpretations / audit focused
     - Accepting restrictions from clients (typical SAS-70 conflict …)
     - Race to the bottom as services become commoditized
     - Over-reliance on the latest whizz-bang technical solutions
     - Not focusing on the true needs of the client organization
     - Not being able to communicate with the client organization
       - Not listening / hearing disabilities
     … while building an enterprise solution
     What the Big Four auditor missed
  23. A few maladies to watch out for
     - “Yes, I know my brand is at risk …”
     - Brand risk does not automatically justify any and all expenditure
     - Separating the tools from the fools while ensuring their success in spite of themselves. Check your QSA for these maladies:
       - Hammer syndrome: when you have a hammer, everything looks like a nail
       - Herr Professor Doctor syndrome: lecturing on an hourly bill rate
       - The Niche syndrome: “Yes, I know my encryption is lousy, but tell me about my network segmentation”
       - The Opinion syndrome: “In my professional opinion …”
     - When to keep your QSA in a locked box and not let them out in front of a senior executive
  24. A few suggestions …
     - Build internal competence and a sense of responsibility and ownership within the organization
     - Repeat after me: “The QSA’s success is the client’s success”
     - Tone at the top matters … as do sotto voce comments
     - Ensure your QSA can engage with you on a strategic level
     - Ensure you can engage with your QSA on a strategic level
     - Choose your tools wisely; focus on long-term solutions
     - Don’t buy quick-fix, one-size-fits-all, snake-oil, magic-overnight-compliance solutions
     - Look for integrated solutions merged into existing mature business and IT processes
     - Look for tools that help you manage the security process, not PCI technical solutions
  25. A few errors PCI commits on our behalf …
     - Names matter …
     - One size fits all …
     - Scaled-down sizing will work …
     - What about Europe, Asia, the rest of the Americas, Oceania …
  26. Is Compliance killing us ???
     A few things we know to be true …
     - PCI compliance ensures credit card security
     - Once we pass PCI we are secure
     - Once we certify our compliance we are good for the rest of the year
     - We need to pass the PCI compliance audit
     - PCI compliance is best handled via the IT Project Management/Compliance Office with the assistance of the IT Security Group, bringing the QSA auditors in to validate afterwards
     If it walks like a duck and talks like a duck, what is it? PCI + ®™©
  27. DSS, its own worst enemy and our best hope
     - We all know what we wish to avoid … fragmented governmental rules
     - (did I say that?)
     - A myriad of critics and criticisms, no better solution on offer …
     We are all responsible for the success of the PCI ecosystem