Total FBO User Conference

  1. The Need for PCI
     TotalFBO User Conference. Presented by Branden R. Williams, [email_address], September 17, 2009.
  2. PCI Data Security Standard Overview: The History of PCI DSS
     - 2001-3: Separate Visa (2001) and MasterCard (2003) programs
     - 2004: Programs combined into the Payment Card Industry (PCI) Data Security Standard (DSS); 12 core requirements; scanning requirements for public-facing systems
     - 2005: Payment Application Best Practices program announced
     - 2006: PCI Security Standards Council formed and PCI DSS version 1.1 released
     - 2008: PA-DSS released; new SAQs released; PCI DSS version 1.2
  3. Defining Compliance/Validation
     - Compliance
       - You are, at this moment, meeting all of the requirements related to PCI
       - Yes, for real
     - Validation
       - QSA or Internal Audit (for merchants) reviews controls
       - Decides you are compliant
       - Fill out Attestation
  4. Why breaches happen: Firefighting and PCI (The Fire Inspector Analogy)
     - QSA issues
       - QSA is not thorough
       - Does not ask the right questions
       - Is not interviewing the right people
       - Does not sample correctly
     - Merchant/Service Provider
       - Hides things from the QSA
       - Intentionally chooses an easy QSA
       - Falsifies documentation
     - PCI must be a partnership!
     - The company that PCI is enforced upon is ultimately responsible for compliance!
  5. Case Studies: A company gets it oh so wrong (Medium US-Based Retail, <1,000 Locations)
     - Fail every year, but remediate in 60 days
     - Out of compliance for most of the year
       - Risk of breach in between
       - No repeatable processes
       - Compliance viewed as an "audit"
     - Security/Compliance office buried
       - All reporting to IT?
       - CISO unable to sell to management
       - Process stagnates
  6. Case Studies: A company gets it (Large US-Based Service Provider)
     - Pass most years, minor gaps fixed in days
     - In compliance for most of the year
       - Fixated on compliance
       - Read the letter of the law
       - Do not use a risk model
     - Security needs to grow
       - Wireless IPS
       - Log management
       - Governance
  7. Case Studies: A company gets it right (Medium US-Based Service Provider)
     - Pass every year
       - Assessment scope < 1%
       - Assessment done in one week
     - In compliance all year
       - Program rooted in security
       - Understand the intent of each requirement
       - Spend for security, get compliance for free
     - Simple & elegant payment systems
       - Complex ≠ Competitive Advantage
       - Simplicity + Elegance = Competitive Advantage
     - Go into the assessment knowing the outcome
  8. What keeps you up at night? As an executive, data security SHOULD keep you up at night!
     - Breaches are expensive
       - Fees
       - Fines
       - CapEx for hardware
     - Breaches "cost" more today
       - Weak economy
       - Weak sales
       - Flat growth
       - Harder to measure
     - Breaches put you at a competitive disadvantage
       - 20 years of FTC-mandated audits?
       - Cash allocation erased?
  9. General Disclaimer
     This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Branden R. Williams reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Unpublished work of Branden R. Williams. © All rights reserved. This work is an unpublished work and contains confidential, proprietary and trade secret information of Branden R. Williams. Access to this work is restricted to Branden R. Williams and any employee who has a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected or adapted without the prior written consent of Branden R. Williams.

Editor's Notes

  • 11/04/09
  • PCI has been a long time in the making. The current standards are largely based on independent efforts made by Visa USA and MasterCard International. At the beginning of the century, credit card fraud was increasing at an astronomical rate. In order to combat the large losses suffered by member banks, Visa created the Cardholder Information Security Program (CISP). This program aimed to address weaknesses found in the structure of the payment card industry and in the implementations of large merchant systems. Two years later, MasterCard announced the Site Data Protection program (SDP), with a list of standards largely aimed at electronic commerce merchants. In December of 2004, Visa and MasterCard joined forces and released the Payment Card Industry Data Security Standard (PCI-DSS). This unified approach solved many problems related to two independent standards trying to address the same root problem. The PCI-DSS is made up of 12 core requirements (sometimes called the 12 Pillars or the Digital Dozen) and ongoing maintenance programs to ensure compliance is maintained on a day-to-day basis. In response to a large number of payment application compromises (largely Point of Sale and Shopping Cart based), Visa USA created the Payment Application Best Practices (PABP) program in 2005. The intent of this program was to combat large-scale breaches based on poorly written payment applications. This program has gained adoption and now more than 80 applications are certified. PABP has been superseded by the Payment Application Data Security Standard (PA-DSS), which is managed by the PCI Security Standards Council. On September 7, 2006, the PCI Security Standards Council was officially announced in conjunction with version 1.1 of the PCI Standard. During 2008, we've seen a new revision of the PCI-DSS, updated self-assessment questionnaires (which are consequently now out of date with version 1.2 of the standard), and the release of the PA-DSS.